The Texas Hospital Association has helped one of its participants achieve a 70 percent improvement in anti-phishing techniques and worked with another more sophisticated provider to help pinpoint unknown weaknesses, according to THA chief digital officer Fernando Martinez.
THA runs a cybersecurity awareness program to help members strengthen their anti-phishing efforts.
“The program is designed to go to organizations that have not developed a plan for building a culture of cybersecurity,” Martinez said. “Healthcare has been focused on compliance for a long time, but it’s not there for cybersecurity preparedness. So the program is built around launching a series of phishing e-mails at an organization.”
Martinez pointed to two recent success stories without naming the specific organizations for privacy reasons.
Big phishing vulnerabilities in healthcare
One member hospital had a very high click rate on the first round of phishing e-mails, so THA called the CEO to report that it had uncovered a big vulnerability.
“We then coached them about adding a banner to e-mails from external sources, encouraged them to send some additional campaigns messaging other information alerting them to this problem, gave them training materials for existing employees and added those to new employee orientation programs,” Martinez said. “In these types of cases, the problem gives us a chance to quickly intervene and hopefully avoid a crisis in the future.”
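The first control Martinez mentions, a banner on mail from outside the organization, is simple enough to show end to end. The following is an added example and not THA's program or any vendor's gateway code; it assumes the hospital's own sending domains are listed in `ORG_DOMAINS` (a constructed placeholder), uses a constructed `X-External-Sender` header name, and takes each inbound message as RFC 5322 text, the way a gateway hook or milter would hand it over.

```python
"""Mark mail from outside the organization with an [EXTERNAL] banner.

Added example, not THA's or any vendor's code. It assumes the hospital's own
sending domains are listed in ORG_DOMAINS (a constructed placeholder) and
that the gateway hands each inbound message over as RFC 5322 text.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholder: the domains the organization sends mail from.
ORG_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}

SUBJECT_TAG = "[EXTERNAL]"
BANNER = ("[EXTERNAL] This message came from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")
MARK_HEADER = "X-External-Sender"   # constructed header name for client rules and reporting


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From: address; '' if it cannot be parsed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_external(msg: EmailMessage) -> bool:
    """A message is external unless its From: domain is one of ours.
    An unparseable From: is treated as external, which is the safe default."""
    return sender_domain(msg) not in ORG_DOMAINS


def tag_message(raw: str) -> EmailMessage:
    """Parse a raw message; if it is external, tag subject, header and text body."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    # Subject tag, applied only once so replies and forwards do not stack tags.
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".rstrip()
    # Machine-readable mark so mail-client rules can highlight the message
    # and so the number of externals reaching staff can be counted.
    if MARK_HEADER not in msg:
        msg[MARK_HEADER] = "yes"
    # Prepend the banner to the first text/plain part.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and not body.get_content().startswith(BANNER):
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


# Constructed sample messages.
INTERNAL_MAIL = (
    "From: Nurse Manager <manager@example-hospital.org>\r\n"
    "To: staff@example-hospital.org\r\n"
    "Subject: Shift schedule\r\n"
    "\r\n"
    "The new schedule is on the intranet.\r\n"
)
EXTERNAL_MAIL = (
    "From: Accounts <billing@partner.example.net>\r\n"
    "To: staff@example-hospital.org\r\n"
    "Subject: Invoice attached\r\n"
    "\r\n"
    "Please find the invoice for last month attached.\r\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, EXTERNAL_MAIL):
        print(tag_message(raw).as_string())
        print("-" * 60)
```

Two design points are worth noting. A production gateway decides "external" from the direction of the connection rather than from the From: header, because that header is under the sender's control; the domain check here only illustrates the classification. The subject tag and the marker header are kept separate from the body banner so that mail-client rules and help-desk reporting can key on the header while staff see the banner text.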
The second phishing e-mail was sent a month later to gauge whether the organization had improved after the intervention.
“We track things like click rates and reports to the help desk,” Martinez said. “In this case it proved to be effective. Their results were very positive: a 70 percent improvement in the click rate. This instant intervention helped that organization become better prepared.”
Not as safe as they thought
THA conducted its initial examination at a second hospital to determine the level of preparedness. After finding a moderate degree of cybersecurity maturity, THA sent what Martinez described as a somewhat sophisticated phishing e-mail.
“They only had an 8 percent click rate, which to me meant they had a good level of maturity,” Martinez said.
THA circled back and told the hospital it performed pretty well. It turned out the hospital already had some cybersecurity training prior to the test and felt the association’s anti-phishing work corroborated that it was in good shape.
“But I said no, the test results might be giving you a false sense of security,” Martinez said. “We had the hospital at a medium level of maturity and if we had directed a more sophisticated e-mail at it, it might not have done as well.”
So THA did just that in a second wave of phishing e-mails, and the hospital’s click rate hopped up into the 20 percent range, which Martinez said “was a humbling moment for them.”
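The two metrics Martinez tracks, click rate and reports to the help desk, and the comparison between waves that produced the "70 percent improvement" and "false sense of security" findings above, can be scored from a campaign event log. The following is an added example, not THA's tooling; the event log is constructed, with its counts chosen to mirror the figures quoted in the article rather than taken from any real campaign, and the campaign names, tier labels and event names are assumptions.

```python
"""Score phishing-simulation waves: click rate, report rate, and the change
between waves, broken out by template sophistication.

Added example, not THA's program or tooling. The event log is constructed;
its numbers mirror the figures quoted in the article and come from no real
campaign.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str   # constructed name, e.g. "A-wave1"
    tier: str       # "basic" or "sophisticated" template
    user: str
    action: str     # "delivered", "clicked" or "reported"


def synth_wave(campaign, tier, delivered, clicked, reported):
    """Constructed events: every user gets 'delivered'; the first `clicked`
    users click the link, the next `reported` users report it to the help desk."""
    evs = []
    for i in range(delivered):
        u = f"user{i:03d}"
        evs.append(Event(campaign, tier, u, "delivered"))
        if i < clicked:
            evs.append(Event(campaign, tier, u, "clicked"))
        elif i < clicked + reported:
            evs.append(Event(campaign, tier, u, "reported"))
    return evs


# Hospital A: 50% click rate on the first basic wave, 15% a month later
# (a 70 percent relative improvement). Hospital B: 8% on a basic template,
# 20% once the template became more sophisticated.
EVENTS = (
    synth_wave("A-wave1", "basic", 20, clicked=10, reported=1)
    + synth_wave("A-wave2", "basic", 20, clicked=3, reported=6)
    + synth_wave("B-wave1", "basic", 25, clicked=2, reported=8)
    + synth_wave("B-wave2", "sophisticated", 25, clicked=5, reported=3)
)


def score(events):
    """Per-campaign rates. Each user counts at most once per action, so a
    user who clicks twice does not inflate the click rate."""
    users = defaultdict(lambda: defaultdict(set))
    tiers = {}
    for e in events:
        users[e.campaign][e.action].add(e.user)
        tiers[e.campaign] = e.tier
    out = {}
    for c, acts in users.items():
        n = len(acts["delivered"])
        out[c] = {
            "tier": tiers[c],
            "delivered": n,
            "click_rate": len(acts["clicked"]) / n if n else 0.0,
            "report_rate": len(acts["reported"]) / n if n else 0.0,
        }
    return out


def relative_change(before, after):
    """Improvement in click rate as the article states it: 0.70 means the
    rate fell by 70 percent of its starting value; negative means it rose."""
    if before == 0:
        return 0.0
    return (before - after) / before


def compare(scores, first, second):
    """Return (improvement, comparable). The improvement figure is only a
    like-for-like measure when both waves used the same template tier."""
    a, b = scores[first], scores[second]
    return relative_change(a["click_rate"], b["click_rate"]), a["tier"] == b["tier"]


if __name__ == "__main__":
    s = score(EVENTS)
    for c in sorted(s):
        r = s[c]
        print(f"{c:8} {r['tier']:14} click {r['click_rate']:5.1%}  reported {r['report_rate']:5.1%}")
    for pair in (("A-wave1", "A-wave2"), ("B-wave1", "B-wave2")):
        imp, same = compare(s, *pair)
        note = "" if same else "  (different template tier: not a like-for-like comparison)"
        print(f"{pair[0]} -> {pair[1]}: improvement {imp:+.0%}{note}")
```

Reporting the template tier next to every rate is the point of the example: an 8 percent click rate against a basic lure and a 20 percent rate against a sophisticated one are two different measurements, not a regression, and a program that only trends the headline click rate will read the first as proof of readiness. The report rate is worth tracking alongside it, since a rising share of staff who forward the lure to the help desk is the earliest sign that the awareness work is taking hold.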
The hospital thought it was safe based on the training program it had done, but Martinez said many corporate cybersecurity training programs can become very static rather than dynamically keeping pace with evolving threats out in the wild.
“It was a real eye-opener for them,” Martinez said. “We helped them bolster their programs and add more sophistication.”
Martinez will discuss privacy and security issues at the HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2017, in San Francisco, during a session entitled “Human Security: A Tested and Proven Approach to Defeating Phishing Attacks.”