As the threat of cyber attacks hangs over the healthcare industry, providers increasingly understand that lost laptops or other data memory devices are no longer the greatest breach threat.

The most worrisome threat now is social engineering by hackers to trick employees into giving access to an organization’s information network, said Chris Bowen, founder and chief security officer at cloud-hosting and security services firm ClearDATA, during an interview at HIMSS16. “We’ve seen an uptick in investments of social engineering simulations. If an employee clicks on a link they should not, it takes them to a training page.”

ClearDATA provides secure cloud hosting that enables its healthcare customers to monitor compliance with encryption, access control, back-up, patching, login system log retention and security screening policies, among others. While employees are the biggest threat to an organization’s network, they also can be the best defense, said Scott Whyte, advisor and former chief strategy officer at ClearDATA and former IT leader at Phoenix Children’s Hospital and Dignity Health.

Few organizations have the technology budget to sufficiently defend against attacks, Whyte notes. What they most need is a culture of compliance as opposed to a security checklist “that is all green or As,” he advised. “That shows a fake report of your compliance.”

At HIMSS16, ClearDATA saw a big increase over last year’s show in larger vendor and provider organizations initiating conversations about improving their security.

These entities have the means to put up a better fight against hackers, and a recent Ponemon Institute anonymous survey of hackers bears this out, Whyte said. Hackers took an average of 100 hours to get into a good IT infrastructure and 147 hours to breach an excellent infrastructure. However, after an average of 209 hours trying to get in, they gave up.

For smaller organizations, there is a strategy that can improve the odds of avoiding a big attack, according to Whyte. “When chased by a bear, you don’t have to outrun it; you just have to outrun the other guy.”

Originally published by HealthData Management on March 4, 2016.