As an art of cyber subterfuge, phishing keeps getting more crafty. Bad actors continue to create malicious emails that are convincing innocent workers at healthcare and other organizations the messages are authentic. And many workers click on them, starting a stream of problems.

This is why it's up to CISOs and other cybersecurity professionals to train workers how to identify phishing emails and not click on them or download their malware-infested attachments.

Danville, Pennsylvania-based Geisinger has had great success with its anti-phishing training, lowering the click rate on malicious emails by 50%. 

Healthcare IT News interviewed David Stellfox, cybersecurity communications specialist in the information security office at Geisinger, to get the lowdown on how exactly Geisinger achieved its success against phishing.

Q: Before you started your efforts to get staff to better respond to phishing emails, what was the situation like? What was happening with actual phishing emails and test phishing emails? What was your cybersecurity posture like in this area?

A: In 2018 and 2019, we were faced with stubbornly high click rates on test emails in our monthly friendly phishing campaigns, and little reporting of suspected phishing emails. There were pockets of awareness in leadership and management, but by and large, the bulk of employees seemed to think of it as somebody else's problem, if they thought of it at all.

The information security office had committed to hiring a full-time communications specialist to support and market the security awareness program – not only to end users, but to internal program stakeholders such as corporate communications, human resources and executive leadership.

Prior to that, the technical staff were trying valiantly to promote security awareness but simply didn't have the creative skills, the communications skills or, frankly, the time to do it.

A foundational element of success at Geisinger – or anywhere – is a healthy working relationship between communications specialists and the technical specialists. In my own case, I was enthusiastically embraced by the Geisinger ISO technical staff, who were only too happy to have help in promoting security awareness goals.

Q: When you decided to take action, what were your first steps? What did you decide to do to make improvements?

A: Work got underway in a big way in 2019. We re-created our SharePoint site and tripled the number of site visitors in one year. Then, our CISO and I began planning a series of security awareness presentations we would give to any employee group or department meeting we could get into.

Over the course of 2020, we managed to do five of these. We spoke to groups as small as 20 people and as large as 1,500 (spread out over two days and four geographic locations). We started with some highly targeted groups, such as HR and finance/payroll employees, so we could also cover business email compromise and other forms of social engineering.

The presentations themselves were more or less standard training fare. What made them stand out was the personal "color" added by our CISO, whose experience and connections, deep knowledge and colorful stories left an impression on our employees and led to really meaningful engagement in the Q&A sessions.

In other words, it was the personal touch as much as the actual training content that did the trick. Employees were able to engage directly with the CISO, and his willingness to travel around the system to speak to groups of employees directly (and later virtually due to COVID-19) reinforced the message that, "Yes, this matters."

Q: What were your best strategies and tactics that helped change behavior?

A: I would say it in two words: visibility and engagement.

Our success wasn't achieved because of mandatory, computer-based training. We didn't tweak our policies or enforce them differently. There were no threats of disciplinary action involved; no prizes, gimmicks or gamification.

We use many of those standard security awareness features, of course, but what really moved the needle for us was visibility – visibility and engagement.

To measure the effectiveness of the training, we ran friendly phishing campaigns on the groups both before and after the training. When the results showed significant improvement after the training, we then used corporate communication vehicles to publicly congratulate the departments on their improvement.

This gave the department bragging rights, and offered another opportunity to raise awareness generally about the importance of phishing and social engineering. Several months into it, we even had one employee group ask for the training.

We also upped our game in terms of regular, consistent messaging. We did a second major makeover of our SharePoint site in 2020, got corporate communications to promote it and became active on our enterprise social networking service, Yammer.

Many of us discount the use of internal corporate social networks, such as Yammer – and, to be sure, their reach is limited – but there are some employees who are heavy users of it, and it's another tool in the arsenal.

I became convinced of its usefulness when a food service employee emailed me to ask about a suspicious email. He said he was emailing me because he remembered me "from all your Yammer posts."

He didn't follow our normal procedures of calling the service desk or sending an email to our ISO mailbox. He may have forgotten those options, or never committed them to memory, or didn't know where to find them on our corporate intranet. But he did remember me. And because he remembered me, that's one less suspicious email out in the wild.

Employees remember training content better when they can connect it to people – colleagues in the organization who care enough to show up, rather than some distant corporate office simply administering rules, which the employees may or may not see the point of.

Q: You said you lowered your click rate on phishing emails by more than 50%. How did you accomplish this? What really sank in with end users?

A: I think, you know, we made it real for employees. In a nutshell, that's really it. I think we communicated effectively – and as personally as possible in a large corporate setting – that email presents a clear, present and ongoing risk to our organization. Malware could shut us down and put patient safety at risk. It has shut down other hospitals. The same goes for social engineering.

We steered very clear of any type of punitive approach. Our message is, "We're here to help." When people perceive that you mean that, they're much more willing to help you in return. There's a very subtle, but powerful message there that is communicated almost subconsciously, more by actions than by words. This, I think, is really key to enlisting user support. Don't just say you want to help. Help!

For example, Geisinger reaches out not just to employees, but to our patients and members. Last year, we launched a security alerts webpage on our public website where we post information for our health system patients and members about current and ongoing scams. 

We include information about where to find additional resources and how to contact our information security team if the matter relates to Geisinger. So we complete the circle.

As far as our employees go, our click rate on phishing emails is now below the average in our peer group. Will it stay that way? Maybe not, but the lesson I've drawn from the success of our program to date is that there is no substitute for personal visibility and engagement.

Computer-based training, policies, corporate communications – these all have their place, to be sure. They are all necessary, but maybe not sufficient to move beyond a compliance-based culture to one where security awareness becomes routine and visible, and wears a human face.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.