Patient falls have been a serious problem in hospitals and other healthcare facilities for years. In fact, in January 2013 the Agency for Healthcare Research and Quality set out to help reduce the number of falls in healthcare facilities by commissioning a RAND Corporation/ Boston University School of Public Health Report. The report, titled “Preventing Falls in Hospitals: A Toolkit for Improving Quality of Care” lays out a great deal of information regarding falls in hospitals as well as strategies for reducing the number of victims. An article on Healthcare IT News takes the Toolkit and applies it to the pandemic of email phishing attempts by cybercriminals.
According to the report, an alarming number of individuals (700,000 to 1,000,000 to be more specific) would be a fall victim in a hospital during the year of 2013.
What followed was an intense period of staff education and awareness training, monitoring of falls risks, implementation of numerous fall prevention programs, and development of countless resources to focus on fall risk.”
A project coordinated by the American Hospital Association’s Health Research and Educational Trust found that in 325 participating hospitals across 31 states, there was a 6 percent relative risk reduction in the number of falls following the awareness training, fall prevention programs, etc.
Despite contradictory claims that falls actually increased from 2013 to 2016, this article is set out to focus on the benefits of the Toolkit and how it reduced falls in hospitals, so one should assume there was a true reduction in the number of falls.
The link between EHR corruption and email
Phishing (and now “spearphishing” or “whaling”) are the most easily and commonly exploited vulnerabilities in systems, with the average time between the target receiving the contaminated email and clicking on the attachment being two seconds according to statistics cited by the FBI in meetings.”
How can we use the knowledge learned from the fall prevention Toolkit to promote anti-phishing efforts? Below are some top strategies from the Toolkit, which are applicable to reducing the number of successful phishing attempts made by cybercriminals.
Support from organizational leadership is necessary to promote change
While email attachments provide a convenient way to share documents and attachments among your organization, you cannot send out attachments on a consistent basis and expect your employees to follow the rules of “do not open email attachments”.
Creating a document center where your organization can share documents is a great solution to sending this information via an email attachment. It may be helpful to summarize the document in the email, but refrain from sending anything as an attachment as often as possible.
It’s a people problem
Since employees are often the cause of a data breach and their behavior is not easily changed, it is crucial that they find a way to convince themselves not to click on a phishing email.
Some ways for encouraging employees to look out for phishing emails include advising them to report suspicious behaviors, provide an emergency line in the event they did click on a phishing email and reward them for responding favorably to training.
Even if you have a flawless procedure in place, if it’s not used, it will be unsuccessful. Creating procedures that can be used universally across your organization will be helpful in ensuring your strategies are understood.
To test your email compliance strategy, it will be necessary to send internal phishing attempts to see which employees are complying with your procedures. You may also want to try spear-phishing to see just how closely your employees are paying attention!
Blocking personal email accounts on work computers is very beneficial and is very important to ensure PHI is never sent out from a personal account. Monitoring compliance with email procedures will also go a long way in protecting your organization.
Training is vital
Training is key in ensuring your employees know and understand the do’s and don’ts. Using different approaches such as online and in-person training may be beneficial in keeping your employees engaged.
Attitudes towards solving the problem must change
It’s possible that employees feel no matter how prepared they are, successful phishing attempts will still sneak through the cracks. It is important to have a program with training, auditing, verification/testing and disciplinary actions to remind employees that problem must be solved.