Tech Talk, June ’22

Don’t Take the Bait!

By Jonathan Pierce, Information Security Manager

Do you ever receive emails or texts that just seem off and suspicious? Well, if it looks like a duck and quacks like a duck, it’s probably a duck. In other words, follow your gut and don’t take the bait. Hackers are increasingly using these tactics to steal valuable data and identities worth millions of dollars, which can take down companies and turn lives inside out. To assess how well BHG team members are practicing smart, safe digital hygiene habits, the IT department is conducting undercover phishing exercises for prizes. So far, most of you are doing well, but we still have a way to go.

Hackers see healthcare data as most valuable

According to a 2019 NIH National Biotechnology Institute report, healthcare data is one of the most attractive targets for cyber criminals because it contains financial and personal data, can be used for blackmail, and is ideal for fraudulent billing. It is also remarkably vulnerable to penetration because of the fluid and always-evolving nature of a patient’s medical care and because of the number of clinicians, facilities and transactions required to connect patient care across multiple settings. The addition of mobile healthcare devices and connected healthcare delivery systems makes healthcare data more attractive but also more vulnerable.

Medicaid fraud is a huge issue where all the medical information goes overseas. Patient records are worth about 25 cents each. At my last job, we had six million patients, and 25 cents each adds up fast.

The most popular thing hackers are doing now is encrypting an entire network, which turns the situation into a ransomware attack. Companies are basically shut down and under siege until the ransom is paid. In our industry, that can cost lives.

Why the secret phishing?

Security is not just my job, it’s everybody’s job. My job is to empower you to do that job better. One way we’re doing that is by sending out emails to trick you just like the attackers do. The advantage to that is we’re ensuring a safe IT environment and we’re training you to look for the sketchy messages. While that may stink, it’s better than what would happen if you fell prey to the fraudulent phishing (sorry, I couldn’t resist). If it makes you mad, that’s actually good because it means you’re trying to learn and keep your digital ecosystem safe.

The good news is that for a program as new and as large as ours, you all are doing well. Typically, within the first 90 days of a phishing campaign, click rates are 16% within large medical companies. Pat yourself on the back because we’re below that at 11%, but we must do better.

My view of security is that it should be as unobtrusive to your work as possible. This is just one of those areas where it can’t be. With phishing, you have to do training, and it’s a widespread practice with companies of all kinds. If you think of it as a game, you’ll be happier. That’s why I like to do prizes.

We are sending phishing emails every month. Those who receive one and respond appropriately will be entered into a drawing. Prize details are still being determined and will be announced at a later time.

Tips to improve digital hygiene habits

  1. Contact me and the IT team at any time with questions and I will answer them, judgement-free. You weren’t hired to do or know IT, and it’s our goal to help you get better at an aspect of your job for which you’ve most likely never been trained.
  2. If you have suspicions about an email you’ve received, DO NOT forward it. Please click on the “Phish Alert Report” button in the upper right-hand corner of your email task bar and your alert will come straight to me.
  3. Practice good security posture at work and at home. Unfortunately, most of the bad responses in our campaign are coming from team members’ cell phones. It’s easy to do because we’re all more relaxed at home. However, with remote work becoming the standard, we should be aware at all times on all devices. And the closer your role is to patient health information (PHI), the more careful you need to be.
  4. Turn Bluetooth off when not needed, especially during international travel because hackers will clone your phone. It only takes about 30 seconds for them to do it, so have your airplane mode on.
  5. Be wary of links, especially if they aren’t on our BHG domain. We will never ask you for your password or to install a file without your knowledge and permission. To check for suspicious links, go to https://www.emailveritas.com/url-checker, which allows you to type in a web address to see if it is malicious. It won’t catch all malicious websites, but if it says a site is bad, it’s definitely bad.
  6. Learn the parts of a web address (https://blog.hubspot.com/marketing/parts-url is a good guide). All websites use https because modern browsers won’t let you go anywhere that isn’t. The second-level domain is the important part: Microsoft.blogspot.com, for example, is a website owned by BlogSpot, not Microsoft. The other parts can be anything and don’t provide meaningful information. So what you always want to look at is what sits between the // and the first /, and within that, what is right before the last period/dot. For example, jims.big.engines.blog.com would be a site on blog.com.

Example of a good domain link

When you hover over the link, it says it is going to FedEx.

Example of a bad domain link

This link says it’s going to Microsoft.com, but if you hover over it, you get what is shown in the image, namely that it is going to “secured-login.net.”
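The two checks described above (read the host between the // and the first /, then look at what is right before the last dot, and compare that with what the link text claims) can be written down as a small script. This is an added illustration, not part of the newsletter or of BHG’s tooling; the sample links are constructed to match the examples in the text, and the two-label rule is the newsletter’s own simplification (addresses under multi-part suffixes such as co.uk would need a public suffix list, which this script does not use).

```python
from urllib.parse import urlsplit
import re

# Constructed sample links modelled on the newsletter's examples:
# (visible link text, where the link actually goes)
SAMPLE_LINKS = [
    ("https://www.fedex.com/tracking", "https://www.fedex.com/tracking"),
    ("Microsoft.com", "https://microsoft.secured-login.net/signin"),
    ("jims.big.engines.blog.com", "http://jims.big.engines.blog.com/"),
    ("click here", "https://secured-login.net/"),
]


def hostname(url):
    """Return the part between // and the first / (lower-cased, port dropped)."""
    if "://" not in url:
        url = "https://" + url  # bare names such as "Microsoft.com"
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """The label right before the last dot plus the last label, so
    jims.big.engines.blog.com -> blog.com. Two-label rule only (assumption:
    no public suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_mismatch(visible_text, href):
    """True when the visible text looks like a web address but its domain
    differs from the href's: the 'says Microsoft.com, goes to
    secured-login.net' pattern from the bad-link example."""
    if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", visible_text, re.I):
        return False  # plain words like "click here": nothing to compare
    return registrable_domain(hostname(visible_text)) != registrable_domain(hostname(href))


def review_links(links):
    """Return (visible_text, domain the href really goes to, mismatch?) per link."""
    return [(text, registrable_domain(hostname(href)), link_mismatch(text, href))
            for text, href in links]


if __name__ == "__main__":
    for text, domain, bad in review_links(SAMPLE_LINKS):
        print(f"{'SUSPICIOUS' if bad else 'ok':10} shows {text!r:34} goes to {domain}")
```

A link with plain text such as "click here" is not flagged by this comparison, so the domain the href really goes to still has to be read by hand, which is what hovering over the link shows you.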

Doing this training reduces the likelihood of a breach. Breaches can trigger HIPAA violations with fines and penalties into the millions, but most importantly, it places our patients’ information at risk.

Just remember, security is everybody’s job. Never feel judged, even if you make a mistake, because that’s the whole point of this phishing exercise. If you do make a mistake, we’re here to help. It’s not a gotcha for gotcha’s sake.