How a National Healthcare Provider Mitigates Spearphishing With SecurityIQ’s PhishNotify

Executive Summary:

Protected health information (PHI) brings a hefty price on the black market, making many healthcare organizations a prime hacker target. This particular company previously included security training as part of their new hire onboarding process, but wanted to go one step further to ensure stored PHI was protected year-round. With every unauthorized PHI disclosure considered a HIPAA violation, the company saw awareness training as an important risk reduction tool.  

After looking at several security awareness training platforms, the IT team selected SecurityIQ for its role-based healthcare awareness training and attractive pricing structure. After implementing SecurityIQ PhishNotify email reporting, the company:

  • increased security awareness,
  • reduced phishing susceptibility rates by 30 percent, and
  • improved incident response.

In the following  Q&A, a company representative discusses how they used SecurityIQ to boost employee security awareness and stay HIPAA compliant.

Why Did You Pick SecurityIQ as Your Awareness Training Solution?

Client: Before SecurityIQ, we’d administer security training during the onboarding process. We would cover many topics, including password hygiene and phishing, in a short period of time. SecurityIQ provided us the ability to reinforce training year-round on topics we determine fit for the organization and current events. This ensures security is fresh in everyone’s mind.

We looked at a few other platforms, but picked SecurityIQ because of its pricing structure. Access to all training content was included in every account tier. This was a big factor in our decision-making process.

Tell Me About Your First Phishing Campaign. How Did Employees Perform?

Client: We ran a phishing simulation before launching our first awareness campaign to evaluate our employees’ security awareness.

We kicked off the program in December using an online shopping template, so the timing was perfect. It looked so real, some of our employees even called their spouses asking them if they had ordered anything online. They were really caught off guard.

Has SecurityIQ Helped Increase Employee Security Awareness?

Client: Yes, I’ve received resounding positive feedback from both our clinicians and corporate staff about the SecurityIQ training modules. They’ve told me the training has helped them professionally and personally.

Our employees continue to improve at spotting suspicious emails and using the PhishNotify reporting tool. Click rates on phishing emails have dropped 30 percent since our first baseline campaign.

The SecurityIQ Catch of the Week phishing templates also help our users stay current on new email-based threats. New templates are added every week and focus on topics our employees might see in the news. We recently used the Facebook Cambridge Analytica Data Breach template to show employees how news headlines can be used to trick them into clicking emails.

Have You Found the PhishNotify Suspicious Email Reporting Tool Helpful?

Client: The PhishNotify plugin is a great tool for reporting and incident response. We receive  about five reported phishing emails from our employees each day.

We were hit with a very targeted spearphishing attack this past April. Many of our users reported the email using PhishNotify, helping us address the situation quickly.

The attack email appeared to come from an executive, asking employees to log in to a malicious website designed to capture their credentials.

The email was signed “Sent from my iPad.” This generic signature made it difficult for users to identify if the sender was legitimate.

Do You Personalize Awareness Training for Employees?

Client: We have three dynamic training groups — one for corporate staff, one for physicians and one for new hires.

Each group gets training targeted to their roles. The new hire group receives interim training in the event the next full-length training campaign isn’t scheduled to run for a few weeks after they start. At minimum, we want to make sure everyone gets the “What is Phishing?” training right away.

We use the HIPAA and PHI modules to train our clinicians. They are the ones who usually input PHI data, so it’s important they understand the regulations. They’ve found the training really helpful.

Any Security Awareness Training Tips to Share?

Client: Make sure you have a solid communications plan in place before launching your program. This includes everything from how you announce the program to technical details like making sure your training notification emails are coming from the correct email address. I’ve found it helps to keep training notifications short — they should be very direct and to the point.

It’s also important your employees know what to expect from your training program. If you send 1,000s of training notifications to your team and execution is not perfect, your help desk will be overwhelmed with emails and calls.

I also recommend customizing phishing simulations in the platform to mimic what your employees typically see at your own organization. For example, I used a Turbo Tax phishing template during tax season. I later learned many staff in our company do not use Turbo Tax. It was good they didn’t click it, but it wasn’t a true test of their awareness because it wasn’t relevant to half of the employees who received it.

Would You Recommend SecurityIQ to Other Healthcare Organizations?

Client: I would recommend SecurityIQ to others in the healthcare space. I’ve already told a colleague about it, and he’s now using the program for phishing simulations at his organization.

IT Security Analyst

Managed Healthcare Service Provider

Challenges

Industry

Client Size

Location