Phishing is one of the most common ways that cybercriminals gain access to the networks of healthcare organizations, and while some sophisticated phishing attacks – spear phishing, for example – can be difficult for employees to identify, there are common indicators of phishing attempts that employees can be trained to look for. These red flags are present in most phishing emails and allow employees to identify phishing emails with relative ease.
The aim should be to train the workforce to look for the common indicators of phishing attempts and report potential phishing emails to their security team if one or more of these red flags is found in an email. The security team will be able to confirm if the email is malicious and if so, can search for and remove any other copies in the email system.
The common indicators of phishing attempts are easy to identify, provided employees know what to look for. These should be covered in security awareness training sessions. The administrative safeguards of the HIPAA Security Rule – § 164.308(a)(5) – call for HIPAA-regulated entities to “implement a security awareness and training program for all members of its workforce.” While the HIPAA text does not specifically state that employees must be trained on how to spot a phishing email, given the extent to which phishing attacks are conducted on healthcare organizations and business associates, phishing is a reasonably anticipated threat to ePHI, so safeguards must be implemented to protect against phishing.
The HHS’ Office for Civil Rights has explained in its cybersecurity newsletters the importance of training employees on how to recognize and avoid phishing threats. How often training is provided should be determined by a risk assessment. The best practice is to provide training at least annually, although more frequent training sessions are recommended due to the increase in phishing attacks targeting healthcare employees. Most vendors have training content that can be delivered in small chunks that fit easily into busy workflows. A little training, provided often, helps to keep security fresh in the mind.
Training should teach the workforce about the common indicators of phishing attempts, security best practices to follow, how to practice good cyber hygiene, and what to do if a threat is encountered. To encourage employees to report threats, consider providing a mail client add-on that allows suspicious emails to be reported to the security team with a single click. Also, consider conducting phishing simulations to assess whether training is being applied by the workforce on a day-to-day basis. Phishing simulations can help the IT security team to gauge how effective training has been, to track how security awareness is improving over time, and to identify the types of phishing emails that are fooling employees. Training can then be adapted to cover those specific threats. If phishing simulations are failed, the individuals concerned can be provided with additional training.
A wide variety of lures are used by cybercriminals and nation-state threat actors to trick healthcare employees into disclosing their credentials or installing malware, and the tactics, techniques, and procedures are constantly changing; however, there are common indicators of phishing attempts, and these red flags are present to some degree in most phishing emails.
For HIPAA Security Rule compliance, provide regular security awareness training to the workforce, issue regular reminders about security threats and the risk of phishing, and teach employees to be constantly on the lookout for the common indicators of phishing attempts. Through regular training, it is possible to develop a security culture and create a human firewall to complement your technical anti-phishing measures.