Cyberattacks on healthcare organizations have been increasing every year and one of the main ways that cybercriminals and nation-state-sponsored hackers gain access to healthcare networks and sensitive data is through phishing. Phishing can take many forms and involves several different attack vectors, so multiple phishing prevention methods need to be employed to block these attacks.
One of the most important phishing prevention steps is for HIPAA-regulated entities to implement a security awareness training program, which is a requirement for HIPAA Security Rule compliance. HIPAA was written in a time when phishing wasn’t a major problem. When the Security Rule was introduced, attacks were conducted at a tiny fraction of the volume they are today. While phishing training for employees is not specifically mentioned in the HIPAA text, a security awareness program that does not teach employees how to identify phishing attempts would certainly be viewed by regulators as a security training failure.
In order to be effective, security awareness training needs to be provided regularly to the workforce. It is far better to provide a little training often than to wait a year between training sessions. Continuous training has been shown to have a big impact on reducing the susceptibility of the workforce to phishing attacks. In 2022, KnowBe4 conducted a phishing benchmarking study to determine how effective phishing training is at reducing risk. Before training, a benchmark was created using a simulated phishing attack. Across all industry sectors, 32.4% of employees failed the test.
The phishing test was repeated 90 days after training and just 17.6% of employees failed. When the phishing test was repeated after a year of continuous training, the percentage of employees who failed the test was reduced to 5%. When a phishing test is failed, employees are provided with further training to explain how the phishing attempt could have been identified and avoided.
If a HIPAA-regulated entity invests time and resources into providing security awareness training, they will certainly improve resilience to phishing attacks but will not know how effective the training has been if they do not conduct phishing simulation exercises. Phishing simulations are fake phishing emails that are sent to employees to evaluate whether they can identify the emails as being potentially malicious. These emails mirror real-world phishing attacks, but instead of stealing credentials or infecting devices with malware, if the test is failed the user is given immediate intervention training. Through simulated phishing attacks, weak points can be identified and proactively corrected before those vulnerabilities can be exploited in real phishing attacks.
Employee training prepares the workforce for phishing attacks and helps employees develop the skills they need to be able to identify and avoid phishing attempts. Phishing simulations give employees practice at applying their training and they are an important part of the training process. Through training and phishing simulations, healthcare organizations can develop a security culture where employees always consider security. Healthcare organizations also need to take advantage of the many technologies that are available for blocking phishing attempts before they reach employees.
The primary defense against phishing is an email security solution, which is either provided as an on-premises appliance, virtual appliance, software solution, or a cloud-based service. Advanced anti-phishing solutions are capable of blocking spam, phishing, spear phishing, and emails containing malware. Modern solutions incorporate signature-based and behavior-based detection mechanisms for blocking malware, link scanning for identifying malicious hyperlinks, and a range of front-line tests for identifying malicious IP addresses, the common signatures of phishing, and machine learning components are now included that can predict new phishing attempts.
Phishing attacks are becoming more sophisticated and can sometimes evade email security solutions. Additional technologies should therefore be considered such as web filters for blocking access to malicious websites, multi-factor authentication for preventing stolen credentials from being used to access accounts, and endpoint security solutions for analyzing activity on endpoints. When developing a phishing prevention strategy, consider all of these technologies.
A small investment upfront in phishing prevention solutions will likely save a fortune in terms of the attacks these solutions prevent. These solutions, combined with security awareness training and phishing simulations also form part of the recognized security practices that are now considered by the HHS’ Office for Civil Rights when investigating data breaches. OCR will consider these practices for blocking and mitigating phishing attacks when investigating reported data breaches and when making determinations in its enforcement activities.