Phishing and security awareness best practices for healthcare [Updated 2019]

June 28, 2019 by Stephen Moramarco

As healthcare organizations continue their push to modernize their record keeping, more and more patient data can be used in a variety of important ways. However, this rich trove of information is being targeted by hackers and thieves as never before. It is therefore important to train all staff about security and the very real dangers of phishing, malware, and ransomware attacks. Here is a guide to some steps every facility should take as soon as possible.

Education and Awareness

All employees must constantly be reminded of the importance of staying vigilant. This can and should take the form of signage, memos, emails, videos, and staff meetings. A good resource for signage is the STOP.THINK.CONNECT. campaign created by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG). Especially important for healthcare facilities is the very real threat of ransomware - computers being held hostage for money. One of the campaign's offerings is a Ransomware Tipsheet that can be printed and given to all staff.


It’s also an excellent idea to have all personnel professionally trained in what these threats are and how to spot them. InfoSec Institute has an educational program called AwareED, a series of modules that include videos and tests about phishing, malware, and other essential security topics. They can be configured in any manner and delivered to learners automatically. Administrators can see on the dashboard who has enrolled, passed, or failed.

Delete Data

The more information you hold, the more vulnerable your organization. Regularly audit what is being kept and why. Delete any data that is unnecessary, redundant, or expired.

Written Protocols

Security methods and practices that are implemented should be written out and understood by everyone. Employees should be required to read and sign off on the document. This information should include the hierarchy of information security, particularly what to do and who to call if or when you suspect the system has been compromised. Encourage participation not with threats or blame but with a small reward for those who flag suspicious emails or activity.

Covert and Overt Drills

Another crucial piece of prevention protocol is real-world testing and responding. As mentioned earlier, most hacks or breaches are not from rogue employees but outside hackers. The most common method of attack is some type of variation on phishing - sending emails pretending to be official or familiar correspondence but containing malware or links to rogue websites that capture usernames and passwords or other data.

The best way to understand who is susceptible to phishing attacks as well as assess the overall security of your systems is to “phish” employees. This can be done in a safe and ethical manner with SecurityIQ’s other flagship application PhishSIM.

PhishSIM is short for Phishing Simulator and is an automated way to send a series of campaigns to your entire organization. Campaigns can be created or adapted from a wide range of templates and are designed to mimic common methods of attack: emails with a link, emails with an attachment, or emails directing the recipient to a site that asks for credentials.

It is suggested that you create at least one phishing email of each type and set up a battery, which will send them automatically to your list.

If a user clicks the link, instead of being compromised they will be sent to a landing page (which you can configure) and shown a short video informing them that they have been “hacked.” From there, they can be enrolled in the AwareED campaign. (You will also be notified of their actions.)

On the other side of the problem, just like we have earthquake or other disaster-type drills, you should regularly run hacking or ransomware drills. Talk with IT to develop a simulation and then set up a date and time to enact it. Measure response times, take notes of what went right and what went wrong. Repeat regularly.

Other Security Factors to Consider

Securing the Network

Hospital and healthcare networks should run on enterprise-level servers using Linux-based software, kept in locked rooms, preferably with cameras installed. (However, it should be noted that just 15% of breaches are due to insiders.)

Encrypt all data on these drives; if there is a wireless network, make sure it adheres to the latest encryption and security standards. It’s also critical that network access is segregated so that a hacker, if successful, will not have full run of the entire database.

Eliminate file sharing or messaging apps, as these peer-to-peer services can be exploited even if installed but not used. Do not allow anyone to install software without permission.

As more and more medical devices become connected to the Internet of Things (IoT), the attack surface grows with them. Make sure all the latest software and firmware patches are installed.

Limit Access

Allow only authorized personnel to log in to the system. Make sure everyone uses strong passwords. While a combination of numbers, letters, and symbols is thought to be extremely strong, such passwords are also difficult to remember. A newer school of thought suggests combining four non-associated words (“lampshade parrot astronomy fool”), which can be more easily remembered and is just as strong.
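To show why four random words can be "just as strong" as a short mixed-character password, here is an added example (not from the original article or from InfoSec Institute) that computes the entropy of both approaches and generates a passphrase with a cryptographically secure random source. The 94-character printable ASCII pool, the 7,776-word list size (the size of a five-dice word list such as the EFF long list), the guess rate and the small sample word list are assumptions made for this example.

```python
import math
import secrets

# Constructed sample word list, standing in for a vetted list such as the
# EFF long list. A list this small is far too weak for real use; it exists
# only so the generator below runs offline.
SAMPLE_WORDS = [
    "lampshade", "parrot", "astronomy", "fool", "granite", "velvet", "kettle",
    "orbit", "cactus", "ribbon", "thunder", "marble", "compass", "lantern",
    "saddle", "pepper",
]

PRINTABLE_ASCII = 94       # letters, digits and symbols on a US keyboard (assumption)
FIVE_DICE_WORDLIST = 7776  # 6**5 words, the size of a diceware-style list (assumption)
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size`.

    Each uniformly chosen symbol contributes log2(pool_size) bits, so a word
    from a 7,776-word list is worth about 12.9 bits and a printable ASCII
    character about 6.6 bits. The pool is what matters, not the symbol type.
    """
    return length * math.log2(pool_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an offline brute-force attack to hit the secret.

    On average an attacker tries half the keyspace, hence 2**(bits - 1).
    """
    return 2 ** (bits - 1) / guesses_per_second


def strength_report(guesses_per_second=1e10):
    """Compare an 8-character mixed password with a four-word passphrase.

    The guess rate is an assumed figure for an offline GPU attack; online
    logins are rate-limited and far slower, so both schemes fare much better
    there. Returned values are rounded for readability.
    """
    report = {}
    for label, pool, length in (
        ("mixed_8char", PRINTABLE_ASCII, 8),
        ("four_words", FIVE_DICE_WORDLIST, 4),
    ):
        bits = entropy_bits(pool, length)
        report[label] = {
            "bits": round(bits, 1),
            "crack_days": round(
                expected_crack_seconds(bits, guesses_per_second) / 86400, 1
            ),
        }
    return report


def generate_passphrase(words, count=4):
    """Pick `count` words with a CSPRNG.

    `secrets.choice` draws from the OS entropy source; the `random` module
    is seeded predictably and must not be used for secrets.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, row in strength_report().items():
        print(f"{name:12s} {row['bits']:5.1f} bits  ~{row['crack_days']} days offline")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The report makes the article's point concrete: four words from a 7,776-word list (about 51.7 bits) and eight printable ASCII characters (about 52.4 bits) are essentially equal, and the passphrase is the one staff can remember. It also shows the catch: the words must be drawn randomly from a large list. Four words picked from the 16-word sample above give only 16 bits, which is why the word list size, not the word count alone, decides the strength.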

If there are shared passwords that need to be written down at workstations, keep them in a locked drawer and rotate them regularly. Have a system that automatically invalidates the user accounts and passwords of employees who no longer work there.
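One way to implement the "invalidate accounts of former employees" check is to reconcile the directory's account list against the HR roster on a schedule and disable anything that does not match. The example below is added here and is not code from the article or from InfoSec Institute; the roster, the account records, the service-account allowlist and the 90-day idle threshold are all constructed for the illustration, and a real deployment would pull these from HR and the directory service.

```python
from datetime import date

# Constructed inputs: the HR system's list of currently employed logins, the
# directory's account records, and known service accounts that have no
# employee behind them and must be reviewed separately rather than disabled.
HR_ACTIVE_LOGINS = {"jdoe", "asmith", "rlee"}
SERVICE_ACCOUNTS = {"svc-backup"}
DIRECTORY_ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_login": date(2019, 6, 20)},
    {"user": "asmith",     "enabled": True,  "last_login": date(2019, 3, 1)},
    {"user": "rlee",       "enabled": True,  "last_login": date(2019, 6, 27)},
    {"user": "tformer",    "enabled": True,  "last_login": date(2019, 5, 30)},  # left in May
    {"user": "bgone",      "enabled": False, "last_login": date(2018, 12, 3)},  # already off
    {"user": "svc-backup", "enabled": True,  "last_login": date(2019, 6, 27)},
]


def find_accounts_to_disable(accounts, hr_active, service_accounts, today,
                             max_idle_days=90):
    """Return (user, reason) pairs for enabled accounts that should be cut off.

    Two signals are checked: the login is no longer on the HR roster (the
    person left), or the account has not been used within `max_idle_days`
    (a forgotten account nobody is watching). Service accounts are skipped
    so an automated job never disables a backup or monitoring identity.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"] or user in service_accounts:
            continue
        if user not in hr_active:
            findings.append((user, "not on HR roster"))
            continue
        idle_days = (today - acct["last_login"]).days
        if idle_days > max_idle_days:
            findings.append((user, f"idle for {idle_days} days"))
    return findings


def apply_disables(accounts, findings):
    """Return a new account list with the flagged logins disabled.

    The original records are left untouched so the caller can diff before
    and after and keep an audit trail of what the job changed.
    """
    to_disable = {user for user, _ in findings}
    return [
        {**acct, "enabled": acct["enabled"] and acct["user"] not in to_disable}
        for acct in accounts
    ]


if __name__ == "__main__":
    today = date(2019, 6, 28)  # constructed run date
    found = find_accounts_to_disable(
        DIRECTORY_ACCOUNTS, HR_ACTIVE_LOGINS, SERVICE_ACCOUNTS, today
    )
    for user, reason in found:
        print(f"disable {user}: {reason}")
    updated = apply_disables(DIRECTORY_ACCOUNTS, found)
    print("enabled after run:", [a["user"] for a in updated if a["enabled"]])
```

Run against the constructed data on 2019-06-28, the job flags `tformer` (no longer on the roster) and `asmith` (119 days without a login) and leaves `svc-backup` alone. The roster comparison is the part that closes the gap the article describes: an offboarding ticket can be missed, but a nightly reconciliation against HR catches the account anyway.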

Mobile Security Protocols

Mobile devices are now the norm in nearly every environment. While this creates convenience, it also adds more avenues for mischief. The best method is to allow only smartphones that have been issued by your organization and can be monitored and disabled or wiped if necessary. However, practicality often means you permit BYOD (“bring your own device”). In this case, insist that all devices use a six-digit numeric passcode (instead of the traditional four) and are configured to encrypt their data. (Apple does this by default; Android requires setup.) Again, limit their access to the entire network.


These are just a few of the necessary tactics to keep your healthcare organization and its data safe. InfoSec is offering a free membership for PhishSIM and AwareED that has limits on the number of learners and campaigns. We are also offering a free month of unlimited use. Sign up today and get started on taking control of your network before someone unauthorized does it first!



Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.