The healthcare sector has remained a primary target for phishing attacks in recent years, with highly targeted viruses like SamSam and Ryuk wreaking havoc on the industry. In fact, one in every hundred emails sent globally has malicious intent, according to FireEye researchers.
Vanderbilt University Medical Center has not been spared from this onslaught. And in response, it’s currently in the middle of a major push to add multi-factor authentication to every tech platform in the organization.
Mandatory multi-factor authentication
Executive Director of Enterprise Cybersecurity Andrew Hutchinson told HealthITSecurity.com that while VUMC already had multi-factor authentication on various platforms — like eprescribing, other apps and business compliance, among others — a recent security event pushed the organization to take it further.
Hackers were phishing certain user accounts in an attempt to gain credentials and passwords. Hutchinson said VUMC users use those same credentials to log into the HR site, where they can see their bank account information, direct deposit status, and the like.
But hackers could view it too.
“They could change direct deposit information,” said Hutchinson. “We caught on quickly because we had an incident, where someone asked why they didn’t get paid that week. We figured out that the phishing scammer would determine when someone would get paid and phish users before payday.”
“They’d then log in quickly to change the direct deposit information to be directed to them,” he added. “We took action right away and added security to the portal — but we realized we had to do more.”
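One way to turn the payday-timing insight described above into a detection check, as an added example that is not VUMC's own tooling (the audit-log format, field names and the bi-weekly payday schedule are assumptions made for this illustration):

```python
"""Flag risky direct-deposit changes in HR-portal audit logs (illustrative).

The phishing pattern described above was timed just before payday, with the
stolen credentials used to reroute direct deposit. Each direct-deposit change
is scored on closeness to the next payday, whether the session was
MFA-verified, and whether the device was recognised. All fields are assumed.
"""
from datetime import date, datetime

# Constructed sample log lines: ISO timestamp | user | event | mfa | device
SAMPLE_LOG = """\
2019-10-28T09:12:00|jdoe|login|yes|known
2019-10-29T22:41:00|asmith|login|no|new
2019-10-29T22:43:10|asmith|direct_deposit_change|no|new
2019-10-24T11:05:00|bwong|direct_deposit_change|yes|known
2019-10-30T08:00:00|jdoe|view_w2|yes|known
"""

FIRST_PAYDAY = date(2019, 11, 1)   # assumption: bi-weekly Friday paydays
PAY_PERIOD_DAYS = 14
RISK_WINDOW_DAYS = 3               # changes this close to payday get scrutiny


def days_to_next_payday(when: date) -> int:
    """Days from `when` until the next scheduled payday (0 on payday)."""
    elapsed = (when - FIRST_PAYDAY).days % PAY_PERIOD_DAYS
    return (PAY_PERIOD_DAYS - elapsed) % PAY_PERIOD_DAYS


def parse_log(text: str) -> list[dict]:
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, mfa, device = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "mfa": mfa == "yes", "device": device})
    return events


def flag_deposit_changes(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (user, reasons) for every direct-deposit change that looks risky."""
    findings = []
    for ev in events:
        if ev["event"] != "direct_deposit_change":
            continue
        reasons = []
        if days_to_next_payday(ev["ts"].date()) <= RISK_WINDOW_DAYS:
            reasons.append("within pre-payday window")
        if not ev["mfa"]:
            reasons.append("session not MFA-verified")
        if ev["device"] == "new":
            reasons.append("unrecognised device")
        if reasons:
            findings.append((ev["user"], reasons))
    return findings
```

Running `flag_deposit_changes(parse_log(SAMPLE_LOG))` flags only the `asmith` change; the MFA-verified change from a known device eight days before payday passes. Once the portal enforces MFA, the "not MFA-verified" reason should never fire, which makes it a useful control-effectiveness check.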
The organization is currently in a pilot stage of adding multi-factor authentication to all platforms. Users are enrolling to make sure the enrollment portal is working properly. Hutchinson said they’re hoping the requirement to use it for the HR portal will drive enrollment to a critical mass.
“Once we have 100-percent involvement, we can add that onto everything because every user understands multi-factor authentication, and it will add that layer of security and identify who our users are and what they’re accessing,” said Hutchinson.
And at the moment, the pilot has been successful and the enrollment process is working as it should.
“But it will become a requirement to access certain components where there is personal identifiable information and other sensitive data by November 19,” he said. “We’ll flip the switch and make it a hard requirement at that time.”
The key to success and complete user buy-in is ensuring that all employees are either comfortable with the system or given options that fit their comfort level. To Hutchinson, that meant giving users plenty of options for multi-factor authentication.
Advanced users can download the authenticator app to their smartphone and use that as their token. Hutchinson explained that users who don’t want to download the app to their phone can select a text message option during the enrollment process.
“Those users can log in and will be texted a code to that registered user,” he said. “For folks who don’t have a phone, they can opt for an actual hard token, a key fob.”
And those who don’t want anything to do with technology can actually go to an HR express location, walk up to the HR center and get the paperwork for W2s, direct deposit and the like when they present an ID, Hutchinson explained.
“We wanted to make sure there was something usable for everybody – but that we were also adding a layer of security,” he said. “We offer everything from downloading the app to use it, to, if you don’t like technology, you can go up to HR and do it manually — and everything in between.”
“There’s no reason why everyone can’t use this technology or use a process that allows us to really, really tighten up security,” he added. “And make sure we’re thoroughly authenticating users and their identity.”
So far, employees have bought into the technology and processes. Hutchinson attributed that to the simple and straightforward enrollment. And his team made sure employees understood why it was needed.
“We made sure when we did this to first explain the why. Not just that this is a requirement, so do it — but you need to explain to people why they’re doing it, why it matters personally and do this to protect everybody,” he said.
“When you present it this way, and present it as simple ‘do the right thing’ — there isn’t a lot of pushback or gnashing of teeth,” he added.
Education and user training
Training for the additional user authentication was standard for VUMC, as Hutchinson said the organization already had a thorough security education program in place. His staff routinely shares articles through internal publications, phishing awareness is part of annual training, and VUMC also does direct outreach.
“I will go to members of different staff groups and educate them on phishing, what it looks like, tricks and methods used by hackers,” said Hutchinson.
Hutchinson and his team also perform phishing simulations in which they send phishing emails that look like legitimate messages and record how users behave.
“If they do click, they’ll have an education experience to go through,” he noted. “What’s important is the people side of the equation. Talk to them, show them examples of what’s caught and what’s successful.”
“Really get out there and communicate to users that they are the target, they are going to see things. And show them what to do, how to easily report it and drill that in,” he added.
VUMC doesn’t rely on education alone. Hutchinson explained that technical measures are also necessary. The organization uses several Microsoft products and advanced protection products to cut down on security incidents.
“We’ve made a lot of progress,” said Hutchinson. “In fact, the number of accounts compromised annually is in the single digits. We react at every level, and there are indicators when there is a compromise. We also have an incident response team.”
“But we don’t know if we’ll ever get the phishing number down to zero because people are people and will make mistakes. But we still want to drive that effort,” he added. “The days of usernames and passwords as a valid security mechanism are gone because phishing is so rampant.”
But Hutchinson said that the work is never truly done. While he has heard that the success in curtailing phishing attacks might mean it’s time to focus elsewhere, there will likely never be 100-percent success.
“There are things you can do with technology, but nothing is going to be 100 percent. There is no technology silver bullet that can block every phishing attack,” Hutchinson said. “We look at what we block on the way, and we know we’re better than 99 percent of organizations – but they still get into the system.”
“We feel like we’ve got the tiger’s tail pinned down, but we can’t let up,” he continued. “We have to keep going to keep it under control. We can’t let up on education and awareness with the workforce.”