With phishing attacks on the rise against healthcare organizations, Jackson Health System in Miami is preparing by better training workers to be alert.
The system periodically sends out fake phishing emails, using software to determine the number of clicks a malicious link in the text would receive, Connie Barrera, director of information assurance and chief information security officer at Jackson Health, explains in an interview at Healthcare Info Security.
The software tracks what the user did with the phishing attempt: whether they only opened the email; whether they clicked on the link to the website; or whether they entered any credentials. For those that fall for the schemes, it prescribes further training such as a website, video or game to drive home the message about the dangers of phishing.
During group training sessions, employee say they would never fall for email exploits, but "it's a completely different world when they're sitting at their desk and it's only them, their keyboard and their screen and they see a message [that says] 'we love our employees, we're giving you free coffee, let us know what kind of brew do you like,'" Barrera says.
In IT, she emphasizes the importance of training--and cross-training--staff so they have a broader view beyond just their own set of tasks.
"I find in dealing with the entire organization that for security, many times, the gaps that people have in their knowledge, the particular area that they serve, really compounds the security problem," she says.
If a worker knows only his or her own defined tasks they may not be "knowledgeable enough, not empowered, to even make an educated guess," Barrera adds. "If you don't know what's normal, how do you know when something is off?"
What's more, employees should be taught to be alert for the warning signs of a phishing email, such as spelling mistakes or generic language; requests for confidential information, including passwords and credit card details; and suspicious links.
To learn more:
- read the interview