Insider risk has long been one of healthcare’s greatest pain points, driven by the need for expedient access, an expansive vendor list with similar access requirements, and the fact that humans are fallible. For Duke Health, bolstering security awareness across the enterprise has centered on administrative controls rather than on technology.
“It’s much harder to tune humans than it is to tune a tool,” said Shelly Epps, director of security program management for Duke Health, during an Oct. 19 ISC2 Security Congress Virtual Conference session on managing an effective security training and awareness program amid a pandemic. Epps was joined by colleague Gaylynn Fassler of security strategic projects.
Healthcare is uniquely vulnerable to phishing attacks, particularly due to high employee turnover and an influx of new workforce members who may not have received previous cybersecurity training, according to a 2019 study in the Journal of the American Medical Association. The JAMA study on the effects of phishing simulations confirmed that phishing education and training can reduce the overall cyber risk to the healthcare enterprise.
Duke Health launched its pilot simulated phishing program the year before the pandemic. In doing so, the program’s leader was able to raise the security maturity level in the enterprise from a 3 to a 5. The health system has 40,000 users within its network.
Epps was brought onto the security program eight years ago to act as liaison with the security analysts and to establish a robust security awareness and training program. Rather than a simple checkbox, compliance-focused program, she opted to focus on attack probability and risk assessments of business impact to determine where to direct the awareness and training effort.
The program relies little on physical, technical or other mitigating controls in the awareness effort; instead, administrative controls are treated as the true mitigation: policies, procedures, training, awareness, and user behavior.
As such, Duke Health’s prime focus is on the areas where the probability of an event or the impact of an incident is deemed high. In some instances, where risk is determined to be low, those users may not be trained on a certain issue but will be informed on the issue through an internal secure system usage memo or another communication channel.
“If it's a high impact event, but low probability, and we can mitigate it down to a reasonable accepted risk, we're probably not going to focus too much effort there,” explained Epps. “If it's a high probability event, but a low impact, and we can mitigate it, again, that's not where we're going to spend most of our effort.”
“Make sure that, as you are teaching people, you've given them something that they can work with, in small enough amounts,” she added. “Because it's so easy to overwhelm people these days.”
Developing an effective phishing program
In February 2020, Epps began testing the user base with phishing emails with support from Fassler, just before the pandemic began and many of the staff began working from home. Around the same timeframe, the program was scheduled for an internal audit to find areas where the department could improve.
Prior to launching the program, there was a pilot phishing program to gauge the level of security within the organization. At the time, Epps ranked the security maturity level of the enterprise at a 3 out of 5. Duke Health’s culture focused on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and its related privacy and compliance requirements.
However, there was limited awareness around the HIPAA Security Rule obligations, and many “hadn't yet incorporated security into their normal language as part of their business decisions.”
The discussions center around strategic methods, “rooted in repeatability, scalability, defensibility and metrics,” she explained. “We never want to do the same thing twice, if we can help it.” That means ensuring the workforce understands risks and how threats are posed within the enterprise environment.
Epps aimed to bring Duke Health to a place where there’s a strategic, repeatable, scalable, and defensible solution able to provide metrics and strong auditing and monitoring controls. The awareness program also avoids relying on PowerPoint or other passive exercises to train employees.
Instead of “blindly staring at a screen,” Duke Health uses more interactive measures to engage staff with the process, such as video, written communication, in-person sessions, mobile tech, and other channels.
The phishing simulations are positive, not punitive, and the results are kept anonymous: only a handful of administrators have access to the administrator console and know who actually failed a simulation or reported the phishing emails as part of the training.
In fact, Epps would not provide the names of those who failed to those outside of the program. Instead, she’d reach out to the individual directly to discuss what happened and ways to improve to “reinforce the positive aspect” of the program.
“There's a spectrum of security that we're all on. We're not trying to teach you everything that you need to know on any given day,” explained Epps. Instead, the aim is to give users two or three things each day that they can handle, to bring them to the right end of the spectrum.
“The 1980s PowerPoint is overkill at this point,” she added. “You're probably not hitting all of your user base, and you're certainly not speaking to the younger people, their user base.”
Incorporating elements from the SANS Institute professional training course, Epps worked to drive awareness through phishing exercises and other educational activities to raise the awareness metric to four or five with a “long-term, sustainable culture change and promoting awareness and training, while ensuring compliance with all rules and regulations.”
One of the biggest recommendations from Epps was to implement a “report phish” button as a widget within Outlook, giving employees the ability to report suspicious emails with one click and, again, driving metrics.
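The kind of metrics a report button feeds, and the anonymized handling of results described above, as an added example (this is not Duke Health’s code or tooling): it takes constructed per-user simulation records with hypothetical user IDs and departments, computes campaign-level click, report, and report-before-click rates plus time-to-first-report, and reduces per-user data to department aggregates while suppressing any group below a minimum size so the output cannot single out an individual.

```python
"""Phishing-simulation campaign metrics from constructed event records.

Added example, not Duke Health's code. Assumes one record per recipient
(hypothetical user IDs and departments) holding when, in seconds after
delivery, the user clicked the simulated lure and when they used the
report button; None means the event never happened.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class SimResult:
    user_id: str
    department: str
    clicked_at: Optional[int]   # seconds after delivery, None if never clicked
    reported_at: Optional[int]  # seconds after delivery, None if never reported


# Constructed sample campaign (not real data).
SAMPLE = [
    SimResult("u01", "Radiology", None, 120),
    SimResult("u02", "Radiology", 300, None),
    SimResult("u03", "Radiology", 60, 90),    # clicked first, then reported
    SimResult("u04", "Radiology", None, None),
    SimResult("u05", "Radiology", None, 45),
    SimResult("u06", "Billing", 30, None),
    SimResult("u07", "Billing", None, 600),
    SimResult("u08", "Billing", 200, 240),    # clicked first, then reported
    SimResult("u09", "Billing", None, None),
    SimResult("u10", "Billing", None, 30),
    SimResult("u11", "Research", None, 15),
    SimResult("u12", "Research", 20, None),
]


def _reported_first(r: SimResult) -> bool:
    """True when the user reported without clicking, or before clicking."""
    if r.reported_at is None:
        return False
    return r.clicked_at is None or r.reported_at < r.clicked_at


def campaign_metrics(results):
    """Aggregate rates for the whole campaign; no per-user data is returned."""
    n = len(results)
    clicked = sum(1 for r in results if r.clicked_at is not None)
    reported = sum(1 for r in results if r.reported_at is not None)
    reported_first = sum(1 for r in results if _reported_first(r))
    report_times = sorted(r.reported_at for r in results if r.reported_at is not None)
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        # the behaviour the button is meant to produce: report, don't click
        "report_first_rate": reported_first / n,
        # how fast the security team would have heard about a real campaign
        "first_report_seconds": report_times[0] if report_times else None,
        "median_report_seconds": median(report_times) if report_times else None,
    }


def department_breakdown(results, min_group: int = 5):
    """Per-department rates, with small groups suppressed (returned as None)
    so a manager cannot infer which of a few people failed."""
    by_dept = defaultdict(list)
    for r in results:
        by_dept[r.department].append(r)
    out = {}
    for dept, rows in by_dept.items():
        if len(rows) < min_group:
            out[dept] = None
            continue
        m = campaign_metrics(rows)
        out[dept] = {"recipients": m["recipients"],
                     "click_rate": m["click_rate"],
                     "report_rate": m["report_rate"]}
    return out


if __name__ == "__main__":
    print(campaign_metrics(SAMPLE))
    print(department_breakdown(SAMPLE))
```

Per-user rows never leave this module; the "who failed" conversation stays with the program's administrators, while leadership sees only rates and the reporting latency that tells the security team how quickly a real phish would surface.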
To engage with more people less often, Duke Health also employed an ambassador program to ensure they weren't completely reliant upon the security team to accomplish the overall goals. Epps explained there’s a need to deputize people by giving them the basic tools to carry out the program’s message and drive the cybersecurity conversation across the enterprise.
“Even if you're diluting the message somewhat by using people that are not trained security professionals, if you're having the conversation over time, you're all shifting towards a secure culture environment,” said Epps.
Addressing the pandemic impact on security awareness
The pandemic drove an incredible amount of change within the healthcare sector, from new technologies to support remote care and remote work, to new policies and initiatives to keep people safe. Epps and Fassler opted to pause the awareness program at that time, so as not to further inundate the workforce.
“It felt like it would be hard to engage people on these topics when there's so much else going on,” said Fassler. The team began taking stock of the most challenging issues at the time, such as onboarding and offboarding staff, as well as addressing risks posed by the new reliance on Zoom meetings, including preventing staff from being compromised through these channels.
Epps began employing new methods to bolster awareness, such as training videos. Once the team felt adjusted to the new normal, they restarted phishing training and provided awareness training presentations on a virtual platform.
Much like the majority of healthcare providers, Duke Health also had to deal with the uptick in cyberattacks brought on by COVID-19 fears and other schemes tied to the pandemic. Epps explained that as sites tied to the pandemic would come online to support patients, so did attacks against the platforms.
Epps and Fassler became the support team for other workforce members, showing them how to limit their digital footprint and reduce their susceptibility to attacks. That included ensuring that press releases were limited to needed workforce members and contacts, so as not to hand those details to malicious actors.
Duke Health also added a standalone offering to its annual HIPAA training focused on awareness, such as insider threats.
For Epps, the key to gaining leadership support for security awareness training is to “stop trying to make everybody happy. It’s a fool’s mission.” The second important element is to have a close relationship with the chief information security officer who can advocate for these measures.
Fortunately, the current threat landscape and healthcare fallout is making it easier to find the advocacy needed to secure the security budget and resources, while keeping security at the table instead of as an afterthought, she explained.
“If you're not having security in the conversation, if your CIO and your board and your others aren't talking about security and getting your CISO’s input, then they're missing the mark at this point,” said Epps. “I am not a huge fan of security that stops business. I'm always one to think, 'What are things that we can do that are going to give us value, but also not kill us at the same time.'”
“One of the challenges we face is that security analysts go so quickly to lock it down, shut it down, etc. And what they don't do is say, 'Keep it up, but mitigate as much as you can,'” she added. “Get it as close as you can, and then accept the rest and then move on. Instead, think about your approach as enabling business through good security.”