David Stellfox, Cybersecurity Communication Specialist, and Joshua Murray, Cyber Threat Response Team Lead, joined host Bill Russell to discuss how Geisinger Health lowered the success rate of phishing email attacks in its health system.
According to Stellfox, there has been an increasing awareness of phishing attacks against health systems. These can be multi-pronged attacks, leading to data breaches and malware installation. Through phishing, attackers can create an open door to do almost anything within the system's network, Murray explained.
Even with heightened risk and awareness, IT professionals still fight an uphill battle to have mindshare with health system executives. Stellfox explained there must be a push to maintain the awareness of executives, as they are also handling other pressing issues in the organization.
To communicate effectively, the team at Geisinger uses a bottom-up approach, working with people who serve as conduits to executive leadership. Additionally, according to Stellfox, they deliver a two-page quarterly bulletin that serves as a physical reminder to executives.
But heightened awareness can also mean increased pushback, Stellfox explained. There must be a balance between convenience and security, which has often skewed towards ease of access.
According to Murray, Geisinger has tried to hold tabletop exercises where executives and clinical recruitment managers are shown how phishing leads to ransomware.
"With that, we get a little bit more awareness of showing them the whole process," he explained.
According to Murray, his Cyber Threat Response Team is responsible for threat management in the organization by:
At Geisinger, the team has reduced phishing success by 50% amongst their staff. According to Stellfox, to do this, the organization made the program visible to employees and provided training to lower these rates. It was critical to partner with their teams through conversations rather than try to police them, Murray said.
"It was where we partnered with the employees and just made sure that we're here to help. We all have one goal in mind, and this is how we're going to accomplish that," he explained.
In the last two years, the general public has become more aware of phishing attacks and their potential implications, according to Stellfox. In the beginning, phishing emails were generic, with gift card links. Murray explained that over time they have become more sophisticated, transitioning into targeted text attacks that use company logos and current events.
Attackers have increased customizations to target organizations and individuals more effectively. For example, throughout the pandemic, there was an explosion in COVID-related schemes, including text messages for vaccine appointments.
"I think they're really trying to kind of pinpoint Geisinger, or whoever they're trying to target, using those types of things. And, again, current events are the most ways to do that...They can put the urgency behind it; say we need this tomorrow. And that's when the users give that up," Murray said.
Murray also explained that the team at Geisinger examines possible phishing attacks and gives immediate feedback to staff. This has allowed them to provide education on what is and is not phishing.
The immediate response has proved important to the team. According to Stellfox, they use on-demand tools and information on their SharePoint site. Additionally, he publishes phishing articles relevant to the company, healthcare industry, and employees' personal technology use. This is helpful for staff who do not often log onto their computer, like nurses.
While there may be a goal to eliminate phishing attack success in health systems, Stellfox and Murray do not believe that is an achievable goal.
"I don't think it's attainable, but I think we need to keep this constantly going. Just to keep it compressed as much as long as we can. I do think there were some opportunities within Geisinger. We can make it a little bit better," Murray said.
According to Murray, gaining executive support is important for decreasing phishing success. Additionally, he recommended a friendly approach to training staff and dealing with attacks.
"We're not known as the enforcers, or you get sent to the ISO's office, similar to the principal's office. We are here to help you. We're all here to maintain the safety and security of Geisinger's data systems," he said.
Additionally, immediate feedback is an element Murray believes is beneficial to other health systems. They try to remain proactive by researching information about online safety tips and scams circulating both in and out of the health system. Consistently distributing this information has benefitted their employees, according to Stellfox.
"We come across as trying to help people, not just trying to make them adhere to our policies and procedures...I think that really wins us a lot of goodwill from the employees," he said.