Every October, organizations across the public and private sectors come together to observe Cybersecurity Awareness Month. Established in 2004 by a joint declaration from the President of the United States and Congress, this month serves as a critical reminder of the importance of cybersecurity in an increasingly digital world. What began as a U.S. initiative has grown into a global movement, with governments and industries collaborating to raise awareness about the ever-evolving landscape of cyber threats.
Now in its 21st year, Cybersecurity Awareness Month encourages organizations to adopt proactive measures to safeguard personal, financial, and operational data. This year’s focus on best practices serves as a vital guide for healthcare organizations looking to strengthen their defenses.
Protecting sensitive information is paramount in the complex and data-heavy world of healthcare. Health plans and Third-Party Administrators (TPAs) handle large volumes of patient health data, making them prime targets for cyberattacks. As healthcare organizations rely heavily on technology for managing claims, enrollments, and billing, the risk of a breach grows, making cybersecurity not just a priority but a necessity.
In this blog, we will explore four essential practices that healthcare organizations can adopt to enhance their cybersecurity strategies. Building upon guidance from the Cybersecurity & Infrastructure Security Agency (CISA), we have tailored these practices specifically for health plans and TPAs:
- Recognize and Report Phishing
- Use Strong Passwords
- Enable Multi-Factor Authentication (MFA)
- Keep Software Updated
These tips are designed to help healthcare organizations protect their data and maintain trust with their members, ensuring operational stability and regulatory compliance.
1. Recognize and Report Phishing: Identifying the First Line of Attack
Phishing attacks remain one of the most common and dangerous forms of cyber threats. According to the Verizon 2024 Data Breach Investigations Report, phishing remains a significant issue, with the human element involved in 68% of all breaches.1 Furthermore, phishing simulations revealed that 20% of users reported phishing attempts, though the median time for a user to click on a phishing link was alarmingly fast—just 21 seconds.
In healthcare administration, where multiple touchpoints exist between patients, providers, and administrators, phishing schemes are particularly disruptive. Health plans and TPAs must train employees to detect suspicious emails or messages that appear to come from trusted sources but are, in fact, designed to steal sensitive information. Proper reporting channels ensure that phishing attempts are caught and neutralized quickly, reducing the risk of further compromise.
What to Do:
- Educate employees to recognize telltale signs of phishing, such as unfamiliar senders, incorrect domains, or unexpected attachments.
- Establish a streamlined reporting process to alert the IT team to suspicious emails and potential phishing attempts.
2. Use Strong Passwords: Fortifying the Gateway to Sensitive Data
Weak passwords remain one of the easiest ways for cybercriminals to access critical systems. According to the CrowdStrike 2024 Global Threat Report, credential-based attacks continue to be a preferred entry method for cyber adversaries, with a 60% year-over-year increase in the number of interactive intrusion campaigns.2 These attacks typically involve the use of stolen or weak credentials to gain access to critical systems, emphasizing the importance of strong, unique passwords to protect healthcare administration systems.
For health plans and TPAs, password policies need to go beyond the basics, ensuring that passwords are not only strong but also unique and regularly updated. Utilizing password management tools can help reduce the risk of using weak or reused credentials.
What to Do:
- Mandate that passwords be at least 12 characters, incorporating numbers, symbols, and a mix of upper- and lower-case letters.
- Provide employees with password management tools to ensure they use unique and strong passwords across systems.
The CrowdStrike report emphasizes that password-related vulnerabilities remain a leading cause of system breaches, underscoring the necessity of password security in any comprehensive cybersecurity strategy.
3. Enable Multi-Factor Authentication (MFA): Adding an Extra Layer of Security
Multi-Factor Authentication (MFA) is a crucial security measure that goes beyond the use of passwords. According to Microsoft, enabling MFA can block 99.9% of automated cyberattacks.3 With over 300 million fraudulent sign-in attempts to Microsoft’s cloud services daily, MFA has proven to be a powerful tool in preventing unauthorized access.
For health plans and TPAs, MFA can dramatically reduce the risk of unauthorized access to systems containing sensitive personal and financial data. MFA requires users to provide an additional form of verification—such as a one-time code sent to their phone or email—before accessing systems. Even if a password is compromised, MFA provides a critical second layer of defense.
What to Do:
- Require MFA for all platforms that handle sensitive data, including client portals, health plan administrative systems, and billing platforms.
- Ensure vendors and partners also use MFA to protect shared systems.
By implementing MFA, organizations can significantly decrease the chances of account compromise, making it a vital part of a robust security strategy.
4. Update Software: Staying Ahead of Vulnerabilities
Outdated software continues to be one of the most significant vulnerabilities in healthcare systems. According to the 2023 Ponemon Institute Cost of Insider Risks Report, organizations that experienced insider-related incidents attributed a significant percentage of breaches to employee negligence, which includes failing to update or patch software. In fact, non-malicious insider incidents—often caused by oversight such as missing software updates—represented 55% of all insider incidents, costing organizations an average of $505,113 per incident.4
Health plans and TPAs rely on numerous systems to handle sensitive data, and failure to keep these systems updated leaves them vulnerable to both insider threats and external attacks. Regular software updates ensure that known vulnerabilities are patched, reducing the likelihood of successful cyberattacks.
What to Do:
- Implement a routine schedule for system audits and software updates, prioritizing critical patches for known security vulnerabilities.
- Partner with vendors who proactively deliver security updates for their software solutions.
By staying on top of software updates, healthcare organizations can significantly reduce the risk of insider incidents and potential breaches, keeping sensitive data secure.
Commitment to Cybersecurity Beyond October
National Cybersecurity Awareness Month serves as an annual reminder to evaluate and strengthen your organization’s security posture. For health plans and TPAs, securing sensitive health data is about more than compliance—it’s about trust, reputation, and operational stability. By adopting best practices like recognizing phishing, using strong passwords, enabling MFA, and keeping software updated, your organization can mitigate risk and better protect your data from cyber threats.
At HealthAxis, our commitment to cybersecurity extends beyond mere observance of this month. It’s woven into our daily operations and solutions to ensure that we provide the highest standards of security for our clients. Cybersecurity is a shared responsibility, and with the right tools and practices in place, we can all contribute to building a safer healthcare administration ecosystem.
Author:
Ralph Pugh
Information Security Analyst III
Sources:
- 2024 Data Breach Investigations Report, Verizon
- 2024 Global Threat Report, CrowdStrike
- One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts, Microsoft
- 2023 Cost of Insider Risks Global Report, Ponemon Institute | DTEX