Out Phishing: How Health Systems Can Re-Evaluate Employee Security Training

Amid a deluge of phishing emails, UC San Diego Health CISO Scott Currie knows that successful attacks are inevitable, so he focuses on minimizing risks through technology and training.
With some 23,000 employees, the health system receives about 30 million emails a month, roughly half of which the secure email gateway blocks. Even at a 99.9% block rate, the remaining 0.1% of those 15 million unwanted messages, about 15,000 a month, can still slip through. Recognizing them then falls to employees, which is where user education becomes critical.
“It’s a complex problem, and quite frankly, it’s not something that is solvable,” Currie says. “It’s really a matter of minimizing the risks through various means so we lower the likelihood of a security incident. We’re dealing with people primarily as being the attack vector.”
Social engineering attacks on healthcare organizations are becoming increasingly sophisticated and harder to detect as attackers use artificial intelligence to make them appear more realistic and legitimate, healthcare IT leaders say.
Though email phishing remains the most common vector, social engineering has expanded to text messages (smishing) and phone calls (vishing).
To counter these evolving threats, providers are deploying advanced email security tools, new verification procedures (such as requiring employees to confirm requests through a separate, trusted communication channel) and training programs that help employees recognize suspicious messages.
Malicious actors know employees are their easiest point of entry, says Enterprise Strategy Group Analyst John Grady.
“Employees are absolutely the weakest link through no fault of their own. They have other focus areas, especially in healthcare,” Grady says. “With ransomware, all it takes is a user mistakenly clicking on something. A fundamental mind shift must take place, and the only way to do that is through user education.”
Organizations across industries acknowledge that weak user training undermines cybersecurity: 31% of IT decision-makers cited insufficient or ineffective employee training as a major concern for their strategy, according to the 2024 CDW Cybersecurity Research Report.
Improving Training to Prevent Successful Phishing Attempts
Like all University of California campuses, UC San Diego Health requires annual cybersecurity training, which it delivers through a learning management system. The organization supplements that with monthly phishing simulations, in which staff are sent test emails built to look like real phishing attempts.
More recently, Currie has ramped up a third training experience: in-person sessions customized to specific departments.
That’s in response to a recent study on UC San Diego Health employees that found that two common forms of training — annual security awareness training and simulated phishing attacks — offer limited value. In fact, in those simulated phishing exercises, trained users had, on average, only a 1.7% lower failure rate than untrained users.
Currie assisted in the study because he wanted to understand the best way to train employees. Now he is expanding those department-specific sessions, delivered in person or over video calls and tailored to the risks of each role.
For example, an attacker who has compromised a business partner's email account can send a message requesting banking information for an invoice payment. “We are trying to do more of these in-person sessions. I think that is by far the most effective means of getting people to understand the risks,” he says.
Currie still sees merit in simulated phishing exercises, so he continues to do them. “Even if it’s marginal or negligible, there is still some value in training because, at the very least, it allows us to continue to have conversations and raise awareness with staff and faculty throughout the year,” he says.
UC San Diego Health has deployed Proofpoint’s secure email gateway, which inspects email and blocks spam and malicious email. Proofpoint also enables Currie and his team to conduct monthly phishing simulations.
“Those who click are directed to an explanation on what should have tipped them off that it was a fake phishing attempt,” he says.
Increased media coverage of breaches and employees’ own encounters with social engineering attempts help reinforce formal training, Currie adds. As a result, more employees now forward suspicious emails to the IT security team, as the training recommends.
“We’re going to look at it and give you a verdict,” he says. “We’re never going to slap you on the wrist. We’re going to congratulate you for being cautious.”
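The "forward it and we'll give you a verdict" workflow above, and the compromised-partner invoice lure mentioned earlier, both come down to a handful of tells a reader can check in the message itself. The following script is an added illustration of that triage, not code from UC San Diego Health, Proofpoint or this article: it parses a raw message with Python's standard email library and reports the indicators that should have tipped the recipient off (a display name that borrows the organization's name, a lookalike sender domain, a Reply-To that diverts the conversation, failed SPF/DKIM verdicts from the receiving gateway, and urgency or banking wording). The two sample messages, the organization name and domain, the urgency word list and the verdict threshold are all constructed assumptions.

```python
"""Triage a forwarded e-mail for the tells a phishing-aware reader should spot.

Added illustration only; not code from UC San Diego Health, Proofpoint or the article.
The organisation name/domain, both sample messages, the urgency word list and the
verdict threshold are constructed assumptions.
"""
import re
from email import policy
from email.parser import BytesParser

ORG_NAME = "Example Health"          # assumption: how staff know the organisation
ORG_DOMAIN = "example-health.org"    # assumption: the organisation's own mail domain

# Wording that pressures the reader to act before verifying (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "wire transfer", "invoice", "banking details")

# Constructed sample 1: a "business partner" invoice lure carrying several classic tells.
SUSPICIOUS_RAW = b"""\
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=examp1e-health.org; dkim=none
From: "Accounts Payable (Example Health)" <ap-notices@examp1e-health.org>
Reply-To: payments.update@mail-relay-secure.net
To: clinic.manager@example-health.org
Subject: URGENT: updated banking details for invoice 4471
Content-Type: text/plain; charset=utf-8

Please process payment immediately to the new account below; the old one is closed.
Confirm within 24 hours or the invoice will be escalated.
"""

# Constructed sample 2: an ordinary internal message that should come back clean.
BENIGN_RAW = b"""\
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass
From: "Clinic Manager" <clinic.manager@example-health.org>
To: nurse.lead@example-health.org
Subject: Staffing for Thursday
Content-Type: text/plain; charset=utf-8

Can we cover the afternoon telehealth block with two nurses instead of three?
"""


def _first_address(msg, header):
    """First parsed address in a header, or None if the header is absent or empty."""
    hdr = msg.get(header)
    if hdr is None or not getattr(hdr, "addresses", ()):
        return None
    return hdr.addresses[0]


def _is_lookalike(domain, target):
    """Same length as the target and differing in at most two characters (e.g. '1' for 'l')."""
    if domain == target or len(domain) != len(target):
        return False
    return sum(a != b for a, b in zip(domain, target)) <= 2


def triage(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = _first_address(msg, "From")
    from_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name.lower() if sender else ""

    # 1. Display name borrows the organisation's name, but the address is not on its domain.
    if ORG_NAME.lower() in display_name and from_domain != ORG_DOMAIN:
        findings.append("display name claims %s but sender domain is %s" % (ORG_NAME, from_domain))

    # 2. Sender domain is a near-copy of the organisation's own domain.
    if _is_lookalike(from_domain, ORG_DOMAIN):
        findings.append("sender domain %s is a lookalike of %s" % (from_domain, ORG_DOMAIN))

    # 3. Replies are silently redirected somewhere other than the apparent sender.
    reply_to = _first_address(msg, "Reply-To")
    if reply_to and reply_to.domain.lower() != from_domain:
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (reply_to.domain.lower(), from_domain))

    # 4. The receiving gateway's own SPF/DKIM verdicts; anything but 'pass' is worth noting.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim"):
        m = re.search(r"\b%s=(\w+)" % mech, auth)
        if m and m.group(1) != "pass":
            findings.append("%s=%s in Authentication-Results" % (mech, m.group(1)))

    # 5. Pressure to act now plus money/banking wording, the core of an invoice lure.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body_text).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/financial wording: " + ", ".join(hits))

    return findings


def verdict(findings):
    """Verdict wording for the reply to the reporting employee (threshold is an assumption)."""
    return "suspicious" if len(findings) >= 2 else "likely benign"


if __name__ == "__main__":
    for label, raw in (("suspicious sample", SUSPICIOUS_RAW), ("benign sample", BENIGN_RAW)):
        found = triage(raw)
        print(label, "->", verdict(found))
        for item in found:
            print("  -", item)
```

Running the script reports the first sample as suspicious with every one of the five tells listed, and the second as likely benign with no findings. The findings list is deliberately written in plain language so it can be pasted straight into the reply to the employee, which is the same "here is what should have tipped you off" feedback the simulation landing page gives to someone who clicks.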
At Strive Health, a kidney care provider that has grown from 100 employees in 2020 to 650 today, IT executives have woven cybersecurity training into the company’s culture from the start. As part of the onboarding process, new hires must complete a 20-minute phishing training module before they are given computer access.
“We’ve been doing training from the beginning, so we’ve been able to start from the ground up with a security-conscious workforce,” says Strive Health CISO Gabe Stapleton.
The Denver-based company’s physicians and nurses work remotely, primarily providing telehealth visits to patients. Strive Health’s security training includes mandatory annual video training for every employee and regular phishing tests that Stapleton and his team conduct using email security software.
The IT team targets a different part of the company each month to reinforce good security habits. To stay ahead of attackers, it also tests employees with simulated spear phishing, in which the lure is personalized to the target.
“Annual training only goes so far. People forget after several weeks. We can’t expect a clinician to remember a 20-minute training that happens annually,” he says.
When employees fail these tests, they receive feedback from IT with short remedial training. “We will message them and tell them to keep an eye out. That this is how you could have known it was a test,” Stapleton says.
The company augments training with security tools. It uses multifactor authentication and a data security posture management tool that classifies the provider’s data so that the team can apply appropriate security policies to each category, he says.
IT help desks are prime targets for social engineering attacks, so Maryland-based Luminis Health provides additional training for its help desk staff, CIO Ron Nolte says.
Help desk employees naturally want to assist fellow staff members, he says. However, hackers can impersonate surgeons and reach out with urgent requests, such as needing their passwords reset because they have a patient in the operating room.
Hackers posing as Luminis physicians may use email, phone calls or video calls with the camera blurred so they cannot be recognized. To counter these scenarios, Nolte implemented strict identity verification procedures for password resets.
Luminis Health increasingly sees attacks across various communication tools, such as text messaging. The IT team trains staff to verify any suspicious texts by using known forms of communication. If a text claims to be a colleague with a new phone number, employees are trained to call the person’s original number or verify it through email or Microsoft Teams, he adds.
Luminis Health relies on a secure email gateway to block malicious email and multifactor authentication to protect identities. The organization also requires cybersecurity training for new employees and annual training for all staff. IT also performs monthly phishing simulation tests.
If staff click on them, they immediately see a splash page explaining their mistake. “We believe strongly in just-in-time, microtransactional training,” Nolte says.
If an employee fails a phishing test three times, IT notifies both the employee and their supervisor. After five failures, they must complete mandatory video training with exercises.
The goal is to train staff to be extremely skeptical. While the UC San Diego Health study might indicate that training doesn’t work, Nolte argues that it’s worthwhile.
“Training is absolutely critical,” he says. “It’s about managing risk. It’s not about absolutes. You’re training your users as your last line of defense.”