Despite hackers' insistence on and persistence in taking healthcare providers down, the situation isn't completely hopeless. "We have layers upon layers of security because one individual layer may fail," said John Houston, vice president of information security and privacy for the Pittsburgh-based UPMC health system. One of those layers is employee training, which, when overlaid on a strong technological defense—antivirus and threat detection software, email gateways, firewalls, restrictions on browsing, two-factor authentication—can help keep providers' data secure.
Right off the bat, it's important for everyone to stop rushing so much.
"We're in a bit of a hurry in this environment," West said. Skepticism when viewing emails and browsing the web can easily fall by the wayside, opening up entire systems to malicious software. Plus, people are using mobile devices, which make suspicious emails harder to spot. So it's necessary for them to take the time to figure out whether those emails are safe.
That can be challenging when hackers are so good at what they do. "When something looks authentic and is socially engineered to have information that appears to be pertinent and relevant, then people are going to click on it and fall for it," West said.
Similar to Children's Health, Intermountain's first line of defense is to filter all email through a third-party inspection and then through a firewall, which blocks emails based on rules. Eighty percent of what comes in from outside the system is blocked. The system also labels all messages from outside the organization with a warning. "Our people are taking it seriously," West said.
Knowing that suspicious emails will get through, however, makes training that much more important. Intermountain, Children's Health and others suss out employees who could put the network at risk by sending fake phishing messages, testing employees' email intelligence. If an employee clicks on the test email, a warning will pop up explaining what they should have done instead. Meanwhile, the system tracks who succeeds and who fails. At Intermountain, security leaders talk about categories of employees who tend to be more and less successful, encouraging those in the latter group to be more vigilant. At Children's Health, employees who identify the most phishing emails get awards.
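Tracking who succeeds and who fails across repeated simulations, as described above, is mostly a matter of aggregating per-campaign results by staff category and by individual. The Python below is an added example, not code from Intermountain, Children's Health or the article; the campaign records and group names are constructed sample data.

```python
"""Aggregate simulated-phishing results across campaigns (added example)."""
from collections import defaultdict

# Constructed sample data: one record per employee per simulated campaign.
# outcome is "reported" (flagged the test email), "ignored", or "clicked".
RESULTS = [
    dict(zip(("campaign", "user", "group", "outcome"), row)) for row in [
        ("2024-Q1", "u001", "nursing", "clicked"),
        ("2024-Q2", "u001", "nursing", "clicked"),
        ("2024-Q1", "u002", "nursing", "reported"),
        ("2024-Q2", "u002", "nursing", "ignored"),
        ("2024-Q1", "u003", "admin", "reported"),
        ("2024-Q2", "u003", "admin", "reported"),
        ("2024-Q1", "u004", "admin", "ignored"),
        ("2024-Q2", "u004", "admin", "clicked"),
        ("2024-Q1", "u005", "it", "reported"),
        ("2024-Q2", "u005", "it", "reported"),
    ]
]


def click_rates_by_group(results):
    """Return {group: clicks / deliveries} so leaders can see which
    categories of staff tend to fall for the test messages."""
    totals, clicks = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r["group"]] += 1
        if r["outcome"] == "clicked":
            clicks[r["group"]] += 1
    return {g: clicks[g] / totals[g] for g in totals}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns:
    the people to coach with extra training, not to penalise."""
    campaigns = defaultdict(set)
    for r in results:
        if r["outcome"] == "clicked":
            campaigns[r["user"]].add(r["campaign"])
    return sorted(u for u, c in campaigns.items() if len(c) >= min_campaigns)


def top_reporters(results, n=3):
    """Users who reported the most test emails, i.e. award candidates,
    as (user, count) pairs ordered by count then user id."""
    counts = defaultdict(int)
    for r in results:
        if r["outcome"] == "reported":
            counts[r["user"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```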
That encouragement—rather than punishment—is important, McMillan said. "It's crazy to put a penalty on it," he said. "Are you really going to start firing nurses because they're clicking on phishing? A better way to address this is where everyone participates and looks at it as a competition." Participation might even extend to employees' families: "Everybody needs to have better internet awareness," McMillan said. "If you're not helping your children become smarter internet users, you're really setting them up for trouble."
Arora at Children's Health agreed, explaining that employee comprehension of the risk is necessary to achieve security across various environments. Measures like two-factor authentication might seem like a nuisance to an employee working from home, for instance—unless the employee understands exactly why that step is necessary.
For this strategy to work, all employees must be invested, Riggi said. "The CEO and the board have to believe in it. Regulatory pressure alone does not create a culture of cybersecurity awareness."
No matter how far the training goes, as with practicing anything, repetition is important, McMillan said. "Organizations that phish-exercise their staff at least four to eight times a year have dramatically better awareness than organizations that don't do it or do it just once or twice a year."
Smaller changes also help, said Sameer Dixit, senior director of security consulting for Spirent Communications. "Pick up every keyboard to see if there's a sticky note with a password attached," he said. "Change the default passwords."