Enterprise Risk Management (ERM) Technology

Preventing and Surviving Social Media Hacks

Kenita Hill

Social media risks have skyrocketed over the past decade. Some of the most common platforms of concern include Facebook, Twitter and LinkedIn. Risk managers are dealing with more than average risks when it comes to potential privacy breaches because cyber criminals have become very savvy when it comes to stealing personal information.

There are many different avenues that a cybercriminal can target. Patient information, electronic medical records, billing information, patient portals, as well as smart devices pose opportunities for personal information to be hacked. Determining whether or not an organization’s security has been breached presents serious challenges for risk managers to handle swiftly and efficiently. Every day, social media platforms report that some form of information has been hacked or stolen. Organizations face challenges getting this risk exposure under control, as well as determining security measures to treat the risk.

As an illustration, a vice president of marketing for a local hospital falls prey to a custom phishing message via social media containing malware that enables the hacker to control the victim’s device. Messages appear to be sent from the VP’s hospital account on Twitter, LinkedIn and Facebook stating there’s a measles outbreak among staff in the emergency room. Once this bogus information launches on social media platforms, it can go viral in a matter of minutes. The potential financial loss and reputational fallout are great. An event like this could cost an organization millions of dollars and months to recover public confidence. This type of scenario is why risk managers are challenged every day to make certain an organization has a plan to protect its social media accounts.  

Unfortunately, the reality is that social media accounts get hacked. As stated in a 2018 article in Adweek, “Social media platforms to hackers are like a candy store to a kid.” In 2013, a Twitter hack of the Associated Press claimed there were explosions at the White House. The tweets caused a brief Wall Street plunge that resulted in a loss of $136 billion. In 2017, a computer of a Pentagon official was hacked when an employee clicked on a link about a vacation in his Twitter account. In November 2015, employees at the State Department were victims of spear phishing through social media accounts.

According to a FICO survey conducted by Ovum, an overwhelming 70 percent of health care organizations do not have cybersecurity insurance. Ransomware attacks are the largest percentage of cyberattacks impacting health care organizations.

Preventing Being Hacked

  • Focus on securing your account. Multi-factor authentication, also known as two-step security, provides an extra layer by requesting additional information during the login process, such as a PIN sent to your mobile phone by text message or, preferably, provided by an authenticator app. Fewer than 10 percent of users take advantage of this free service offered by most online companies. Twitter, Facebook, LinkedIn, Google and Microsoft all offer two-step verification.
  • Know that fingerprint login is one step and is NOT foolproof.
  • Learn to recognize phishing attempts and provide training for staff. The Federal Trade Commission Consumer Information has excellent tips on how to avoid falling prey to a phishing scam.
  • Pay attention to your emails before clicking on them. Who are they from? Don’t just look at the name; check the sender’s email address. Make sure it is a valid address. This can be difficult to verify when you’re using a mobile device.
  • Beware of clicking on links that are sent to you via direct message.
  • Use strong passwords and change them frequently.
  • Do not use the same password on different sites.
  • Do not save passwords on a shared computer.
  • Keep your anti-malware software up to date.
  • Avoid using free public Wi-Fi.

Responding to Being Hacked

  • Contact your IT department immediately if you are on your work computer or if it involves your business account.
  • Try to regain control of your account. If you’re able to access it, change your password immediately. Make sure you use a strong password that includes a combination of uppercase and lowercase letters, numbers and special characters.
  • Contact your social media provider immediately if you’re unable to access your account.
  • Check your computer for malware.
  • Check connected applications.
  • Change all passwords. Too often, users use the same passwords for all online accounts including bank accounts and personal emails.
  • Check your social media profile to see what unauthorized messages were sent from your profile.
  • Tell your followers that your account was hacked.

Collaborating with IT will help build a strong plan of action for protecting social media accounts. Hold regular sessions with staff on how to recognize the latest hacking and phishing scams. Do the research to ensure your cybersecurity insurance policy covers all of your risks; it could pay off in millions of dollars.


Sukherman, Konstantine. (2018 May 3). Your Social Media Accounts are Putting you at Risk: Here’s Why. Adweek. Retrieved May 7, 2019, from https://www.adweek.com/digital/your-social-media-accounts-are-putting-you-at-risk-heres-why/

Fisher, Max. (2013 April 23). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? The Washington Post. Retrieved April 2019, from https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/?utterm=.96c5fb825a2f

Frenkel, Sheera. (2017 May 28). Hackers Hide Cyberattacks in Social Media Posts. The New York Times. Retrieved April 2019, from https://www.nytimes.com/2017/05/28/technology/hackers-hide-cyberattacks-in-social-media-posts.html

FICO Survey: Most US Firms Have Cybersecurity Insurance –But Only 1 in 3 Say It Is Full Coverage. (2018 August 21). PR Newswire. Retrieved May 7, 2019, from https://prnewswire.com/news-releases/fico-survey-most-us-firms-have-cybersecurity-insurance–but-only-1-in-3-say-it-is-full-coverage-300700037.html

Chang, Ellen. (2017 July 10). Top 10 Ways to Avoid Being Hacked. TheStreet. Retrieved May 2019, from https://www.thestreet.com/slideshow/14205477/1/top-10-ways-to-avoid-being-hacked.html

Stempniak, Marty. (2019 May 8). Study: Ransomware the No. 1 cyber threat for healthcare providers. McKnight’s Long-Term Care News. Retrieved May 8, 2019, from https://www.mcknights.com/news/study-ransomware-the-no-1-cyber-threat-for-healthcare-providers/

What To Do When Your Social Media Accounts are Hacked. (2018 September 28). Nexus. Retrieved May 2019, from https://nexusconsultancy.co.uk/blog/what-to-do-when-your-social-media-accounts-are-hacked/

What to Do When Your Social Media Account Is Hacked. SaferVPN Blog. Retrieved May 2019, from https://www.safervpn.com/blog/social-media-hack/

Kenita Hill, MSA, CPHRM, LNHA, LPN, is vice president of operations at ServarusRM. A licensed nursing home administrator with a background in long term care that spans more than 25 years, she is responsible for the operations of the risk management program at ServarusRM, on-site risk management audits and training at SNFs and ALFs across the country; and the oversight and enhancement of the adverse incident tracking tool known as ERMA.
