Experts also recommend tweaking access settings for external users in Microsoft Teams. Multifactor authentication can help secure login attempts in applications such as Teams, notes Salman Ansari, managing director for cyber risk advisory at Brown & Brown. He also recommends limiting access to certain features in Teams based on the level of trust and collaboration needed.
“Organizations can leverage guest access controls to manage permissions for external users and grant the least privilege necessary for them to contribute effectively,” Ansari adds.
“By implementing data loss prevention policies, organizations can prevent sensitive patient data from being accidentally or maliciously shared externally through Teams chats or file sharing,” Ansari says. “Organizations can monitor user activity logs to identify suspicious access attempts or unusual data sharing behavior, especially involving external users.”
Because healthcare providers use Teams to communicate with patients and suppliers, shutting down external access may not be possible, Caveza says. Still, providers must train professionals throughout their organization on security awareness to protect against healthcare phishing and social engineering attacks, Caveza says. That includes warning users not to click on suspicious links or downloads.
Hospital IT teams should isolate malicious sessions initiated by links embedded in Teams messages, Witt says.
Best Practices on Protecting Against Healthcare Phishing
Caveza recommends taking classes from the Open Worldwide Application Security Project to learn how to protect applications from introducing the IDOR vulnerability. OWASP provides recommendations on secure coding practices and input validation techniques.
Eilhardt also recommends role-based access controls to mitigate IDOR.
“By properly defining roles and permissions with RBAC, you can limit the data users can access even if they find an IDOR vulnerability,” Eilhardt says.
Organizations should take a multilayered approach to preventing healthcare phishing attacks and address specific vulnerabilities. Train staff at health systems and clinics on how to identify fraudulent invoices and payment requests, Eilhardt advises, and train nurses on how to spot fake appointment confirmations or patient record requests.
Eilhardt also recommends conducting phishing simulations and sending out test phishing emails to evaluate the effectiveness of training programs and spot areas in which employees are susceptible, she says.
UP NEXT: Learn how a robust cyber resilience strategy mitigates hospital downtime.
