Learning to see through a scam
No matter how good a hospital’s technology is, it can’t prevent bad emails from slipping through on occasion. So, employee education is an essential part of hospitals’ information security efforts. “We have 7,500 people with mailboxes, and one of them making a mistake one time winds up being a lot of work to address,” Winn says.
In December 2015, an employee fell for a phishing email. The victim’s account sent out 600,000 spam emails, and Munson was temporarily put on email blacklists. No patient information was compromised, Winn says, and Munson increased its internal communication to heighten awareness.
Regular training is essential for staff. “It’s not just education of the type that is one time and that says, ‘don’t open suspicious emails,’” says AHA Assistant General Counsel Lawrence Hughes. “It really goes beyond that and helps people understand and identify potential phishing emails, and understand what to do if you were to receive one.”
Teaching email users to report suspicious emails to the IT team enables the team to trace the problem and build in protections for the whole organization, Hughes adds.
A big goal of the training is to get email users to take the time to check for signs that messages might be phishing schemes. “We all get hundreds of emails a day, and we’re all very busy and running a million miles per hour,” says Sheryl Rose, vice president and chief information security officer for Catholic Health Initiatives. “What we continually reinforce to our user base is to slow down, to be cautious and look, even if it may seem like a benign item coming from a senior executive. If you really look, you’ll find something.”
Information security education should include anyone who has an email account. Don’t overlook interns and volunteers, Kim cautions. Training should start at onboarding and continue with regular refreshers.
Kim recommends that education include tips that people can integrate into their daily workflow, as well as real examples of phishing emails.
Beth Israel Deaconess over the past two years has developed an education program called Keep It Private. It involves more than 100 coaches whose job it is to communicate, educate and lead by example. “It’s an army of those who educate our entire workforce about the dangers of phishing, spear phishing, social engineering, and the things you should never do, like respond to an email with your password, give out your credentials over the phone, or download games onto your iPhone and then use it to access patient-identified information,” Halamka says. “Technology, policy and education provide the layers of defense.”
Some hospitals conduct mock phishing exercises to reinforce lessons and keep users engaged. Beth Israel Deaconess uses a third-party firm for its exercises. Start with a good test, but one that isn’t too tough, Halamka recommends, perhaps an email with a spelling error or two, a grammatical error or two, and a URL with some identifiable problems.
“If the email is crafted beautifully, you’re basically trapping people, as opposed to teaching them,” he says.
When a staffer falls for the fake email, he gets more education. As exercises continue, the mock phishing emails get more sophisticated to sharpen users’ skills.
Mock phishing doesn’t just heighten vigilance among email users; it also helps hospitals track whether training is working. “Security awareness training is great, but when you put it into action, that’s where the proof is in the pudding,” Rose says.
When bad things happen anyhow
Unfortunately, even the best technology and education don’t guarantee that a criminal will never breach a hospital’s defenses. Hospitals need to have response plans in place to deal with incidents as quickly and efficiently as possible. “You need a team that can do triage, figure out what’s going on, stop the data bleed, rectify the damage, mitigate the loss and get back to normal,” Kim says.
At Munson, the formalized data breach response plan allows for some interpretation on the front end, depending on how big the incident is and what data the criminals are targeting. The 15-member team of responders — from IT, legal, safety, administration and other departments — runs breach drills twice a year. The goal is “to make sure we’ve got the right people in the right places doing the right things,” Winn says.
The health system also carries cyber liability insurance in case it has a major incident. The insurance helps to cover the expenses associated with a breach, which Ponemon Institute, an IT research firm, estimates can reach as high as $363 per health record. The liability insurer also provides a variety of resources, Winn says.
Response to a big breach could require quickly setting up a call center; disclosing the incident to patients, government and the media; and bringing in extra legal expertise and digital forensics experts. “Those are not things that most health care systems have in house, especially one that’s Munson-sized,” Winn says. “Cyber liability insurance is one of the things that helps me sleep a little better at night, knowing that if something really bad were to happen, I’ve got resources to work through it.”
In 2014, Franciscan Health System, based in Tacoma, Wash., fell prey to a phishing scam. A small group of employees responded to emails they mistook for legitimate requests from the system’s parent company, CHI. Information on more than 8,000 patients was exposed.
Rose declined to discuss any changes CHI made in response to the Franciscan breach. But, she says: “The No. 1 important thing is to learn from a particular event and enhance and implement what you need to for that event. Don’t go too macro — be very particular about what you enhance or implement from a control perspective.”
Cyber criminals go to work every day, just like the hospital workers who are trying to protect their institutions from them. “You feel like you’re constantly playing catch-up or chase,” Rose says.
Winn expresses a similar sentiment. “It never stops,” he says. “It’s exhausting to watch all of these activities going on constantly.”