Anti-phishing training must be ongoing, relevant


Training healthcare staff about the dangers of phishing can’t just be a one-time thing. It must be routine, relevant and consistent, according to Mark Parkulo, associate dean of clinical practices at the Mayo Clinic.

As part of its security efforts, Mayo's staff routinely creates fake emails built around real-life scenarios to see whether users can be tricked into clicking on them; such clicks are one of the primary ways ransomware or other malicious code is introduced into healthcare networks.

“You can do that education, but there is so much turnover in your staff and other security issues that arise, so if you do not consistently do the education and continually monitor what is happening, you will not be successful,” Parkulo tells Healthcare IT News.

The end users can be the ones who alert security staff to potential issues. But the industry overall has not done a good job of fully explaining what cybercrime looks like and its consequences, he says.

It’s also vital to fully understand business processes and identify where vulnerabilities lie, according to Parkulo. Mayo, for example, spends time with patient care and supply chain providers to find security gaps.

Phishing has been on the rise in the past year, according to a Verizon Enterprise Solutions report published earlier this year, with human error, including an increased number of suspicious emails opened, among the top factors leading to security incidents.

In its bid to thwart phishing attacks, the Centers for Medicare & Medicaid Services has recruited "data guardians", people who are not part of the security staff, to keep employees on their toes.