The past few years have seen an explosion of cyber attack activity in the healthcare industry.
But that shouldn’t come as a surprise. Healthcare records are a goldmine for enterprising hackers, and with low security budgets across the industry it’s no wonder that healthcare organizations are considered a soft target.
A cursory glance at the industry’s security profile tells us everything we need to know. There are weaknesses everywhere, and hackers all over the world know it.
Incredibly, from a single successful healthcare breach, a hacker stands to earn anything from $285,000 to $1.7 million.
Small wonder, then, that healthcare breaches have become an almost daily occurrence.
So if you’re in the healthcare industry, you’re probably wondering what you can possibly do to keep your organization secure. Healthcare organizations are often highly complex environments, which can make the task of maintaining a strong security profile a real challenge… so where do you start?
In my opinion, the very best place to begin is with your users. Here’s why.
Why Your Users Should Be Your First Priority
If you want to take a risk-based approach to security, as most organizations do, it makes sense to start with an analysis of past healthcare breaches. After all, while new attack vectors do come along every now and then, for the most part the past predicts the future.
What does that mean for the healthcare industry? Simple. According to Verizon’s 2016 Data Breach Investigations Report, healthcare breaches fall into three categories:
- The insider threat
- Lost and stolen devices
- Phishing and ransomware
And what do these threats have in common? They’re all predominantly rooted in human error.
Even the insider threat, which most people associate with disgruntled employees, is overwhelmingly populated with well-meaning employees making seemingly insignificant mistakes. It happens all the time. Just like this guy, who accidentally sent a few emails to the wrong recipient, any one of your users could easily place your organization at risk multiple times each day.
But by taking the time to train your users properly, you can dramatically reduce your organization’s cyber risk profile.
Your Current Security Awareness Program Has To Go
Most security awareness training is awful… and everybody knows it. It’s boring, seemingly pointless, and wouldn’t exist if it wasn’t a requirement for HIPAA compliance.
Be honest, now. Your security awareness program is held once per year in a dank, dark basement room somewhere, and everybody dreads it. When it’s over, you all go back to throwing sensitive documents in the trash instead of shredding them. After all, the shredder has been broken for months, and who has time to call the repair guy?
But when you understand that the most significant threats to your organization are a direct result of human error, you’ll realize this has to change right now. And if you’re serious about improving your organization’s security profile, it’s going to need to be a dramatic change.
One of the biggest issues I have with most security awareness training programs is that they’re completely one-directional. Risk officers and security professionals identify the points they want to cover, sit employees down, and talk to them about it.
But when you get right down to it, what is the value of security awareness? Does improved awareness actually lead to better decision-making?
Rather than “increasing awareness”, we really ought to be focused on modifying security behaviors. And if we can learn anything from behavioral psychology, it’s that simply telling somebody how and why they should do something has almost no impact whatsoever on their behavior.
No, if you really want to improve the security of your healthcare organization, and you recognize that security behaviors need to change, the process is going to need to be a lot more interactive.
Of all the risks to your healthcare organization, one in particular stands out: Phishing.
Phishing emails can deliver malware, such as keyloggers or ransomware, and they can also trick users into giving up their login credentials. Sophisticated spear phishing attacks often seem to have been sent by senior members of your own organization, and have routinely been used to trick users who process payments into wiring large amounts of money directly into a hacker’s account.
According to Verizon, regardless of the technical mechanisms used or exploited, the vast majority of data breaches begin with a phishing or spear phishing campaign. And sadly, there is no way to prevent at least some phishing emails from reaching your users’ inboxes.
How, then, can we modify user behaviors in order to reduce the risk posed by phishing? In short, we must train users to the point where they can identify and report phishing lures, rather than being tricked into complying with their demands.
And how can you achieve that? Simple. Phish your employees on a regular basis.
Yes, you read that correctly. If you want to improve your users’ ability to identify and report sophisticated phishing emails, you’ll need to study real phishing campaigns, construct your own, and send them to every one of your users on a regular basis.
Naturally, you’ll need to provide some training first. You’ll need to explain why and how the program will work, and how you want your users to respond. You’ll need to teach users how to identify malicious emails, and explain the tactics commonly used by hackers to trick unsuspecting employees into compromising their organizations. Perhaps most importantly, you’ll need to constantly reiterate how having malicious emails reported to you instead of ignored will dramatically enhance your ability to identify and quarantine future phishing campaigns.
But once all that is said and done, you’ll need to get phishing.
Success Must Be Easy
When a user receives one of your simulated phish, or identifies a real email as malicious, it’s vital that they don’t simply ignore it. Yes, of course, ignoring malicious email is infinitely preferable to “falling for it”, but it’s still not ideal.
By reporting malicious emails to your security team, your users will be playing a vital role in improving the security of your organization. First and foremost, it will enable you to quickly identify and quarantine other incoming malicious emails, which will routinely prevent serious security incidents and even breaches.
But it doesn’t stop there. In order to be maximally effective, your simulation must resemble real-world phishing lures, and there’s no better way to achieve this than by habitually capturing and analyzing real-world samples. Where do these samples come from? You guessed it: reported phishing emails.
Naturally, then, you’ll want to make it as easy as possible for users to “win”. Any time they identify a malicious email, their first thought will be to delete or ignore it, so you need to make it as simple (and fun) as possible for them to report it instead.
To that end, I strongly suggest adding a simple “Report Phish” button to your users’ email client.
Ideally, when they report an email, they should immediately see a pop-up that either congratulates them on successfully identifying a simulated phish, or thanks them for reporting a malicious email.
That way, whenever they correctly identify a simulated phish, or think an incoming email looks a bit dodgy, they can simply click a button to send it directly to your security team.
This may seem trivial, but in my experience it makes a huge difference: The harder it is for a busy user to report an email, the less likely they are to do so.
Don’t Fear Failure
When you start phishing your users, you’ll quickly see improvements in their ability to identify and report malicious email. But you’ll also notice that they fail a lot.
And I have to be honest, improving your users’ ability to identify and report malicious email isn’t going to happen overnight. These are busy people we’re talking about, and unless we rigorously train and test them, they aren’t going to have security at the forefront of their mind at all times. At the beginning, you’ll be training them with very basic phishing simulations, and you’ll still see high rates of failure.
But over time, you will see improvement. Your users will gradually learn to identify increasingly complex and sophisticated phishing lures, and you’ll receive ever-increasing piles of real malicious email samples.
Of course, each time you up the complexity of your simulations, the failure rate will increase… and that’s OK. After all, learning is a gradual process, and security is a marathon, not a sprint.
But what you might not realize is that failure is actually a desirable component of the process. You see, every time a user “fails” one of your simulations, they should immediately be sent to a multimedia training webpage that helps them understand how and why they’ve been tricked, and teaches them how to identify that type of phishing lure in the future.
To illustrate this, imagine you’ve sent out a simulated phish that looks something like this:
You’re looking at a holiday-themed phishing simulation, which I’d expect most untrained users to fall for. In fact, in this case, it fooled a lot of trained users too.
If one of your users were to “fail” this simulation, they should immediately be provided with a multimedia training page to help them to identify and report holiday-themed phishing emails in the future.
Then, later in the month, they should receive a second simulation. This follow-up email should be of the same type as the first, but with different actual content, giving the user a chance to apply their learning. If this follow-up campaign is also failed, the user should be sent to an additional training page.
Over time, you’ll be able to increase the complexity of the simulations you send out. And, over time, this approach will slowly but surely improve the ability of your users to identify and report both simulated and real-world phishing lures.
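As an added example (not code from the original post), here is the bookkeeping behind the flow described above: the “Report Phish” pop-up tells a simulated lure apart from a suspected real phish, and a click on a simulated link records the failure, assigns a training page and queues a same-type follow-up. The X-Sim-Campaign marker header, the training-page paths and the 14-day follow-up interval are assumptions, not standards.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed marker header; substitute whatever your simulation tool stamps
# on outbound lures (an assumption, not a standard header).
SIM_HEADER = "X-Sim-Campaign"
FOLLOW_UP_DAYS = 14  # "later in the month"

@dataclass
class Campaign:
    lure_type: str            # e.g. "holiday-offer"
    sent_on: date
    recipients: set
    reported: set = field(default_factory=set)
    clicked: set = field(default_factory=set)

    def report_rate(self) -> float:
        return len(self.reported) / len(self.recipients)

    def click_rate(self) -> float:
        return len(self.clicked) / len(self.recipients)

class PhishProgram:
    def __init__(self):
        self.campaigns = {}     # campaign id -> Campaign
        self.training_due = {}  # user -> training pages still to complete
        self.follow_ups = []    # (send date, lure_type, user) retests queued
        self.real_reports = []  # (user, subject) queue for the security team
    def launch(self, cid, lure_type, sent_on_iso, users):
        c = Campaign(lure_type, date.fromisoformat(sent_on_iso), set(users))
        self.campaigns[cid] = c
        return c
    def report(self, user, headers):
        """'Report Phish' button handler: returns the pop-up text."""
        cid = headers.get(SIM_HEADER)
        if cid in self.campaigns:
            self.campaigns[cid].reported.add(user)
            return f"Well done: that was simulated lure {cid}."
        self.real_reports.append((user, headers.get("Subject", "")))
        return "Thank you: your report is with the security team."

    def click(self, user, cid):
        """Simulated-link click: record the failure, assign training, queue a retest."""
        c = self.campaigns[cid]
        c.clicked.add(user)
        level = sum(user in x.clicked for x in self.campaigns.values()
                    if x.lure_type == c.lure_type)   # failures of this lure type
        page = f"training/{c.lure_type}/level{level}"  # hypothetical page path
        self.training_due.setdefault(user, []).append(page)
        self.follow_ups.append((c.sent_on + timedelta(days=FOLLOW_UP_DAYS),
                                c.lure_type, user))
        return page
```

Each repeated failure of the same lure type moves the user to the next training level, and the per-campaign rates are what you would chart as the simulations get harder.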
The Security Marathon
In the coming years, healthcare organizations can expect an ever-increasing volume of incoming attacks. And statistically, whether they’re designed to install ransomware, steal credentials, or simply wreak havoc, most of them will begin with phishing attacks.
As you’ve no doubt already realized, the process I’ve described here is not something you do once or twice; it’s a never-ending process of training and testing. Over time, it will fundamentally improve your organization’s ability to identify and respond to incoming attacks… but only if it’s faithfully maintained and enacted.
Of course, no matter how diligent you are, you’ll never be 100 percent impervious to phishing attacks. New employees will join your organization, busy staff will rush through their email inboxes, and mistakes will happen.
But don’t panic. With time, you will drastically reduce the number of security incidents that arise from phishing attacks, freeing up your incident response resources to focus on the small number of critical cases that do arise.
And best of all, if you do implement this type of security training program within your organization, you’ll massively reduce the chances of becoming yet another healthcare data breach headline.