As recently as twelve years ago, security in healthcare was a far cry from what we know today. For many Chief Information Officers, security strategy wasn't a top-of-mind conversation and drilling down to specifics was rare. It certainly wasn’t a priority that reached the boardroom. Security concerns were largely physical and administrative, hinging on paper-based records that could be carelessly exposed.
Healthcare security teams have evolved into dynamic teams charged with staying ahead of today’s threats. This evolution is propelled by highly targeted application development and emerging healthcare technologies. We also responded to the industry-changing Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the fallout from Hurricane Katrina in 2005, a disaster which displaced around 400,000 people and illuminated the inability for patients and providers to exchange health information.
One element of security that remains unchanged is how human behavior can put health information at risk. Today’s biggest threat is social engineering, which relies less on technical skill, and more on the practical understanding of human behavior. It requires interaction with the end user and bets on our inability to detect threats in what looks like an everyday email.
At Piedmont Healthcare, a nonprofit health system made up of six hospitals and a network of community physicians, the top concern is patient safety and experience. So when we decided to launch our own phishing expedition, we hoped to not only identify areas of improvement within our organization, but to illustrate the reality of cyber-attacks as a high-level priority.
Since 2013, thieves stole nearly $750 million from more than 7,000 companies in the U.S. using email scams. And while health systems like Piedmont are vulnerable to financial loss, we’re also at risk of exposing patient information.
To reduce cyber security risk factors, it’s crucial to be proactive in following the National Institute of Standards and Technology (NIST) framework. A significant part of this is providing education and awareness training to employees and other allied staff. Some of our employees still hear the word “hacker” and envision quick-fingered coders staying up all night trying to break into the company system. We set out to show how anyone with a company email address is capable of getting hooked by the social engineering of a phishing scam.
We brought in a third-party security firm to send a group of employees an email that looked like it came from a certified Microsoft partner and IT manager. The email contained a link, which when clicked asked users to enter their personal Piedmont login and password. If it were a real threat, the attacker would have obtained the credentials needed to log in to our system and access sensitive information.
Behind the scenes, the exercise was implemented on a need-to-know basis. When the suspicious email arrived, the layers of defense were activated. Some unknowing security team members alerted others and tried to stop the email from going to employees’ inboxes. Of course we had to let it survive—only then could we see what the behavioral response would be.
The sample of selected recipients represented a range of employees, from C-level to clinical staff, and even some in the IS Department. Of those who received the baited email, 47 clicked on the link and 20 employees gave their unique Piedmont username and password.
As we anticipated, employees of all levels were tricked into clicking on the link and entering their information. Was my team really surprised by the percentage of users that clicked on the link and provided credentials? No, but the data confirmed the need for education and training throughout Piedmont for staff and leaders alike.
A system’s technical integrity is critical to protecting patient health data, but as we invest in infrastructure and technology, we must also invest time and resources to educating the many individuals that make up an organization. Just like technology, human behavior can be predictable, and attackers will expose the vulnerability of even the most intelligent, successful and savvy.
Conducting this phishing exercise allowed us to implement immediate tactical solutions, such as a header notification calling attention to all outside e-mails, and gain more traction with our key stakeholders and decision makers. The exercise illustrated the need for security budgets to keep pace with the increasing variety of threats, and proved the need for ongoing improvement strategies to transcend typical campaign limits, so cyber security becomes part of the Piedmont way of doing business and keeping patients safe. Cyber security is the hot topic of today, but it’s also going to be the topic of the future. So if it’s not being talked about in your organization’s board room, I suggest you break the ice!
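One concrete form of the "outside e-mail" header notification mentioned above, added here as an illustration rather than Piedmont's own code: inbound mail whose sender address is not in the organisation's domains gets a subject tag and a body banner. The domain list, the warning text and the two sample messages are constructed for the example; the decision deliberately ignores the display name, since "IT Manager" next to an outside address is exactly the disguise the exercise used.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed organisation domains; constructed for this example.
INTERNAL_DOMAINS = {"example-health.org"}
SUBJECT_TAG = "[EXTERNAL] "
BODY_WARNING = ("CAUTION: This e-mail originated outside the organisation.\n"
                "Do not follow links or enter your credentials unless you\n"
                "have verified the sender.\n\n")

def is_external(msg: EmailMessage) -> bool:
    """True when the From address is not one of our domains.
    Only the address is inspected: a friendly display name such as
    'IT Manager' is how a phishing mail dresses itself up as internal,
    so the display name must not influence the decision."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS

def tag_external(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message; tag subject and body if external."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(SUBJECT_TAG):  # don't stack tags on reply chains
        if "Subject" in msg:
            msg.replace_header("Subject", SUBJECT_TAG + subject)
        else:
            msg["Subject"] = SUBJECT_TAG + subject
    # Only single-part text bodies are rewritten here; a multipart message
    # would need each text part handled, which is left out for brevity.
    if msg.get_content_type() == "text/plain":
        body = msg.get_content()
        if not body.startswith(BODY_WARNING):
            msg.set_content(BODY_WARNING + body)
    return msg

# Constructed samples: an outside address behind an internal-looking name,
# and a genuinely internal message that must be left untouched.
PHISH = ("From: IT Manager <support@partner-example.net>\r\n"
         "To: staff@example-health.org\r\n"
         "Subject: Your password expires today\r\n\r\n"
         "Please sign in at the link below to keep your account active.\r\n")
INTERNAL = ("From: Alice <alice@example-health.org>\r\n"
            "To: staff@example-health.org\r\n"
            "Subject: Lunch\r\n\r\nPizza at noon.\r\n")
```

In a real deployment the same check belongs at the mail gateway or in a transport rule, and the banner should be paired with the awareness training the article describes, since the tag only helps staff who have been taught what it means.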
Courtney Fisher-Lewis, Associate CIO, Saint Luke’s Health System & Ex-Sr. Director, IS Program Management, Children’s Mercy Hospital
David Chou, SVP & CIO, Harris Health System & Ex-Chief Information & Digital Officer, Children’s Mercy Hospital