By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Since at least the beginning of the summer, it seems as though no day can go by without another phishing incident being reported by a healthcare entity. The reports are almost always the same too. After some period of time (usually not the same day), unauthorized activity will be found in the email account of one or more employee. A forensic analysis will be conducted that cannot conclusively determine what, if any, patient information or other data were accessed. Out of an abundance of caution though, a breach notification is provided to enable potentially impacted individuals to monitor accounts in the event of suspicious activity, with the entity sometimes covering the cost of such monitoring.
Despite the somewhat tongue in cheek tone being given to the nature of the responses, being overly cautious and providing information about the breaches is a reasonable course of action to pursue. With a recent report revealing that individuals want to know much sooner rather than later, namely within 24 hours, of an issue occurring, it makes sense for organizations to be upfront about disclosing a phishing attack. The difficulty with the notices about the phishing incidents though is the cookie-cutter approach to the reporting of the incident and the almost non-stop occurrence.
Leaving aside the content of a notice, the real issue of concern is how to prevent or reduce the frequency of successful phishing attacks. Getting to the root of that problem requires turning a critical internally at an organization. The first step is education and training of the workforce. The subject of another blog on the Pulse, awareness among employees of security policies is lacking. As such, taking the time to push out information and training on what phishing is, how attacks occur, and what to do to prevent an attack is essential. Training does not need to be lengthy as key facts and tidbits can be conveyed through 5 minute videos or similar media. The step to take is to get the material into the hands of all individuals across an organization. Distributing materials can then transform individuals into active components of a comprehensive security process.
In considering training, what should be included? Real world examples are frequently helpful because understanding how exactly an attack might come about is invaluable. Examples of training can be taking actual phishing emails and pointing out some of the key clues as to why an individual should identify the email as phishing. Elements can include (i) unsolicited messages about an account being compromised; (ii) bad grammar or phrasing that seems slightly off; (iii) spoofing letters by combining others letters to look the same (consider “m” and “rn” which in the right font can look nearly identical); (iv) pushing for action by preying upon an innate desire to helpful; or (v) email addresses or links that claim to be from or to a known place, but actually divert elsewhere if the highlighted link is reviewed. While these elements require an individual to stop and think about what is happening, the step of stopping to think about what to do is important and can be drilled home through education and training.
In addition to education and training, organizations should increase efforts to audit and monitor systems. Auditing and monitoring is admittedly a daunting task though. Enormous amounts of data go through systems all of the time and the pace of data will not slacken anytime soon. However, volume cannot be an excuse for throwing one’s proverbial hands in the air. Instead, it can be viewed as an opportunity to acquire and/or develop new tools to help. Additionally, some level of manual effort can also be utilized to comb through systems and look for suspicious activity. At the end of the day, a sign of victory is finding an issue in as short a period of time as possible and not letting n intruder roam unfettered through systems.
Stopping all phishing attacks is likely impossible, but every organization should set a goal of making the likelihood of success as small as possible. As with so many risks that can result in a breach, it comes down to instilling a security culture focused on awareness and proactivity. Being complacent and thinking that an event will never occur to one’s own organization is a surefire way to be the next victim.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.