
Cybersecurity Awareness Month: Recognizing Phishing, Updating Software, and Healthcare Cybersecurity Strategies

October 23, 2023



To continue with education around Cybersecurity Awareness Month, this blog post will dive deeper into two more main CISA themes: Recognizing Phishing Attacks and Updating Software. We will also share additional guidelines from CISA and HHS specific to healthcare.

The following is worth sharing with your teams, both for their daily work and for use at home.

Recognize and Report Phishing Attacks:

CISA reports that 46% of people feel frustrated while trying to stay secure online, and 39% of users who try to stay safe online feel that information about staying safe online is confusing.

(Source: CISA Cybersecurity 101 ppt: Findings from Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022)

That is why ongoing training, which tells your teams what to look for and gives them concrete steps to take, is so important. Cybercriminals keep changing their tactics, so a one-time briefing is not enough.

Phishing Red Flags:

  • An urgent tone, or one meant to scare you
  • Bad spelling or grammar. This clue is becoming less reliable, since cybercriminals now run their messages through spellcheck or tools like Grammarly
  • Requests to send personal information
  • Errors in the sender’s email address, such as a zero (0) in place of the letter o
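The sender-address red flag is the one item in the list above that a mail gateway or a help-desk triage script can check mechanically. The following is an added example, not code from the original post or from CloudWave. It assumes a constructed allowlist of trusted domains (example-health.org and cloudwave.example) and constructed sample headers, and it flags digit-for-letter substitutions such as 0 for o, accented look-alike characters, near-miss typosquats, and a trusted domain planted in the display name while the real address points elsewhere.

```python
"""Flag look-alike sender addresses in a From: header (added example)."""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist for a hypothetical organization; replace with your own domains.
TRUSTED_DOMAINS = frozenset({"example-health.org", "cloudwave.example"})

# Digits that read as letters at a glance (the "0 for o" trick).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Collapse a domain to the plain-ASCII form a reader would perceive."""
    if "xn--" in domain:  # punycode: decode to the Unicode the recipient actually sees
        domain = domain.encode("ascii").decode("idna")
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))  # é -> e
    # rn looks like m and vv looks like w in many fonts; both sides are normalized,
    # so trusted domains containing "rn" still compare consistently.
    return stripped.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a trusted domain suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, detail) for the value of a From: header."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return "suspicious", "no parseable address"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted", domain

    # A trusted domain shown in the display name while the real address is elsewhere.
    if any(t in display.lower() for t in trusted):
        return "display-name-spoof", f"display '{display}' but address is {addr}"

    try:
        norm = normalize(domain)
    except UnicodeError:
        return "suspicious", f"undecodable domain {domain}"
    by_norm = {normalize(t): t for t in trusted}
    if norm in by_norm:
        return "lookalike", f"{domain} imitates {by_norm[norm]}"
    closest = min(trusted, key=lambda t: levenshtein(norm, normalize(t)))
    if levenshtein(norm, normalize(closest)) <= 2:
        return "typosquat", f"{domain} is within 2 edits of {closest}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "IT Helpdesk <help@example-health.org>",
        "help@examp1e-health.org",
        "billing@exmaple-health.org",
        '"Example Health IT (example-health.org)" <attacker@mail-ru.example>',
        "help@exámple-health.org",
        "news@totally-unrelated.example",
    ]
    for hdr in samples:
        print(f"{hdr!r:70} -> {classify_sender(hdr)}")
```

A verdict other than "trusted" is a reason to follow the steps below (do not click, verify out of band, report to IT), not proof of phishing on its own: an "unknown" domain may simply be a vendor you have not allowlisted yet, and the edit-distance threshold of 2 will occasionally catch an unrelated short domain.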

What NOT to do:

  • Don’t click on any links
  • Don’t click or open attachments
  • Don’t send personal information

What to DO:

  • Verify with the sender directly, in a new email to an address you already know; do not reply to the suspicious message
  • Report anything suspicious to your IT department
  • Delete the email once it has been reported

These sound like common-sense steps, but as mentioned, ongoing training that keeps these warnings fresh is critical to success.

Update Your Software:

The last theme is keeping your software up to date. Why does this matter? Notice that in almost any public announcement of a software vulnerability, the first instruction is to update. When vendors identify vulnerabilities, they fix them by releasing updated software; until you install that update, you have no protection against a threat that is already publicly known.

Raise your hand: how often have you clicked “Remind me later” because you were in the middle of something? And how often did you actually go back and do the update?

Tip: Either schedule automatic updates (for example overnight, when fewer staff are working) or set a specific date by which staff are expected to update, and send them reminders.

Training opportunity:

  • Share the reminders about how to identify phishing – make sure your team knows what to do if they think they’ve received a phishing email
  • Set a standard practice for updating software that is the same for everyone (as much as possible).

CISA training on all four Cybersecurity Awareness Themes can be found in our Cybersecurity Awareness Toolkit for Healthcare.

CISA and HHS Resources Specific for Healthcare Cybersecurity

While the above information is useful for your end-user teams, did you know that CISA and HHS have resources and information specifically geared toward the healthcare sector and protecting your organization from a cyberattack?

Several resources are available through the HHS 405(d) program, which gives the healthcare sector tools and guidance to strengthen its cybersecurity posture. The program’s Health Industry Cybersecurity Practices (HICP) document outlines the top five threats facing healthcare and the practices that mitigate them.

CISA also has other resources, such as presentations and videos, that you can use to train your teams on topics like ransomware, social engineering, and even attacks against medical devices. Check out their Knowledge On Demand page and a video from HHS and CISA about using the HICP and CISA’s Cybersecurity Performance Goals (CPG) together.

Training Opportunity:

  • Assign a team leader to identify the top training areas for your IT, applications, or security teams.
  • Review the HHS 405(d) content and schedule training sessions to share it with your teams. Make the sessions fun and interactive; feeding people lunch helps!

To find these resources and more in one place, visit our Cybersecurity Awareness Toolkit for Healthcare to start planning how you will provide ongoing information and training for your staff.

To learn more about these key strategies and resources, join our Cybersecurity Insider Program and attend a live webinar on October 26th at 2 p.m. ET: Cybersecurity Awareness + Four Cybersecurity Strategies for Healthcare.

Laura Pursley, marketing director, CloudWave