An email says your mailbox is "almost full" and provides a link or attachment to "fix it now."
What is a phishing attempt?
This is the recommended minimum length for a strong password at the organization.
What is 8-15 characters?
This federal law protects patient health information and requires us to safeguard PHI.
What is HIPAA?
Clicking a pop-up ad that promises a free gift card.
What is a trick (Cyber threat)?
An employee downloads patient records to a personal USB drive without approval.
What is insider risk?
Usually an email that looks like it is from a legitimate organization or person. Usually contains malware through a link or file.
What is PHISHING?
This security measure requires you to use more than just a password to log in.
What is multi-factor authentication (MFA)?
Leaving a patient chart open on a workstation where others can see it is an example of this.
What is a data privacy violation?
Verifying a phone call by checking the callback number and asking for the "animal of the day" on the information services webpage before giving any information.
What is a treat (Safe Behavior)?
True or false: Most insider threats are caused by malicious employees trying to harm the organization.
What is false? (Most are accidental/negligent.)
A reminder email from IT comes from "@childrensnational.org" and asks you to update your password only through the secure portal.
What is a legitimate message?
True or false: It is okay to share your password with a trusted coworker if they need quick access.
What is FALSE?
Sending PHI over email requires this type of protection.
What is encryption?
Downloading a "Halloween screensaver" from an unknown website on your company computer.
What is a trick (malware risk)?
During offboarding, this critical step must happen to prevent insider risk.
What is revoking system access and retrieving assets?
An email claims you need to verify your hospital ID "immediately" to avoid being locked. It asks you to click a link and enter your credentials.
What is a phishing attempt (urgent + credential theft)?
A strong password should include these four character types.
What are uppercase letters, lowercase letters, numbers, and symbols?
Taking patient files home without permission or secure storage is an example of this.
What is unauthorized removal of PHI (HIPAA violation)?
Receiving a text from "your bank" claiming suspicious charges and asking for your account number.
What is a trick (smishing/scam)?
A clinician clicks a phishing link and unknowingly gives an attacker access. This type of insider threat is called what?
What is an unintentional insider threat?
You get a calendar invite from a colleague with an attachment labeled "invoice.doc" that you were not expecting.
What is a phishing attempt (malicious attachment)?
Using the same password across work and personal accounts creates this risk.
What is credential stuffing (attackers reusing stolen passwords)?
Sharing patient case details on social media, even without names, can still risk this.
What is an unintentional disclosure of PHI (Privacy breach)?
Reporting a suspicious email to IT security using the "Report Phish" button.
What is a treat (best practice)?
Employees who intentionally steal or sabotage hospital data fall under this category.
What is a malicious insider threat?