To Fight Phishing, Let's Look at Fatigue

Editor’s note: This is a column written by Jack Murtha, senior editor. His analysis reflects his views, not necessarily those of the magazine.

By 10:10 a.m. today, I received 2 separate warnings about attempted phishing attacks against the parent company of Healthcare Analytics News™. In one, a cyberattacker claiming to work for a bank attached a sketchy file to an email, requesting the recipient to review bogus failed transactions. In the other, the hacker posed as a FedEx employee and provided a link to where the mark could supposedly enter personal information to claim a package.

Neither intended victim has worked here in the past year. And although neither of these emails was remotely legitimate, both were the latest in a string of phishing expeditions whose potential negative effects are all too real.

How come, in 2018, phishing remains so common? The short answer is that phishing works.

>> READ: The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

In March, one such attack hit a national physical therapy chain and exposed the protected health information of more than 35,000 patients. That news followed a successful phishing trip in a Florida state health agency, jeopardizing 30,000 Medicaid patients’ records. And last year, the deceptive practice accounted for the highest number of healthcare cyberattacks, according to Theresa Meadows, MS, a hospital executive who cochairs a federal cybersecurity task force.

“The biggest recommendation that I have for hospitals, specifically, is to do ongoing education around phishing, ransomware, and malware,” she told this magazine in December, “because you’re only as strong as your weakest link.”

I’m guessing there are many weak links, in healthcare and beyond, these days. The relentless, rapid-fire nature of today’s scammers is getting overwhelming. Whether it’s the barrage of calls to my cellphone or shady email links and attachments, these digital bear traps seem to be becoming downright ubiquitous.

And I’m beginning to understand how fatigue can set in.

In healthcare, fatigue wears different costumes and carries different implications. The first and most obvious type of fatigue in medicine is the symptom affecting patients with any number of illnesses, from a cold to cancer. There’s also professional fatigue, the cloud of exhaustion and disengagement that sometimes leads to physician burnout and, in the worst cases, contributes to suicide. Another face of fatigue stems from tech—electronic medical record systems, digital alerts, you name it—which can cause clinicians to disregard serious alarms, endangering patients.

But a more universal form of exhaustion also places healthcare organizations, clinicians, patients, and just about everyone at risk. Call it cyber fatigue, security fatigue, cybersecurity fatigue. Whichever term you prefer, it describes a phenomenon in which computer users grow tired of the constant messaging surrounding the hacking threat, causing them to abandon cybersecurity altogether.

>> LISTEN: Finding Orangeworm

Research suggests a majority of computer users, spanning various age groups and backgrounds, deal with some form of cybersecurity fatigue. In turn, that sense of weariness translates to risky user behavior and a boon for malicious actors, according to studies and industry experts. “I don’t pay any attention to those things anymore,” one research participant told investigators, a casual disarmament of critical cyberdefenses.

Now, combine this lethargy with a finding from 2015 that suggests 97% of people can’t identify phishing emails, and we have a troubling puzzle. How can we teach computer users, meaning nearly everyone, to avoid phishing emails if most of us are sick and tired of thinking about cybersecurity?

There are ways. An organization can always jolt its employees out of complacency by performing a penetration test, complete with a phishing component, followed by an educational program. Healthcare information technology departments, meanwhile, must keep their systems up to date—always a vital step. They may also institute stricter email spam controls. But no measure is ironclad.

The key idea is to keep employees alert to the very real threat facing every resident of the digital world. Healthcare, specifically, is among the most targeted industries by hackers, and its data are perhaps the most sensitive of any field. And analyses suggest healthcare employees are the prime cause of cybersecurity meltdowns. If your people aren’t awake, your patients are at risk.

What worries me is the prevalence of phishing, the tenacity of social engineers. Every day, most of us manage a deluge of emails, including phishing attempts. The more often these attacks zoom by, the more likely the hackers are to catch us sleeping. And we’re all just one click away from upheaval.

Get the best insights in healthcare analytics directly to your inbox.

Related

If You Can’t Beat the Hackers, Join Them

Phishing Emails Play on Our Fear of Failure

Inexpensive Actions Against Expensive Data Breaches