OCR Tells Organizations to Step Up Phishing Scam Awareness
Employees Still Falling for Email Schemes, Leading to More Breaches
Employees are still falling for phishing scams that are leading to major breaches, including those related to ransomware attacks such as WannaCry, say federal regulators who are urging healthcare entities to step up their workforce training and awareness of email schemes.
In its latest monthly cybersecurity email newsletter, the Department of Health and Human Services notes that a 2017 study by consulting firm KPMG found a 10 percent increase over the past two years in the number of healthcare providers and health plans that have had instances of security-related HIPAA violations or cyberattacks impacting protected health information.
Factors contributing to the spike include an increase in the "interconnectedness" of electronic health records with other systems, including "smart devices" and billing systems, as well as increased use of cloud computing, HHS' Office for Civil Rights notes in the alert.
Phishing, however, is a favorite vehicle of hackers launching attacks that are increasingly resulting in breaches of PHI, OCR says.
"This increase in HIPAA violations includes breaches due to ransomware events, such as WannaCry, and other cyberattacks which could have been prevented by an informed workforce trained to detect and properly respond to them," OCR adds. "Training on data security for workforce members is not only essential for protecting an organization against cyberattacks, it is also required by the HIPAA Security Rule."
Weak Training Practices
Many healthcare entities and business associates have insufficient information security and privacy training, says Rebecca Herold, president of SIMBUS LLC, a privacy and security cloud services firm, and CEO of The Privacy Professor consultancy.
"Most BAs provide the bare minimum training, and often don't address malware, phishing or ransomware in any meaningful way other than to warn that it exists," Herold notes. "There are still too many covered entities, and a large majority of BAs, who are just sending their policies to their workers and are calling that training. And too many vendors are telling them that this qualifies as training. They need to know that telling someone to read a policy is not training."
Kate Borten, president of the privacy and security consulting firm The Marblehead Group, notes that a number of good tools - including phishing attack simulators - are available to help with training. But Borten notes that training isn't enough to foil all cyberattacks involving phishing. "While OCR is right to emphasize workforce training, and many organizations need to beef up their training, phishing risks are not entirely in users' hands," she says. "IT departments should be deploying filters and detection systems."
Even when organizations provide their staff with phishing awareness training, employees often still fall for the scams, for a variety of reasons, Herold notes.
"Not all training is good or effective training," she says. "So, even if employees [are] taking that type of training, they will not have learned the warning signs of phishing messages; they will not know the wide range of phishing tactics."
Also, many organizations provide phishing training to their employees once and then never refresh that training, she notes. "The types of phishing attempts evolve all the time, and new tactics are created on an ongoing basis. So those businesses who gave training one or more years ago will not have covered the tactics of the new types of phishing scams, so employees will not be aware and will fall for them."
And unfortunately, she notes, "some phishing tactics are really clever. So even the most well-trained and savvy employee may fall for the attempt if clever enough."
OCR recommends that organizations' training programs should be "an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them."
OCR says covered entities and business associates should consider:
- How often to train workforce members on security issues, given the risks and threats to their enterprises, and how often to send security updates to their workforce members;
- Using security updates and reminders to quickly communicate new and emerging cybersecurity threats, such as new social engineering ploys, including fake tech support requests and new phishing scams, and malicious software attacks including new ransomware variants;
- What type of training - such as computer-based training, classroom training, monthly newsletters, posters, email alerts - to provide to workforce members on security issues, given the risks and threats to their enterprises;
- How to document that training to workforce members was provided, including dates and types of training, training materials, and evidence of workforce participation.
"Any investigator or auditor will ask for documentation, as required by the HIPAA rules, to ensure compliance with the requirements of the rules," OCR notes.
Also, some experts note that periodic internal phishing tests conducted by the organization or a contractor can assess how prepared employees are for avoiding scams.
But what about sanctioning employees who fall for phishing emails? In some cases, a sanction might be a fair penalty - but not in others, Herold says.
"For those workers who skipped training, who didn't read the reminders, who let others use their computing devices for work and then they caused a successful phishing attempt, or who skipped keeping their systems updated with anti-malware that helps to thwart phishing attempts, some type of sanction may be appropriate," she says.
However, if an employee can show they did everything possible, but still fell for a new type of phishing attack, a sanction would usually not be appropriate, she contends. "There is no such thing as 100 percent security, and there is no such thing as a human who is 100 percent invulnerable to a new or super tricky phishing attack. Any sanctions should only be given if the worker involved was negligent in keeping systems updated, and did not follow anti-phishing procedures and did not attend or ignored training, and didn't read awareness reminders," she says.
Also, if an attack was enabled because of exploiting a system vulnerability or unpatched system, "that is usually not something that should result in a sanction to the employee that was the victim, if they can show they were doing everything reasonable to prevent such an exploit," she adds.
If employees realize they've clicked on a phishing email, they should be trained to alert their security team immediately, Herold notes.
"The information security area should have done some preparation for these events, and should follow their documented phishing response procedures. For ransomware, the organization should have been following a comprehensive backup and disaster recovery plan to ensure they can quickly and successfully restore backups of the systems and data quickly to limit systems and database non-availability to as short of a time as possible."