This Week Health

Don't forget to subscribe!

June 11, 2021: Healthcare executives have to worry about so many aspects of running a business. Caring for patients and caring for the community, not to mention cybersecurity. Phishing is one of the number one ways health systems get exposed. Today Geisinger shares their program of success in lowering the click rate on phishing emails. Joining us is David Stellfox, Cybersecurity Communication Specialist and Joshua Murray, Cyber Threat Response Team Lead. What kinds of tools are utilized in the program? Can the tools be ratcheted up to simulate the growing sophistication of these attacks? How do you get the backing of senior leaders? Can we ever get to 0%? Is that an attainable goal? And what is Geisinger’s guidance for other health systems looking to kick off a similar program?

Key Points:

  • Geisnger were able to reduce the occurrences of successful phishing amongst their staff by upwards of 50%. [00:09:40
  • Much like the pandemic was for hand-washing, social distancing and good hygiene is now to the growing seriousness of cybersecurity with people waiting in gas lines [00:11:25
  • In the last two years people have become more aware of the potential for cyber attacks and their implications [00:12:05
  • Geisinger
Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Thanks for joining us on this week in Health IT Influence. My name is Bill Russell, former Healthcare CIO for 16 hospital system and creator of this week in Health. IT a channel dedicated to keeping health IT staff current and engaged. We have two excellent guests with us today. We have cybersecurity communication specialist.

For Geiser David, and we have Cyber Threat Response Team Lead at Geiser, Joshua Murray. Special thanks to our Influence show sponsors Sirius Healthcare and Health lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you wanna be a part of our mission, you can become a show sponsor as well.

The first step. Is to send an email to partner at this week in health it.com. I wanna take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally, bill j Russell on LinkedIn. I engage almost every day in a conversation with the community around some health IT topic.

You can also follow the show. At, uh, this week in health it on LinkedIn. You can follow us on Twitter, bill Russell, HIT. You can follow the show this week in, in HIT on Twitter as well. We've got a lot of different things going on and each one of those. Those channels has different content that's coming out through it.

We don't do the same thing across all of our channels. We don't blanket posts, we don't just, you know, schedule a whole bunch of stuff and it goes out there. We're actually pretty active in, uh, trying to really take a conversation. I. In a direction that's appropriate for those specific channels. So we spend a lot of time on this.

We really want to engage with you guys through this. We are trying to build a, a more broad community, so invite your friends in to follow us as well. We want to, to make this a dynamic conversation between us so that we can move and advance healthcare forward and now onto today's show. Today we're gonna talk about phishing, and we're specifically gonna focus in on phishing around cybersecurity.

And we have two excellent guests with us today. We have cybersecurity communication specialist for Geiser, David Steal Fox, and we have Cyber Threat Response Team Lead at Geiser, Joshua Murray. Good afternoon, gentlemen. Welcome to the show. Good afternoon. Thank you. I'm looking forward to this conversation.

Phishing is still one of the number one ways that. Health systems get exposed, and number one ways for nefarious actors. I like using that term, nefarious tend to attack health systems, and Geisinger's had some success on lowering the click rate on phishing emails. And, uh, I, I really want to go into that a little bit with you guys.

Before we do that, David, do you want to try to frame the problem of phishing for health systems today? Sure. I mean, I think most people are aware that it's a problem for all of us. I mean, LA last, uh, September, I think it was, there was a report outta Germany that we had the first death that was caused by a cyber attack of a patient.

I. I think that was subsequently determined that it wasn't necessarily the case that the woman was in very poor health and probably would've died anyway, despite the fact that she had to be diverted to another hospital. But I mean, that's sort of the extreme end of the stick there. What we're facing, I mean, right now also out at Scripps Health in California, they're suffering from a ransomware attack.

They lost their EHR, they had to divert some critical care patients. So, I mean, this is the kind of thing that we're facing. And I would just add it, it's also more of a, a multi, you know, pronged attack too, right? I mean, phishing, you know, leads to data breaches, but just that David talked about it also leads to malware and stuff like that.

So, you know, it's phishing leads to one thing. It, it kind of opens the door for all the attackers to kind of do what they want, or, or all the above. We've seen the ransomware attacks that were caused by phishing that not only did they put ransomware on the device, but then they also exfiltrated data.

Held that for ransom and or sold that to other actors. Also, at this point, I, I was gonna ask you, what does it take to get the mindshare among exec executives, but if they're familiar with what's going on at Scripps University of Vermont last year, upstate New York, there was one in Oregon where the, the system's lost.

I mean, the EHR was down, it was multiple days, if not weeks of outages and whatnot. This really has mindshare today, right? Or is it still, is it still an uphill battle to get mindshare within the, the health system? Yeah. I think it is still a bit of a battle, only because the executives have so many. Other issues on their plate, other things to worry about.

They're constantly being pulled one way or another and putting out fires here and there. So, so yeah. I think some of these stories do help in terms of awareness with the exec at the executive level, but I still think something that you need to push with, um, from time to time to keep them. Aware to maintain their awareness.

How do you get the mind share? I mean, clearly a, a healthcare executive has to worry about, so, so many aspects of, uh, running the business, caring for the patient's, community growth, those kinds of things. But this is obviously one of many. How do you go about getting the mind share of the executives? There are several ways.

I mean, I think our, for example, our ciso, Steve Dunkle and, and our Chief Assurance Officer, Kevin Reus, they are a conduit to the board, to the executive senior leaders. And so we kind of use them to get things up to the board level, but. I think really we kind of take kind of a bottom up approach. So we started our program, I mean, we had a program before, but can I talk about, since I've been here since 2019?

We started and we recreated our SharePoint page. We, we built that up. We got a lot of visibility there, and it's about building up the program from the bottom and then eventually it gets up to the folks at the top. Another thing that we do, for example, is we publish a two page bulletin. It's a one one sheet piece of paper, double-sided, a four specifically for executives, and we do that quarterly and we made a conscious decision to

Kind of go old school with that. We don't deliver it by email. We deliver it in paper, paper copy in inter-office mail address to them. And that was kind of intentional. 'cause it's so easy to ignore emails and delete emails. , that's, I mean, that's along the lines of when, when I get a handwritten note from somebody, I actually take notice versus literally the so conscious plan around getting in front people.

How do respond, Hey. Conduit to a lot of other attacks against our health system. How do they respond? I mean, because one of the age old problems we had when I was CIO was just it. It was ease of use versus security and you'd get a lot of pushback of, Hey, it takes me too long to log in. It's. There's too many steps, there's too many of that kinda stuff.

I mean, how do you balance that? Yeah, I mean, that's definitely still a problem. It probably will always be the balance between convenience and security. I, I think though, that people have moved along, uh, on that moved down the road on that ways. That people are rec. I think it was imbalanced towards convenience in the past, and I think it's coming much more into balance.

It's not overbalanced I don't think, to security, but it's becoming much more imbalanced as people recognize. And one of the things Geer has been trying to do, especially in the past two years, unfortunately, that coincided with Covid and the other priorities. But we've been holding a lot of tabletop exercises where we invite both you the executives and you know, the managers of the clinical departments.

And we walked through when we just did one couple weeks ago with fema, when we walked through a phishing exercise that led into a ransomware. That type of thing. And, and what that did was that allowed, you know, the exec, everyone to see it from kind of the start to finish, not just, Hey, my computer's down, what's going on?

So the, with that, we get a little bit more awareness of showing them the whole process and, you know, what happens here and why, you know, one click on an email could. Bring down the whole thing and start diversion patients and all that type of items. Yeah. So Josh, you have a, a cool title Cyber Threat Response Team Lead.

What, what is the Cyber Threat Response Team? Our team here at Geisinger, we're basically kind of a, a threat team, which means we monitor the news and all the sources for any type of threats and act on those threats specifically to healthcare, but others. Then our team is also tasked with a response if those threat realize or responding to, you know, those threat insights.

So, you know, we gather the intelligence, we review it, determine what's applicable to us or what we need to do from that. But also on the flip end, if something goes bump in the night or something, actually realizes that our team's also the one to respond. So that, that's really neat because we kind of see the intel from the whole life cycle, from when we get it to when we respond.

So there's no, a lot, a lot of other places have that disconnect. There's a threat team and a response team. And I think there's some communication gaps that always exist between the two. But with our team, we're able to fully consume the information. Plus if we need to, we can also act on that. So is that team separated from the operations team?

The team that's, uh, implementing monitoring and all that other stuff. And then the threat response team is literally focused in on threats to the health system. Correct. Yeah. So our, our team does do just the threats and then the response. So we do an operations group that helps us or helps Geisinger actually install and, you know, do the configurations behind the scene.

And then the analyst on, or my team, we actually have eyes on the glass looking at the intelligence and the responding to the any alerts. Wow. So talk to me, by the way. I love that. I love that distinction between operations and, and threat response. So you guys were able to reduce the occurrences or the successful phishing amongst your staff by, uh, upwards of, of 50%.

How were you able to do that? Is it a repeatable program that you think other health systems at this point could implement? Yeah, that's a good question. And also how long it will last and can we continue it. Those are questions yet to be answered, but as far as what we did already, I. I think we built up a program where we became very, very visible to the employees with the help of corporate communications, of course, and others in the organization.

And then we went out and gave presentations to departments within the organization. I mean in person before Covid and then after Covid Virtual. But they were kind of like, they weren't, we call them training, but they were really conversations, discussions. And I was really impressed with. How engaged the employees became during those discussions.

They weren't just sitting there passively listening. They were asking questions and making comments, and I think that was a huge, huge help to how we managed to lower our phishing click rate. Yeah, I, I think just to add to that, I, I think kind of David mentioned was we kind of partnered with them. We didn't walk in with our badges and try to be the policeman, right?

You know, we sit down with them and like, here, let's just have a conversation about it. We're on your side. You know, if you click an email, a phishing email, here's what you do. You're not gonna get fired. We're not gonna come down and do anything like that. It was just more of that, that candid thing where we partner with the employees and just made sure that we're here to help.

We all have one goal in mind, and this is how we're gonna accomplish that. This pipeline thing is, is really interesting as it's going on right now because mu much like the pandemic was for handwashing and social distancing and wearing mask and those kind of things, just people recognizing good hygiene and how it helps people to stay healthy.

I think some of these things like weight and gas lines and, and, and that kind of thing is, is sort of a reminder that, hey, this is getting serious. And this could really impact things. And so it really is making it top of mind for the entire staff. It's probably a more receptive audience today than even it was when you started taking off this program.

I would think. I think I would agree with that. Yeah. In the last two years with all the incidents that there have been, I think people in general are more aware of the potential for. These kinds of attacks and the potential implications of these kinds of attacks. So yeah, I would agree with that. So talk about how are the, I, I guess, Joshua, this is for you.

How are the threats becoming more sophisticated? I mean, it, it's interesting, no matter how sophisticated the threats are becoming, it seems to me like the, the way in is, is still easiest through an email where somebody's gonna give you their credentials, right? So, so, um, as you can imagine, the evolution over a couple years.

The first phishing emails were very generic. You know, Hey, you want a gift card? Click here, you know, and, and sign in. Nowadays we're seeing a lot more targeted tax. They're using Geiser logo, they're using current events in the media of Covid. You know, we saw an explosion not necessarily towards Geiser, but just in, in, in the email industry and all the other hospitals in a whole of Covid related text.

Like, Hey, here's a shot appointment. You know, please sign up and do stuff like that. So I, I think they're really trying to a kind of pinpoint Geisinger or, you know, whoever they're trying to target, using those type of things. And. Again, the, the current events are the most ways to do that, right? Again, COVID, anything else is going on.

They could put the urgency behind it, you know, they could say, urgent, we need this tomorrow. And, and that's what they try to use to trick the users to give that up. So a lot of times with the, the more advanced stuff like that, we're seeing a little bit more customization and the attackers taking a little bit more time to kind of understand what their target is and what the best way to approach it is.

Is there a set of tools you're using around this, a set of technology tools? Yeah. Yeah. So we do, we do use some Microsoft product and some other project, our products to kind of help us do that. One thing I really like about our team at Geisinger is we still have a, a pretty good eyes on glass thing. Um, when they send in emails.

We do have some processes that do that, but ultimately we look at those and that allows us to have a chance to give immediate feedback to the users. Right. And we have other industries like, Hey, I sent in a phishing email and, and that's the last thing I heard. With us. We try to respond to emails as quickly as possible.

We'll let them know this is, yes, this is a phishing email and you know, these were the signs and good job, right? And, and on the flip side, we can all say, Nope, this was not a phishing, this is legitimate. You can click the link, you can visit, you open the attachment like that. So I, I think that's another thing in the overall phishing program is just the immediate feedback because people kind of, it, it's there from, and they remember it right away.

Versus, oh yeah, here's this email I sent in two weeks ago, and they said it was good. So it's kind of like, you know, and we can provide a media education, or this is phishing or this isn't. I totally agree with that. I second that. I mean, Josh's team is very fast in responding when employees send in suspicious emails and they're always, I mean, the, the whole team has a kind of a customer focus.

Approach and we can get back to people as soon as possible, as fully as possible, as clearly as possible. And even, for example, with the people who click on the, uh, friendly phishing campaigns, I personally respond to every single one of them within two weeks of, of the, of them clicking. I mean, when they click, they get a, you know, a video pops up and explains what's happened and everything.

But I follow up with each one of them after that. So I think that helps a lot too. There other ways? Is there like other ways to reinforce the behavior? Is there a gamification?

Reinforce, reinforce it. That way you're not just waiting for an attack to happen to reinforce it. What are some of the ways you're reinforcing the, the behavior of, of the staff? Well, we, we don't do a lot of gamification. We have done some, and we were doing more before Covid than when Covid struck. It kind of.

Upset everything because everyone started working from home and people weren't in the offices and things like that. So I'm personally not a huge, huge fan of gamification. I think that the people who tend to volunteer for that sort of thing are the people that don't need the education. So, yeah, I don't know, Josh.

Yeah, I would just add on that, and especially in the healthcare world, I mean all, all the nurses, they don't normally set out a computer, read their email and stuff like that. So a, a lot of stuff we do is kind of on demand or we draw them into the SharePoint site. David does a fantastic job of publishing articles that are relevant to both the Geiser and industry as a whole, and we relate that to the employees personal life.

So. Anytime there's any type of scam or, or breach, we, we kind of break in like, this is how it affects Geisinger. But then we also add that personal element is like, yeah, know, maybe you should go home, you know, and, and talk with family members about this and there is no gift card scam that's gonna you a thousand gift card or, and it just brings it down that personalization.

I, I think a lot of our employees, again, on the clinical side, they don't necessarily, you know, log in every day or do everything like that. So we take every opportunity, we, we kind of use the push method of. Putting it on their firm and, and then giving them the, the access to jump back into the SharePoint page and read about stuff.

I, I guess, you know, if I'm a board member at Geisinger, I'm, I'm looking at you guys going, Hey, this is great. This is great. Good progress. Appreciate what you're doing. This is fantastic. What's it gonna take to get to zero? Because that's, that's essentially the goal, right? We don't. Anyone to give away their credentials because that's, that opens up the, the system.

And one of the, I think the eye-opening things for staff is to recognize, they're like, yeah, but I don't have administrative access to anything. I don't have, whatever. It's, it really is once they get into a system and they're able to get into a remote system, a Citrix or whatever, they're able to break out that systems

people. You don't have to be an administrator of the system to help people gain, help bad actors gain access to our system. If you give away your credentials, that's an opening for them. So I'm a board member. I'm looking at you guys. Hey, fantastic progress. How do we get to 0%? Is that even an attainable goal?

I'm not showing myself that that's an attainable goal. That's like perfection. But certainly one of the ways that that information that you were just talking about, like the employee doesn't understand perhaps that if a hacker gets their credentials that they can get into the system and move around.

That's the kind of information that we talked about during our in-person presentations with Steve Dunkel or ciso, and that generated lots of conversations with the employees. So I mean, that's the kind of information that's really best delivered, like verbally in person. Uh, and we did some of that, and I think that was really helpful.

Yeah, I, I'd just add on, we're trying to get down to zero. I, I don't think it's attainable, but I, I think we just need to keep this constantly going just to keep it co compressed as much, as long as we can. Man, I do think there are some opportunities we think geer, that we, we can make it a little bit better.

One of the things I, I like to, you know, look for our team to do is kind of keep up with some more of the relevant stuff once we see the start of a scam or some type of attack that we do successfully stop, or maybe the next following month after that, we run a, a campaign that closely monitors that, and that's twofold is kind of both to keep the education up for the end users of kind of what's going on or what the new tactics are of this week.

Of course there's new taxes every time. So it, it's not gonna be, just remember this, you can be good. It's, you know, we tried to take a step back and, and let the employees kind of look at the big picture, right? Like, yeah, this is a bad link. You shouldn't click on it. But before you even think about clicking on that link, you just take a general overview of the email.

Do you know who the sender is? Is there anything weird in the subject line or misspellings, you know, back to those common type stops and, and just kind of get 'em at that. So I, I, I don't think zero's attainable, but I think by us continuing this process. And refining it and just continuing the education where we kinda, like David said, in person through remote learning or anything like that, I, I think it's gonna help us compress that even a little bit more.

Yeah. I, I love this concept. I, I keep going back to it. I love this concept of threat hunters. What kind of background do threat hunters have? And I, I guess the question is. Background skills and how do you stay ahead of it? I have a handful of websites for this week in health. It and I, I get to see the stats of how many times I, I'm potentially getting hacked every day.

It's, it, it's silly. I mean, there's nothing to get behind my website, but the number of potential attacks on the website is, is significant. How do you stay ahead of it and threat team threat hunting comes down to. I, I'd say curiosity, really. You wanna, you want a person that has the gut that's like, hmm, let look, let's investigate this a little bit more.

But to your point, the information out out there is overwhelming. Of course we focus mostly on healthcare and, and those type of threats as that's the industry we're in. But we do find different veins and different ways of getting into other things like that. So curiosity, just different backgrounds of our employees, our teammates here.

Some are really good at networking, some are really good endpoint. And again, just being able to collaborate as a team on that type of stuff. It's amazing. The doors are opens and the information that we get through that. All right. So what's the guidance to other health systems? They're at this, they're listening this, we're just getting our program off the ground or we've our off the percent, you know, what's the guidance you would for of on Go, Josh?

I'll start. I'll probably take most of Dave's David's Thunder, but, uh. I, I would say the biggest thing is to, of course, get executive support for, we kind of talked about how we did that within Geisinger of just kind of going up the ladder and that type of thing. But the other thing I, I really think is the biggest two portions of a program is our friendliness approach, I'll call it, but we're not known as the enforcers, or, oh, you get sent to the ISOs office, you know, like.

Similar to the principal's office, right? It's nope, we're here to help you. We're all here to maintain the safety and, you know, and security of the Geisinger's data systems and, and that type of thing. And the other thing I really like and I think really, um, shows every time is the immediate feedback we give, whether it be through the phishing campaign itself, with a, a short video.

I mean, short. I mean, it's like David, I think it's what, 30 seconds or so? It, it's very short. Just gives you what you need. It's not, you know, that long. But also when you send in our a suspect real phishing emails, again, my team will respond and we'll say yes or no, and then we'll provide a little bit more context of, Nope.

I mean, yes, this is phishing, there's links, misspellings, and that type of thing. And I think those, all, those three things kind of work candid hand and that really gives them the employees a program that it, it feels like we're partnering with them and not against them. Yeah, I, I think that's very well said.

I. And I mean, I will add that the only thing I, I guess I might add is that in addition to the whole non-punitive approach, friendly approach that we take to it, we also do a fair amount of work in terms of putting out information to help people in their home lives and in their personal lives with online safety.

So whether it's online safety tips for shopping. Whether it's, uh, scams that are not nothing to do with Geisinger whatsoever, but scams that are circulating that we happen to know about, we put that information out. So we come across as trying to help people, not just trying to make them adhere to our policies and procedures and whatnot.

And I think we are really trying. It's not that we come across that we really are doing that , but I think that really wins us a lot of goodwill from the employees. Fantastic gentlemen. Great. Great progress and thanks for coming on the show and sharing. I appreciate. Thank you. Bill us. What a great discussion.

If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were ACIO today, I would have every one of my team members listening to this show. It's it's conference level value every week. They can subscribe on our website this week, health.com, or they can go wherever you listen to podcasts.

Apple, Google. . Overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders.

Those are VMware, Hillrom, Starbridge advisors, Aruba and McAfee. Thanks for listening. That's all for now.

Contributors

Thank You to Our Show Sponsors

Our Shows

Today In Health IT with Bill Russell

Related Content

1 2 3 282
Healthcare Transformation Powered by Community

© Copyright 2024 Health Lyrics All rights reserved