Raymond D. Aller | March 18, 2018

How hospitals use savvy and software as a phishing net

As seen on CAP Today...

We all know we shouldn’t click on suspicious emails, but suppose you see an email from your department of human resources with an attached document about a new dress code. You open it, thinking “What new dress code?” And now you’ve infected the hospital’s computer system with a virus.

“The number of people who fell for that one was astounding,” says Anahi Santiago, chief information security officer for Christiana Care, a two-hospital system headquartered in Wilmington, Del. Fortunately, it was just a drill—part of Christiana Care’s ongoing campaign against phishing, or using fake email to trick recipients into abetting a cyberattack.

While the system’s mail filters catch about 90 percent of malicious emails, Christiana Care’s approximately 12,000 email users are the last line of defense for those that sneak through, and Santiago tests them quarterly with simulated attacks created by Wombat Security Technologies. If employees click something they shouldn’t, they have to take anti-phishing refresher training, she explains. The software immediately sends them a “teachable moment” message offering tips to avoid future traps and schedules them for a more detailed five- to 15-minute interactive course. While Santiago did not provide specific figures, she says using the testing program has reduced employee failure rates “exponentially.”

“We use six different templates that are sent randomly to our users to lower the likelihood that employees who work in a particular department will get the same test email,” Santiago says. “However, if they were to share that it’s a test, we would not be concerned—at least they would be talking about it, which in turn generates awareness.”

A skilled phishing attack can look like a genuine internal message, complete with corporate logo, says Wombat spokeswoman Amy Baker. Some messages even appear to be from a specific sender, such as an organization’s chief financial officer, a tactic known as spear-phishing. Many organizations’ email formats are standardized and easy to guess. A hacker can deduce a top executive’s email address and include it as part of the message, even though the true originating address is outside the organization, and maybe even outside the country.

HHS’s Office for Civil Rights, which investigates breaches of protected health information, reported 42 incidents, over the past two years, of hackers attacking health care providers via email. Each incident breached the information of between 500 and 80,000 people. (Incidents affecting fewer than 500 people are not reported to the OCR.) Email attacks on providers represent about one in 10 data breaches reported to the OCR since 2016.

Health care employees are less likely than those in other industries to recognize a phishing email if they haven’t had anti-phishing training, according to Wombat’s 2017 “State of Security Education—Healthcare” study. On average, they missed 31 percent of questions in a training module on how to identify a phishing threat, compared with 28 percent of employees across all industries. Yet the company’s 2018 “State of the Phish” report indicates that they are less likely to open phishing messages. Only 10 percent of health care employees in the latter study clicked on a simulated phishing email, a better record than either government (13 percent) or tech (12 percent). Defense contractors did the best, at three percent.

Hackers would rather filch passwords from unwary users or get them to click on a malicious link before they try a direct assault on a computer, says Ryan Hardesty, founder of PhishingBox, also a provider of phishing simulation software for employee training. Documents such as health records command a premium on the dark Web, he notes. A fake note from a CFO, instructing the recipient to pay the attached vendor’s invoice with a wire transfer, can yield an immediate cash bonanza. Phishing is also a way to install ransomware to freeze a hospital’s computer system.

In response to the uptick in cybercrimes, many health care organizations are hardening their defenses against phishing. Kaleida Health, an 11-hospital system in Buffalo, NY, recently banded together with its regional competitors in a coordinated anti-phishing campaign after Kaleida suffered a phishing attack last summer that compromised information on almost 3,000 patients. “We realized that a lot of our providers move between organizations and we all needed to be on the same page with our policies,” says Cletis Earle, Kaleida’s chief information officer. All the health care system CIOs and chief information security officers consult with one another and trade ideas with Buffalo area banks and educational institutions, also frequent phishing targets.

East Alabama Medical Center, Opelika, Ala., uses PhishingBox’s software to run monthly anti-phishing contests. The IT security staff picks 10 to 20 departments and sneaks phishing messages into their daily emails. At the end of the month, the targeted departments are ranked according to how many of their employees succumbed to one or more of the messages. IT security administrator Michael Wegner is proud to say that the average failure rate is one to two percent, and enough departments score 100 percent success that it’s impractical to offer a trophy to the winner. Wegner has also trained people to forward suspicious email to his department.

“Our platform is structured so that employees can easily report suspicious emails to the designated individuals,” explains PhishingBox’s Hardesty. And PhishingBox, like Wombat, offers multiple-template campaigns to organizations concerned about employees sharing their phishing experiences.

“Now and then,” says Wegner, “someone will send us a real phishing email and say, ‘Ha, you didn’t get me this time!’ And we say, ‘That wasn’t one of ours.’”

Teaching employees to flag a potential threat isn’t always easy, however, since people are often distracted or hurrying through email messages. It takes a conscious effort to hover before you click, for example. By hovering over an email address or a link, you can often see where it really came from or where it will go. If the information you get from hovering doesn’t match that in the original message, you’re being phished, says Earle.

Employees should also watch for external mail pretending to be internal mail, the experts say. Some mail servers tag outside mail with [EXTERNAL] or something similar in the subject line. Some don’t show addresses for internal senders, just names. A phishing attempt typically will look like an external message, even if it claims to be internal.

Phishing messages have better spelling and grammar than they used to, but if the language sounds off, or if it’s asking you to do something that’s not normal procedure, send it to your IT security team for verification, says Earle. “If it smells phishy, it is.”—Elizabeth Gardner

Read this article on CAP Today