A CISO's Strategy for Fighting Phishing Attacks
Jackson Health System's Connie Barrera Describes Her Approach
Hacker attacks often start with spear-phishing attempts used to obtain credentials or deliver malware. But healthcare entities can take steps to help prevent these scams from being successful, says Connie Barrera, CISO of Jackson Health System in Miami.
The delivery system, which includes several hospitals, clinics, mental health and long-term care facilities, combines technology and training in its anti-phishing efforts, Barrera says in an interview with Information Security Media Group.
On a periodic basis, Jackson Health sends fake phishing emails, using a product from PhishMe, to test whether employees will open them or click on the URL contained within the message, she says.
"Without anyone's knowledge we'll send a [test] email that [conceivably] could be malicious. A URL is embedded in the message and the software will track all actions," she explains. "For instance, the software will track if someone merely opened the email but did nothing else with it. It will also track whether someone clicked the link and went to the website, as well as if the person entered any credentials."
If a user clicks on the fake URL and enters credentials into the website, "it's our choosing of any educational material [to offer that user]," she says. "Sometimes it's an HTML page, sometimes it's an interesting video directly related to the content of the email. Other times it's a short game."
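The tracking Barrera describes (opened only, clicked the link, or entered credentials) is what lets the feedback be targeted per user. The following is an added example, not PhishMe's product or Jackson Health's tooling: it assumes the simulation tool exports one CSV line per tracked action with the columns `timestamp,user,event` and the event names `sent`, `opened`, `clicked`, `submitted`; the sample export, the column names, the event names and the training module names are all constructed for this example.

```python
"""Added example: summarising a simulated-phishing test from its event log.

Hypothetical code, not PhishMe's or Jackson Health's tooling. It assumes the
simulation tool exports one CSV line per tracked action (timestamp, user,
event) where event is one of 'sent', 'opened', 'clicked', 'submitted'.
All column names, event names and module names are assumptions.
"""
import csv
from io import StringIO

# Constructed sample export: four recipients, one test message each.
SAMPLE_EXPORT = """\
timestamp,user,event
2015-06-01T09:00:00,alice,sent
2015-06-01T09:00:00,bob,sent
2015-06-01T09:00:00,carol,sent
2015-06-01T09:00:00,dave,sent
2015-06-01T09:05:12,alice,opened
2015-06-01T09:07:40,bob,opened
2015-06-01T09:08:01,bob,clicked
2015-06-01T09:12:33,carol,opened
2015-06-01T09:12:50,carol,clicked
2015-06-01T09:13:20,carol,submitted
"""

# Stages in order: reaching a later stage implies the earlier ones.
STAGES = ("sent", "opened", "clicked", "submitted")

# Feedback chosen per outcome (hypothetical module names); merely opening
# the message gets no follow-up, clicking or submitting credentials does.
FEEDBACK = {
    "sent": None,
    "opened": None,
    "clicked": "short-video-why-this-link-was-suspicious",
    "submitted": "interactive-credential-safety-module",
}


def parse_events(text):
    """Return {user: furthest stage reached}, ignoring unknown event names."""
    furthest = {}
    for row in csv.DictReader(StringIO(text)):
        event = row["event"]
        if event not in STAGES:
            continue  # tolerate rows the tool adds that we do not model
        user = row["user"]
        current = furthest.get(user)
        if current is None or STAGES.index(event) > STAGES.index(current):
            furthest[user] = event
    return furthest


def campaign_rates(furthest):
    """Fraction of recipients who reached each stage (cumulative)."""
    total = len(furthest)
    rates = {}
    for i, stage in enumerate(STAGES):
        reached = sum(1 for s in furthest.values() if STAGES.index(s) >= i)
        rates[stage] = reached / total if total else 0.0
    return rates


def training_assignments(furthest):
    """Map each user who clicked or submitted to the feedback module to offer."""
    return {user: FEEDBACK[stage] for user, stage in furthest.items() if FEEDBACK[stage]}


if __name__ == "__main__":
    outcome = parse_events(SAMPLE_EXPORT)
    for stage, rate in campaign_rates(outcome).items():
        print(f"{stage:>9}: {rate:.0%}")
    for user, module in training_assignments(outcome).items():
        print(f"assign {module} to {user}")
```

The cumulative rates are the numbers worth tracking across successive tests: the click and credential-submission rates falling over time is the evidence that the immediate feedback is working, while an open rate alone says little, since opening a message is normal behaviour.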
Immediate Feedback Essential
Barrera says testing whether users fall for the fake phishing scams is effective because the results and response are immediate. This approach, she argues, is far more effective than someone taking a class a long time after a phishing incident is discovered.
Staff members sitting in a training session listening to descriptions of phishing attempts typically say they'd never fall for those tricks, the CISO says. But things change when the users are actually faced with the real phishing email.
"It's a completely different world when they're sitting at their desk and it's only them, their keyboard and their screen and they see a message [that says] 'we love our employees, we're giving you free coffee, let us know what kind of brew do you like?'"
That's why combining the software phishing testing tool with security awareness training is an effective approach, she says.
Also, the training solution that Jackson Health uses includes material designed for the average employee, as well as "micro-modules" for executives, "who are pressed for time on a day-to-day basis," she says.
Jackson Health couples that with one-on-one "walk-through" training sessions and other initiatives, such as email blasts and posters about security and privacy, she says. "It's really critical to have a strategy for your communication. While no or poor communication is definitely a detriment to the organization, if the communication is overwhelming or too much, it just becomes noise."
In the interview, Barrera also discusses:
- Why the healthcare sector has become a hot target for hackers;
- Critical technology tools to help defend against cyber-attacks;
- Other steps Jackson Health is taking to guard against hacking attacks.
Barrera is director of information assurance and CISO at Jackson Health System. Previously, she held IT security and compliance leadership positions at the University of Miami and was lead IT auditor at Baptist Health South Florida.