June 11, 2021: Healthcare executives have to worry about so many aspects of running a business: caring for patients and caring for the community, not to mention cybersecurity. Phishing is one of the number one ways health systems get exposed. Today Geisinger shares the program that succeeded in lowering the click rate on phishing emails. Joining us are David Stellfox, Cybersecurity Communication Specialist, and Joshua Murray, Cyber Threat Response Team Lead. What kinds of tools are utilized in the program? Can the tools be ratcheted up to simulate the growing sophistication of these attacks? How do you get the backing of senior leaders? Can we ever get to 0%? Is that an attainable goal? And what is Geisinger’s guidance for other health systems looking to kick off a similar program?
Geisinger Shares Pragmatic Solutions to Reduce Phishing with David Stellfox and Joshua Murray
Episode 413: Transcript – June 11, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:17] We have two excellent guests with us today. We have Cybersecurity Communication Specialist for Geisinger David Stellfox, and we have Cyber Threat Response Team Lead at Geisinger Joshua Murray.
[00:00:30] Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected].
[00:00:45] I want to take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally, Bill J Russell, on LinkedIn. I engage almost every day in a conversation with the community around some health IT topic. You can also follow the show at This Week in Health IT on LinkedIn. You can follow us on Twitter, Bill Russell HIT. You can follow the show, This Week in HIT, on Twitter as well.
[00:01:13] We’ve got a lot of different things going on, and each one of those channels has different content that’s coming out through it. We don’t do the same thing across all of our channels. We don’t blanket post. We don’t just schedule a whole bunch of stuff and it goes out there. We’re actually pretty active in trying to really take a conversation in a direction that’s appropriate for those specific channels. So we spend a lot of time on this. We really want to engage with you guys through this. We are trying to build a broader community, so invite your friends in to follow us as well. We want to make this a dynamic conversation between us so that we can move and advance healthcare forward.
[00:01:52] And now onto today’s show. Today, we’re going to talk about phishing, and we’re specifically going to focus in on phishing around cybersecurity. And we have two excellent guests with us today. We have Cybersecurity Communication Specialist for Geisinger David Stellfox, and we have Cyber Threat Response Team Lead at Geisinger Joshua Murray. Good afternoon, gentlemen, welcome to the show.
[00:02:14] Joshua Murray: Good afternoon. Thank you.
[00:02:15] Bill Russell: I’m looking forward to this conversation. Phishing is still one of the number one ways that health systems get exposed, and one of the number one ways for nefarious actors, I like using that term nefarious, to attack health systems, and Geisinger has had some success in lowering the click rate on phishing emails.
[00:02:33] And I really want to go into that a little bit with you guys. Before we do that, David, do you want to try to frame the problem of phishing for health systems today?
[00:02:45] David Stellfox: Sure. I mean, I think most people are aware that it’s a problem for all of us. I mean, last September, I think it was, there was a report out of Germany that we had the first death of a patient that was caused by a cyber attack. I think it was subsequently determined that it wasn’t necessarily the case, that the woman was in very poor health and probably would have died anyway, despite the fact that she had to be diverted to another hospital.
[00:03:10] But, I mean, that’s sort of the extreme end of the stick there, what we’re facing. I mean, right now, also out at Scripps Health in California, they’re suffering from a ransomware attack. They lost their EHR. They had to divert some critical care patients. So, I mean, this is the kind of thing that we’re facing.
[00:03:27] Joshua Murray: Yeah. I would just add, it’s also more of a multi-pronged attack too, right? I mean, phishing leads to data breaches, but just as David talked about, it also leads to malware and stuff like that. So it’s phishing, it leads to one thing, it kind of opens the door for all the attackers to kind of do what they want, or all of the above.
[00:03:45] We’ve seen ransomware attacks that were caused by phishing where not only did they put ransomware on the device, but then they also exfiltrated data and held that for ransom, and/or so that the other actors also.
[00:03:56] Bill Russell: At this point, I was going to ask you, what does it take to get the mind share among executives? But if they’re familiar with what’s going on at Scripps, University of Vermont last year, upstate New York, there was one in Oregon where the systems lost, I mean the EHR was down. It was multiple days, if not weeks, of outages and whatnot. This really has mind share today, right? Or is it still an uphill battle to get mind share within the health system?
[00:04:25] David Stellfox: Yeah, I think it is still a bit of a battle, only because the executives have so many other issues on their plate, other things to worry about. They’re constantly being pulled one way or another and putting out fires here and there.
[00:04:38] So, yeah, I think some of these stories do help in terms of awareness at the executive level, but I still think it’s something that you need to push with them from time to time to keep them aware, to maintain their awareness.
[00:04:53] Bill Russell: How do you get the mind share? I mean, clearly a healthcare executive has to worry about so many aspects of running the business, caring for the patients, community growth, those kinds of things. But this is obviously one of many. How do you go about getting the mind share of the executives?
[00:05:12] David Stellfox: There are several ways. I mean, I think, for example, our CSO, Steve Dunkle, and our Chief Assurance Officer, Kevin Karestas, are a conduit to the board, to the executive senior leaders.
[00:05:24] And so we kind of use them to get things up to the board level, but also I think really we kind of take a bottom-up approach. So we started our program, I mean, we had a program before, but I can talk about since I’ve been here in 2019. We started and we recreated our SharePoint page.
[00:05:44] We built that up. We got a lot of visibility there, and it’s about building up the program from the bottom. And then eventually it gets up to the folks at the top. Another thing that we do, for example, is we publish a two-page bulletin. It’s a one-sheet piece of paper, double-sided, specifically for executives, and we do that quarterly, and we made a conscious decision to kind of go old-school with that.
[00:06:09] We don’t deliver it by email. We deliver it in paper copy, in interoffice mail addressed to them. And that was kind of intentional because it’s so easy to ignore emails and delete emails.
[00:06:21] Bill Russell: So that’s, I mean, that’s along the lines of when I get a handwritten note from somebody, I actually take notice versus literally the 250.
[00:06:28] So there is a conscious plan around getting in front of people. How did they respond to it when you say, Hey, look, phishing’s a big conduit to a lot of other attacks? I guess, our health system, how do they respond? I mean, cause one of the age-old problems we had when I was CIO was ease of use versus security.
[00:06:48] And you’d get a lot of pushback of, Hey, it takes me too long to log in, there’s too many steps, there’s too many of that kind of stuff. I mean, how do you balance it?
[00:06:58] David Stellfox: Yeah. I mean, that’s definitely still a problem. It probably will always be the balance between convenience and security.
[00:07:04] I think though, that people have moved along on that, moved down the road on that, in the ways that people are reckoning. I think it was imbalanced towards convenience in the past, and I think it’s coming much more into balance. It’s not overbalanced, I don’t think, to security, but it’s becoming much more in balance as people recognize.
[00:07:26] Joshua Murray: Yeah. And one of the things Geisinger has been trying to do, especially in the past two years, unfortunately it coincided with COVID and the other priorities, but we’ve been holding a lot of tabletop exercises where we invite both the executives and the managers of the clinical departments.
[00:07:40] And we walk through, you know, we just did one a couple of weeks ago with FEMA where we walked through a phishing exercise that led into a ransomware and that type of thing. And what that did was it allowed the executives and everyone to see it from kind of the start to finish, not just, Hey, my computer’s down, what’s going on.
[00:07:54] So with that, we get a little bit more awareness by showing them the whole process and, you know, what happens here and why one click on an email could, you know, bring down the whole thing and start diversion of patients and all that type of items.
[00:08:06] Bill Russell: Yeah. So Josh, you have a cool title, Cyber Threat Response Team Lead. What is the cyber threat response team?
[00:08:14] Joshua Murray: Our team here at Geisinger, we’re basically kind of a threat team, which means we monitor the news and all of the sources for any type of threats and act on those threats, specifically to help others. But then our team is also tasked with the response if those threats are realized, or responding to, you know, those threat insights. So we gather the intelligence, we review it, determine what’s applicable to us or what we need to do from that. But also on the flip end, if something goes bump in the night or something actually is realized, our team is also the one to respond.
[00:08:42] So that’s really neat because we kind of see the intel through the whole life cycle, from when we get it to when we respond. So there’s, a lot of other places have got a disconnect between that front team and the response team. And I think some communication gaps always exist between the two, but with our team, we’re able to fully consume the information, plus if we need to, we can also act on that.
[00:09:04] Bill Russell: So is that team separated from the operations team, the team that’s implementing monitoring and all that other stuff? And then the threat response team is literally focused in on threats to the health system?
[00:09:16] Joshua Murray: Correct. Yeah. So our team does do just the threats and then the response. So we do have an operations group that helps us, or helps Geisinger, actually install and do the configuration behind the scenes. And then the analysts on my team, we actually have eyes on the glass looking at the intelligence, and they’re responding to any alerts.
[00:09:36] Bill Russell: So talk to me, by the way, I love that distinction between operations and threat response. So you guys were able to reduce the occurrences of successful phishing amongst your staff by upwards of 50%. How were you able to do that? Is it a repeatable program that you think other health systems at this point could implement?
[00:09:59] David Stellfox: Yeah, that’s a good question. And also how long it will last and can we continue it? Those are questions that have to be answered, but as far as what we did already, I think we’ve built up a program that became very, very visible to the employees, with the help of corporate communications, of course, and others in the organization.
[00:10:20] And then we went out and gave presentations to departments within the organization, I mean in person before COVID and then after COVID, virtual. But they were kind of like, they weren’t, we called them training, but they were really conversations, discussions. And I was really impressed with how engaged the employees became during those discussions.
[00:10:42] They weren’t just sitting there passively listening. They were asking questions and making comments, and I think that was a huge, huge help to how we managed to lower our phishing click rate.
[00:10:54] Joshua Murray: Yeah. I think just to add to that, I think, as David mentioned, we kind of partnered with them. We didn’t, you know, walk in with our badges and try to be the policemen.
[00:11:02] Right. You know, we sat down with them and were like, yeah, let’s just have a conversation about it. We’re on your side. You know, if you click a phishing email, here’s what you do. You’re not going to get fired, we’re not going to come down and do anything like that. It was just more of that, that can explain where we partner with the employees and just made sure that we’re here to help, we all have one goal in mind, and this is how we’re going to accomplish that.
[00:11:24] Bill Russell: This pipeline thing is really interesting as it’s going on right now, because much like the pandemic was for hand-washing and social distancing and wearing masks and those kinds of things, just people recognizing good hygiene and how it helps people to stay healthy, I think some of these things like waiting in gas lines and that kind of thing is sort of a reminder that, Hey, this is getting serious and this could really impact things.
[00:11:49] And so it really is making it top of mind for the entire staff. It’s probably a more receptive audience today than even it was when you started kicking off this program, I would think.
[00:12:00] David Stellfox: I think I would agree with that. Yeah. In the last two years, with all the incidents that there have been, I think people in general are more aware of the potential for these kinds of attacks and the potential implications of these kinds of attacks.
[00:12:14] So, yeah, I would agree with that.
[00:12:15] Bill Russell: So talk about how are the, I guess, Joshua, this is for you, how are the threats becoming more sophisticated? I mean, it’s interesting, no matter how sophisticated the threats are becoming, it seems to me like the way in is still easiest through an email where somebody is going to give you their credentials.
[00:12:35] Joshua Murray: Right. So, as you can imagine, just the evolution over a couple of years. The first phishing emails were very generic. Okay, you want a gift card, click here and sign in. Nowadays, we’re seeing a lot more targeted texts. They’re using Geisinger’s logo, they’re using current events in the media.
[00:12:52] During COVID we saw an explosion, not necessarily towards Geisinger, but just in the email industry and all the other hospitals, of all of the COVID-related texts. Like, Hey, here’s a shot appointment, you know, please sign up, and stuff like that. So I think they’re really trying to kind of pinpoint Geisinger or whoever they’re trying to target using those types of things, and again, current events are the most common ways to do that, right.
[00:13:17] Again, COVID, anything else that’s going on, they can put the urgency behind it. You know, they can say urgent, we need this tomorrow. And that’s when they try to trick the users to give that up. So a lot of times with the more advanced stuff like that, we’re seeing a little bit more customization, and the attackers taking a little bit more time to understand what their target is and what the best way to approach it is.
[00:13:37] Bill Russell: [00:13:37] Is there a set of tools you’re using around this, a set of technology tools?
[00:13:42] Joshua Murray: Oh yeah. Yeah. So what we do is we use some Microsoft products and some other products to kind of help us do that. One thing I really like about our team and Geisinger is we still have a pretty good eyes-on-glass thing.
[00:13:56] When they send in an email, we do have some processes that do that, but ultimately we look at those, and that allows us to have a chance to give immediate feedback to the users. Right. We have other industries like, Hey, I sent in a phishing email and then that’s the last thing I heard.
[00:14:09] You know, with us, we try to respond to emails as quickly as possible. We’ll let them know, yes, this is a phishing email, and these were the signs, and good job. Right. And on the flip side, we also let them know this was not phishing and is legitimate, you can click the link, you can visit, you can open the attachment, like that.
[00:14:26] So I think that’s another thing in the overall phishing program is just the immediate feedback. Because people kind of, it’s there in front of them and they remember it right away, versus, Oh yeah, here’s this email I sent two weeks ago and they said it was good. It was kind of like, I know. And we can provide immediate education: this is phishing and this isn’t.
[00:14:43] David Stellfox: I totally agree with that. I second that. I mean, Josh’s team is very fast in responding when employees send in suspicious emails. And they’re always, I mean, the whole team has kind of a customer-focused approach, and we get back to people as soon as possible, as fully as possible, as clearly as possible.
[00:15:03] And even, for example, with the people who click on the friendly phishing campaigns, I personally respond to every single one of them within two weeks of them clicking. I mean, when they click, they get a video that pops up and explains what’s happened and everything, but I follow up with each one of them after that.
[00:15:21] So I think that helps a lot too.
[00:15:24] Bill Russell: Are there other ways, is there like other ways to reinforce the behavior? Is there a gamification aspect of it? Obviously you’re doing friendly phishing campaigns, so there’s ways to reinforce it that way. You’re not just waiting for an attack to happen to reinforce it. What are some of the ways you are reinforcing the behavior of the staff?
[00:15:44] David Stellfox: Well, we don’t do a lot of gamification. We have done some, and we were doing more before COVID. Then when COVID struck, it kind of upset everything, cause everyone started working from home and people weren’t in the office and things like that.
[00:15:58] So I’m personally not a huge, huge fan of gamification. I think that the people who tend to volunteer for that sort of thing are the people that don’t need the education. So yeah. I don’t know, Josh.
[00:16:10] Joshua Murray: Yeah. I would just add on that, especially in the healthcare world, I mean, all the nurses, they don’t normally sit at the computer, read their emails, stuff like that.
[00:16:17] So a lot of the stuff we do is kind of on demand, or we draw them into the SharePoint site. David does a fantastic job of publishing articles that are relevant to both Geisinger and the industry as a whole. And we relate that to the employee’s personal life. So anytime there’s any type of scam or breach, we kind of break it down like, this is how it affects Geisinger, but then we also add that personal element, like, you know, maybe you should go home and talk with family members about this.
[00:16:42] And there is no gift card scam that’s going to be a thousand-dollar gift card, or, and it just, it brings it down to that personalization. I think a lot of our employees, again, on the clinical side, they don’t necessarily, you know, log in every day or do everything like that. So we take every opportunity. We kind of use the push method of putting it out there and then giving them the access to jump back into the SharePoint page and read about stuff.
[00:17:05] Bill Russell: I guess if I’m a board member at Geisinger, I’m looking at you guys going, Hey, this is great. This is great, good progress. I appreciate what you’re doing, this is fantastic.
[00:17:14] What’s it going to take to get to zero? Because that’s essentially the goal, right? We don’t want anyone to give away their credentials, cause that opens up the system. And one of the, I think the eye-opening things for staff is to recognize, they’re like, yeah, but I don’t have administrative access to anything.
[00:17:31] I don’t have whatever. It really is, once they get into a system and they’re able to get into a remote system, a Citrix or whatever, they’re able to break out of that and they’re able to access other systems. I think that was one of the things that was challenging to get into people’s heads. It’s like, you don’t have to be an administrator of the system to help bad actors gain access to our system. If you give away your credentials, that’s an opening for them. So I’m a board member, I’m looking at you guys. Hey, fantastic progress. How do we get to 0%? Is that even an attainable goal?
[00:18:06] David Stellfox: I’m not sure myself that that’s an attainable goal. That’s like perfection. But certainly one of the ways is that information that you were just talking about, like the employee doesn’t understand, perhaps, that if a hacker gets their credentials, they can get into the system and move around.
[00:18:23] That’s the kind of information that we talked about during our in-person presentations with Steve Dunkle, our CISO. And that generated lots of conversations with the employees. So, I mean, that’s the kind of information that’s really best delivered verbally, in person. And we did some of that, and I think that was really helpful.
[00:18:41] Joshua Murray: Yeah. I’d just add on trying to get down to zero. I don’t think it’s attainable, but I think we just need to keep this constantly going, just to keep it compressed as much and as long as we can. And I do think there are some opportunities within Geisinger, you know, we can make it a little bit better.
[00:18:57] One of the things I’d like to look for our team to do is kind of keep up with some more of the relevant stuff. Once we see the start of a scam or some type of attack that we do successfully stop, maybe the next following month after that we run a campaign that closely monitors that, and that’s twofold.
[00:19:15] It’s kind of both to keep the education up for the end users of kind of what’s going on or what the new tactics are this week. Of course there’s new tactics every time, so it’s not going to be just, remember that and you seem to be good. It’s, no, we try to take a step back and let the employees kind of look at the big picture, right?
[00:19:33] Like, yeah, this is a bad link, you shouldn’t click on it, but before you even think about clicking on that link, you just take a general overview of the email. Do you know who the sender is? Is there anything weird in the subject line, or misspellings? Back to those common type of stops, and just kind of get them at that.
[00:19:48] So I don’t think zero is attainable, but I think by us continuing this process and refining it, and just continuing to educate where we can, like David said, in person, through remote learning, or anything like that, I think it’s going to help us compress that even a little bit more.
[00:20:04] Bill Russell: Yeah, I love this concept. I keep going back to, I love this concept of threat hunters. What kind of background do threat hunters have, and I guess the question is background, skills, and how do you stay ahead of it? I have a handful of websites for This Week in Health IT and I get to see the stats of how many times I am potentially getting hacked every day. It’s silly. I mean, there’s nothing to get behind my website, but the number of potential attacks on the website is significant. How do you stay ahead of it? And what kind of skills and background makes up a threat hunter team?
[00:20:39] Joshua Murray: So really for threat hunting, it really comes down to, I’d say, curiosity really. You want a person that has the gut that’s like, Hmm, this looks, let’s investigate this a little bit more. But to your point, the information out there is overwhelming. Of course we focus mostly on healthcare and those types of threats, as that’s the industry we’re in, but we do find different veins and different ways of getting into other things like that. So curiosity, just the different backgrounds of our employees, our teammates here. Some are really good at networking.
[00:21:11] Some are really good at endpoint. And again, just being able to collaborate as a team on that type of stuff. It’s amazing the doors that opens and the information that we get through that.
[00:21:20] Bill Russell: All right. So what’s the guidance to other health systems? They’re looking at this, they’re listening to this, they’re saying, look, we’re just getting our program off the ground, or we’ve got our program off the ground, but we’re sitting at 10, 20%.
[00:21:32] You know, what’s the guidance you would give them for really moving this forward? I’d love to hear from both of you on that.
[00:21:37] Joshua Murray: All right. I’ll start. I’ll probably take most of David’s thunder, but I would say the biggest thing is, of course, get executive support. We kind of talked about how we did that within Geisinger, of just kind of going up the ladder and that type of thing.
[00:21:53] But the other thing I really think is the biggest two portions of a program is our friendliness approach, I’ll call it. We’re not known as the enforcers, or, Oh, you get sent to the ISO’s office, similar to the principal’s office, right. It’s, Nope, we’re here to help you.
[00:22:08] We’re all here to maintain the safety and security of Geisinger’s data systems and that type of thing. And the other thing I really like, and I think really shows every time, is the immediate feedback we give, whether it be through the phishing campaign itself with a short video, I mean short, I mean, it’s like, David, I think it’s what, 30 seconds or so.
[00:22:29] It’s very short, just gives you what you need. It’s not that long. But also when you send in your suspected real phishing emails, again, my team will respond and we’ll say yes or no. And then we’ll provide a little bit more context of, no, I mean, yes, this is phishing, there’s links, misspellings, and that type of thing.
[00:22:47] And I think all those three things kind of work hand in hand, and that really gives the employees that program, that feeling like we’re partnering with them and not against them.
[00:22:56] David Stellfox: Yeah, I think that’s very well said. And I mean, I will add that, the only thing I guess I might add is that in addition to the whole non-punitive approach, friendly approach that we take to it, we also do a fair amount of work in terms of putting out information to help people in their home lives and in their personal lives with online safety.
[00:23:19] So whether it’s online safety tips for shopping, whether it’s scams that have nothing to do with Geisinger whatsoever, but scams that are circulating that we happen to know about, we put that information out. So we come across as trying to help people, not just trying to make them adhere to our policies and procedures and whatnot.
[00:23:40] And I think we are really trying. It’s not that we come across that way and we really aren’t doing that, but I think that really wins us a lot of goodwill from the employees.
[00:23:50] Bill Russell: Fantastic, gentlemen. Great, great progress. And thanks for coming on the show and sharing it. I really appreciate your time.
[00:23:57] Thank you, Bill. Thank you for having us.
[00:23:59] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference-level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisors, Aruba and McAfee. Thanks for listening. That’s all for now.