Experts weigh in on fixing problems before the start, plus the idea of phishing simulations
In our last installment, we discussed risk management and analysis with two experts from Kaufman Rossin—Kevin Fine, MHA, Kaufman Rossin’s director of healthcare advisory services, and Rob Valdez, CPA, CISA, CISM.
In addition to his work with Kaufman Rossin, Valdez is also the president of ISACA South Florida, an organization with over 1,000 members. ISACA serves as a leading global provider of knowledge and certifications on information systems assurance and security.
Fine’s quote best summarizes our last installment. “We can absolutely put in the controls, the processes, to prove how much we’re looking at (the company’s) risks and assessing their actions,” he explained. “It’s the organizations who hit a breach or a bump in the road and do nothing that incur the greatest financial consequences. You need to be proactive rather than reactive—once we’re called in on a reactive situation, there’s going to be a financial consequence.”
Asked for an anecdotal tale of a proactive measure, Valdez didn’t hesitate. “There are plenty of these scenarios, but among the many different options, one that stands out is our phishing simulations.”
Hospitals and healthcare providers are under constant threat from ransomware, malicious software that encrypts or locks up your files and demands a payment, the ransom, to get them back.
“Hospitals are dealing with life-and-death situations,” Valdez continued. “So we try especially hard to protect them against these types of scenarios.”
How? Valdez and his team will come into the hospital and send a ‘phishing simulation.’ By definition, phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. In layman’s terms, it’s hackers and thieves disguising themselves as professionals to trick unsuspecting employees.
To perform a simulation, Valdez and his team send an email to all the employees of a particular hospital with certain characteristics that they hope the employees will recognize as being consistent with the anti-phishing training they’ve received. The hope is that, at worst, the employee ignores the email, and ideally deletes it immediately without opening it.
Of course, nothing is foolproof, and there have certainly been instances of employees taking the bait (pun intended). What happens in that scenario?
“We watch and see who clicks on it,” Valdez explained, “and any employee who does so is immediately redirected to a training that pops up directly on their screen. It’s a brief, three-minute training session. We report all that information back to management, and over time, maybe quarterly, we come back to evaluate and see whether we can drive up those performance metrics and ensure that employees are becoming more secure.”
Valdez emphasized that the entire program is reinforced by a security awareness training program on the hospital’s end. They perform this service for numerous hospitals, and upon each quarterly review, Valdez says he regularly sees significant improvement. “Sometimes, it’s most dramatic between the first and second simulation,” he explained. “But certainly over time, we see proof that this type of activity is helping to prevent what would otherwise be a disastrous incident.”
Is there a ‘magic number,’ so to speak, of employees who are aware of what to look for? Obviously, just one employee clicking on a phishing email can lead to catastrophe, but say 50 percent of employees are drawn in by Valdez’s initial simulation. Is that an organization whose problems are too big to handle?
“Prior to any simulations, we perform an interview with the hospital’s security team to gain an understanding of where they think they are. From that, we try to set an expectation on our end as to how high (a clickthrough rate) is going to be, pursuant to a few questions we’ve asked the security team and compliance people,” he said.
For organizations doing very little to educate employees and watch for ransomware, initial click rates can often be in excess of 20 percent, sometimes rising as high as 40-50 percent.
For those organizations with some level of compliance program, the hope is to see a click rate no higher than 10 percent. “As the organizations mature, ideally we want them below a 5 percent click rate,” Valdez revealed. “It’s not necessarily a realistic or healthy goal to go to someone and say we can shoot for perfection. Instead, we’re tracking the information and remediating those employees who are having those problems.”
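The reporting side of the program described above, as an added example that is not Kaufman Rossin’s own tooling: it takes a constructed log of simulation outcomes (the quarter, an employee id and whether the email was ignored, deleted or clicked, a format assumed here), computes the click rate per quarterly round, maps it onto the maturity bands quoted in the article, and lists the employees who clicked in more than one round as the ones to remediate.

```python
from collections import defaultdict

# Constructed sample log, one record per simulated email sent.
# Fields: quarter, employee id, outcome ("ignored", "deleted", "clicked").
# Assumption: a simplified event format, not any real vendor's report.
SAMPLE_RESULTS = [
    ("Q1", "e01", "clicked"), ("Q1", "e02", "clicked"), ("Q1", "e03", "ignored"),
    ("Q1", "e04", "deleted"), ("Q1", "e05", "clicked"), ("Q1", "e06", "ignored"),
    ("Q1", "e07", "clicked"), ("Q1", "e08", "deleted"), ("Q1", "e09", "clicked"),
    ("Q1", "e10", "ignored"),
    ("Q2", "e01", "clicked"), ("Q2", "e02", "deleted"), ("Q2", "e03", "ignored"),
    ("Q2", "e04", "deleted"), ("Q2", "e05", "ignored"), ("Q2", "e06", "ignored"),
    ("Q2", "e07", "clicked"), ("Q2", "e08", "deleted"), ("Q2", "e09", "ignored"),
    ("Q2", "e10", "ignored"),
]


def click_rates(results):
    """Return {quarter: click rate in percent} over every email sent that quarter."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for quarter, _employee, outcome in results:
        sent[quarter] += 1
        if outcome == "clicked":
            clicked[quarter] += 1
    return {q: 100.0 * clicked[q] / sent[q] for q in sent}


def maturity_band(rate_pct):
    """Map a click rate onto the thresholds the article quotes."""
    if rate_pct < 5:
        return "mature (below 5%)"
    if rate_pct <= 10:
        return "within the 10% target for an organization with a compliance program"
    if rate_pct <= 20:
        return "above the 10% target"
    return "little or no awareness program (above 20%)"


def repeat_clickers(results, min_rounds=2):
    """Employees who clicked in at least min_rounds separate simulations: remediation targets."""
    rounds = defaultdict(set)
    for quarter, employee, outcome in results:
        if outcome == "clicked":
            rounds[employee].add(quarter)
    return sorted(e for e, qs in rounds.items() if len(qs) >= min_rounds)


if __name__ == "__main__":
    for quarter, rate in sorted(click_rates(SAMPLE_RESULTS).items()):
        print(f"{quarter}: {rate:.1f}% clicked, {maturity_band(rate)}")
    print("remediate:", repeat_clickers(SAMPLE_RESULTS))
```

On the sample data the rate drops from 50% in Q1 to 20% in Q2, the kind of first-to-second-round improvement Valdez describes, while e01 and e07 show up as repeat clickers.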
Due to the sophistication of these phishing emails and availability of ransomware, risk has never been higher than it is in today’s healthcare environment. The fast pace of mergers and acquisitions and the resulting consolidations have pushed the bar to a new level in the past few years. Making simulations as realistic as possible is one way to keep employees ahead of a changing environment.
Kevin Fine and Rob Valdez work for Kaufman Rossin, one of the largest CPA and advisory firms, which provides accounting, tax and consulting services to businesses, attorneys, bankers, and individuals. Check back for periodic contributions from Kevin and Rob on their various areas of expertise.