The COVID-19 pandemic over the past 18 months has impacted almost every area of our pre-COVID, "normal'' lives---working from home, a demand on toilet paper, and a decline in the workforce, just to name a few. Almost no industry has been spared when it comes to the impact of the pandemic.
As a result of the pandemic, cyber-attacks are on the rise in almost every industry, reaching unprecedented numbers following the 2020 lock-down. As workers suddenly transitioned to a remote environment and management became more focused on merely surviving day-to-day than spending dollars on IT security, the doors opened for perpetrators to seize new opportunities. One report I read indicates that, with regard to the frequency of ransomware attacks, there were 93 percent more attacks in the first half of 2021 than in the first half of 2022, while the number of global cyber-attacks increased by 29 percent. Unfortunately, this "perfect storm" has resulted in massive amounts of personal information being breached, as well as millions of dollars being spent on mitigation, response, and recovery efforts.
For healthcare providers, the situation becomes even more dire, as a ransomware attack can not only disrupt business operations and impact the bottom law, but can also have a negative impact on direct patient care. Even with up-to-date backups, it can take several hours or days to get a system back up and running following a ransomware attack, and most providers, and the patients they serve, will feel a negative impact as a result of such delay.
One of the easiest and cheapest ways to prevent cyber-attacks is to train your employees. Yes, implementing two-factor authentication and investing in computer security and protection measures are important, but supplementing those measures with effective employee training will drastically reduce the likelihood of an attack. We are seeing more and more attacks that could have been prevented had an employee been properly trained and known what to look out for. For example, phishing scams where perpetrators send e-mails with attached malware to individuals, appearing as if they came from a legitimate sender, are on the rise. Cyber-security training can help employees identify suspicious e-mails and protect against these types of scams, among others.
Cyber-security training should not take a one and done approach, but rather should be ongoing and periodic. Cyber-security training can be conducted internally by someone within the IT department, or externally by a contracted third-party. I recommend a combination of both, utilizing the expertise and training programs of a third-party in conjunction with the institutional and operational knowledge of someone in-house.
While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend cyber-security training at least one a year. If there is a significant shift in technology, a change in policy/procedure, or an increased threat, additional, more frequent training may also be warranted.
Whenever training is conducted, whether internally or externally, the training should be documented. The documentation should include the date the training was conducted, the employees that were trained, the topics discussed, and a copy of any training materials that were utilized. If a breach incident occurs, this training documentation will become extremely important in the course of the investigation.
In light of the current environment, all healthcare providers should be conducting appropriate, periodic cyber-security training as a first line of defense against attacks.
Kelli Fleming is a Partner at Burr & Forman LLP and practices exclusively in the firm's Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or email@example.com.