Phishing Simulation: Lessons learned combatting the most common attack vector in healthcare

Nov. 11, 2021
Healthcare is a prime target for phishing attacks and lessons from the frontlines reveal how community health centers and busy medical practices meet these security challenges

According to a recent HIMSS cybersecurity survey, 70 percent of healthcare organizations experienced a security incident in 2020 and the pace shows no sign of slowing. High-profile hacks on healthcare organizations are in the headlines on a daily basis, and while each attack is different, according to the HIMSS report, one attack vector remains cybercriminals’ method of choice: phishing.

Phishing, of course, refers to attacks in which cybercriminals typically use email messages to impersonate legitimate organizations, or even colleagues within the targeted organization – all in an effort to prompt recipients to share personal information, such as passwords, or to click on a link that delivers malware. It is often used to deliver ransomware, with the organization then forced to pay the hackers not to disseminate or destroy the data in question, or alternatively not to infect core systems and make them inoperable.

The same HIMSS report found that 57 percent of the healthcare organizations surveyed were the target of a phishing attack last year. Phishing remains the most popular method for delivering ransomware and malware for a number of reasons, including not only the relative ease with which attacks can be mounted – usually by email, which is omnipresent in most industries – but also how effective they are.

In the phishing simulations we conduct at Med Tech Solutions (MTS) to train our clients’ employees to recognize and avoid imposters’ attacks, we often see nearly 10 percent of their staff falling victim to our initial phishing simulations. These rates decrease dramatically with training, but the social engineering behind phishing attacks, coupled with hectic work environments and a steady barrage of legitimate email, make them particularly dangerous.

So what do healthcare organizations need to know about phishing simulation programs and what they can do to mitigate phishing attacks? Safeguarding mission-critical data and systems is a multi-faceted effort, but in our experience, all organizations can benefit from a number of practical insights and best practices honed while serving hundreds of healthcare organizations. These include:

  • Small clinics and practices can no longer fly under the radar. In the past, one could argue that small enterprises – among them community health clinics and independent health practices – were at less risk of a cyberattack. The merits of such an argument were questionable then, but today the idea of avoiding attacks by keeping a low profile is folly. Health records are particularly sought-after because of the personal information found within them. In fact, health records are among the most valuable receptacles of personal data sold by cybercriminals. The grim reality is that any organization that processes, uses, or stores medical records is a high-priority target.
  • The risks associated with a phishing attack cannot be overstated. The payment of ransom to recover lost or corrupted data, while devastating, is just the beginning. HIPAA investigations and fines can follow, and phishing attacks often corrupt or take entire systems offline, including those for patient intake, clinical care, and reimbursement. Not only can a practice or clinic be forced to cease operations, or even go out of business, but most importantly clinical care can be disrupted.
  • Consumers are increasingly litigious if their personal information is compromised. In the event that a phishing attack results in a data breach, organizations should expect legal action. This is particularly true in states where consumer data privacy legislation exists. Currently only three states – California, Colorado, and Virginia – have such rules on the books, but similar legislation is being considered in a number of states across the country.
  • Regular phishing simulation programs and unannounced tests put employees at the front line of protection. Practice makes perfect, and combatting phishing attacks is no exception. All healthcare organizations should have a phishing simulation program in place. Remember that the goal of a phishing simulation program is to provide employees with a safe, simulated environment where they can not only learn about the dangers of phishing attacks but also see what those attacks look like “in the wild.”
  • Follow a proven format for your phishing simulation program. Work with a partner that can ensure that the phishing simulation reflects real-world scenarios, and create a baseline by simulating the attacks without telling employees. Then create a communications program prior to rolling out the simulation. This should explain not only how and why the program is part of the company’s overall security efforts, but also why the protection of data is crucial for the organization’s ongoing success and ability to provide care. Schedule the campaigns and then analyze the results – all while aiming for constant improvement. Remember that the key to any phishing simulation program is that it educates employees on the risks at play and helps them identify threats.
  • Create simulated phishing messages that are realistic and unique to your organization. It’s imperative to think like a hacker when creating the email messages that will be shared through your phishing simulation. Phishing works because of its social engineering, so include details unique to your organization that lead people to respond. That might include emails that appear to come from the CEO. For example, one message might compliment an employee for a job well done and share a link to a “gift card.” Another could appear to come from a local restaurant that employees often order from, or perhaps from the company’s health insurance plan. These organization-specific emails can be used in conjunction with simulated messages that are applicable to all businesses, such as communications from parcel shippers, utilities, airlines, etc.
  • Remember that any phishing simulation is just one component of a multi-layered approach to data protection. It’s imperative that all healthcare organizations create a security-minded culture. This includes the encryption of all data and the use of multi-factor authentication when using any of the organization’s devices or when accessing its network. (Note that HIPAA includes many stringent requirements when it comes to encryption and access to data and the networks on which it resides.) Consider a zero-trust approach to network access and work to ensure that employees only have access to the data they need to do their jobs. This is particularly true of network administrators. Only give network administrative privileges to those who truly require them – and have been trained appropriately.
  • Gain visibility over your network. It’s difficult to fight what you can’t see. Deploy network monitoring technology and an endpoint detection and response (EDR) solution to ensure not only that IT is alerted to threats, but also that infected workstations are quickly quarantined or shut down. It’s also crucial to turn on logging. Make sure you are able to track not only what happened, but when it occurred and who facilitated it.
  • Realize you can’t secure your organization alone. Today’s fast-evolving cyber threat landscape, and the equally fast-moving market for the solutions and services needed to combat those threats, is too extensive and dynamic for any one IT department to adequately address. Partner with providers that deliver the security monitoring, forensics, and incident-response capabilities you need. More importantly, formalize these relationships before their services are required.
  • Operate on the assumption that it’s not a question of if you will be hacked, suffer a breach, or be the target of ransomware, but when. Much like guarding a home, putting locks on the front door will not prevent an intruder from breaking a window, but you can make it as difficult as possible to get in and far easier to consider a different target. Most importantly, you can ensure that your organization is prepared to regain business continuity quickly. Make sure you have an effective disaster recovery strategy and program in place, and back up your data often. Today’s cloud-based backup and storage solutions make it possible to take “snapshots” of your entire dataset at frequent intervals easily and cost-effectively. And air-gapped backup systems ensure that the threat doesn’t proliferate as you reset your systems.
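One way to make the "analyze the results" step of the program above repeatable, as an added example that is not MTS's tooling or part of the original article: a small Python script over a constructed simulation log that computes per-campaign failure and report rates (the numbers that should move in opposite directions as training takes hold) and lists users who fell for more than one campaign, so that follow-up training can be targeted rather than blanket.

```python
from collections import defaultdict

# Constructed phishing-simulation log (sample data, not real results): one row per
# user per campaign. "action" is the worst thing the user did with the message:
# ignored, reported, clicked (opened the link), or submitted (entered credentials).
EVENTS = [
    # campaign,  user,  department, action
    ("baseline", "ann", "intake",   "clicked"),
    ("baseline", "bob", "intake",   "submitted"),
    ("baseline", "cat", "billing",  "ignored"),
    ("baseline", "dan", "billing",  "reported"),
    ("baseline", "eve", "clinical", "clicked"),
    ("baseline", "fay", "clinical", "ignored"),
    ("q1",       "ann", "intake",   "reported"),
    ("q1",       "bob", "intake",   "clicked"),
    ("q1",       "cat", "billing",  "reported"),
    ("q1",       "dan", "billing",  "reported"),
    ("q1",       "eve", "clinical", "ignored"),
    ("q1",       "fay", "clinical", "ignored"),
]

# Both clicking and submitting count as a failure; reporting is the desired outcome.
FAILED = {"clicked", "submitted"}


def campaign_metrics(events):
    """Per-campaign failure and report rates as percentages (one decimal place)."""
    totals = defaultdict(lambda: {"users": 0, "failed": 0, "reported": 0})
    for campaign, _user, _dept, action in events:
        t = totals[campaign]
        t["users"] += 1
        t["failed"] += action in FAILED
        t["reported"] += action == "reported"
    return {
        c: {"failure_rate": round(100 * t["failed"] / t["users"], 1),
            "report_rate": round(100 * t["reported"] / t["users"], 1)}
        for c, t in totals.items()
    }


def repeat_clickers(events, min_campaigns=2):
    """Users who failed in at least min_campaigns campaigns: candidates for targeted training."""
    failures = defaultdict(set)
    for campaign, user, _dept, action in events:
        if action in FAILED:
            failures[user].add(campaign)
    return sorted(u for u, cs in failures.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    for campaign, m in campaign_metrics(EVENTS).items():
        print(f"{campaign}: failed {m['failure_rate']}%  reported {m['report_rate']}%")
    print("repeat clickers:", repeat_clickers(EVENTS))
```

The report rate matters as much as the failure rate: a campaign where nobody clicks but nobody reports either gives the security team no early warning when a real message arrives.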

By keeping these insights and points in mind, healthcare organizations can deploy an effective phishing simulation program that transforms employees into a powerful and crucial first line of defense against cybercrime. Just as importantly, these same employees can foster a strong security-minded corporate culture that appreciates the importance of protecting the data and patient information that is the lifeblood of all healthcare organizations. As we tell the hundreds of clinics and practices that rely on MTS nationwide, no organization is safe from cyberattacks, but you can put in place the procedures, protocols and processes needed to mitigate the risk.

About the author: Mona Abutaleb is the CEO of Med Tech Solutions (MTS). MTS serves thousands of healthcare practices nationwide with infrastructure, services, and solutions.