Gone phishin': Mayo Clinic shares tips for fending off attacks
Staff members in the office of information security at the Mayo Clinic do a lot of phishing. Which is not to say that they are loafing out of the office on a boat somewhere. They actually are trying as hard as they can to trick their colleagues throughout the prestigious provider organization into clicking on malicious e-mails – fake malicious e-mails of their own creation. And leaders at the clinic say these educational anti-phishing campaigns are a key to successful cybersecurity.
Anti-phishing cybersecurity efforts must be routine, relevant and consistent, said JoEllen Frain, senior manager in the office of information security at the Mayo Clinic.
“What we’ve learned is if we phish our folks, they will get good for a period of time, but if we do not keep those exercises in front of them, staff will quickly slide back into old behaviors,” Frain said. “Healthcare organizations must make sure these efforts are relevant, giving staff real-life situations that we all are faced with and keeping the efforts consistent over time.”
If a healthcare organization simply does an anti-phishing campaign over one fixed period of time, it will be unsuccessful, added Mark Parkulo, MD, associate dean of clinical practices at the Mayo Clinic.
“You can do that education, but there is so much turnover in your staff and other security issues that arise, so if you do not consistently do the education and continually monitor what is happening, you will not be successful,” Parkulo said.
Learn more at the Privacy & Security Forum in Boston, December 5-7, 2016.
And continually working on the phishing problem is important not just for employees but also for the staff responsible for security, Parkulo said.
“This is because you always are surprised at where security issues come up,” he explained. “Some area you think would have no issues with their e-mail or phishing, suddenly in testing that is where some issues happen. And in those instances, sometimes the people in that area are the ones who can help identify actual problems early on – if there is substantial education. It often is surprising where vulnerabilities are within an institution.”
Frain echoed Parkulo’s observations.
“The industry has to recognize this: Even though we have heard about all of this for years and people are familiar with the terms phishing and cybercrime, we have not done a good job of talking through what cybercrime looks like and means,” Frain said. “And until the industry does that on a personal level, it will not be successful. When you break things down, people ask really good questions, such as what does cybercrime look like, what happens, what are the consequences? And that is when you see a huge shift in how people approach their e-mail, which happens after we conduct these internal phishing campaigns.”
Healthcare organization employees in particular want to do a good job at cybersecurity because they understand what they are defending – the well-being of patients, Frain said.
“Oftentimes end users think technology protects them from more than it really does,” Parkulo added. “‘The institution wouldn’t let these things come through, right?’ When you tell them there is no way to block everything, they become more aware of the importance of monitoring it.”
When it comes to protecting against nefarious phishers overall, Frain said there are three overarching principles: technology, process and people.
“It’s important that you leverage the technology you have and recognize and use it to its fullest capacity,” she said. “There are lots of decisions that can be made in setting up filtering in what you let in or out. In healthcare, that gets much more complex because we are accustomed to working with all sorts of individuals and businesses that other industries do not have to deal with.”
The second principle is understanding business processes. Healthcare organizations must bring transparency to the different groups within the organization and the processes these groups use to exchange information, Frain said.
“We spend a lot of time with our patient care providers and supply chain folks, for example, talking them through what are pitfalls we can fall into when we go outside of our normal business processes,” she explained. “So, for example, providers, push patient communication to the patient portal to exchange that kind of information. And supply chain folks, go to the defined processes and avoid one-off exceptions.”
The second component segues into the third, which is people.
“There is no level of technology that can protect an organization from every motivated attacker,” Frain said. “We have to raise the collective awareness of employees so they take a momentary pause as they go through their e-mails.”