Digital Health News recently reported that a security breach prompted the East Anglian Air Ambulance (EAAA) service to issue a warning about the dangers of phishing.
The warning was aimed at both staff and public and centred on the risk of receiving a malicious spoofed email from within the EAAA. “If you receive an email from someone you know within our organisation with the subject line: ‘Update message from …’ please do not open it and delete it immediately,” the statement read.
Good advice in the circumstances, and EAAA – which is a charity – did the right thing in getting that statement out as quickly as possible. But that’s where the positivity, such as it is, ends for me. That the breach was the result of a staff email account being hacked and organisational contacts therefore being sent the phishing e-mail underscores a common problem: a lack of meaningful cybersecurity awareness among health and care employees.
Time to take it seriously
Targeted phishing, be it of the ‘spear’ variety – where typically the employees of a particular organisation, or even department within that organisation, are targeted – or the ‘whaling’ variety, where specific C-suite executives are targeted, is not just a health sector problem. But it’s one that needs to be taken very seriously indeed.
Last year there were reports of an increase in phishing of NHSmail accounts, particularly within GP practices. It was sufficient for NHS Digital to list it as an open ‘critical incident’, which suggests seriousness.
Yet, as I reported earlier this year, 99 percent of NHS email domains have inadequate phishing attack protection. Even if there were Domain-based Message Authentication, Reporting and Conformance (DMARC) in place to validate emails and help prevent domain spoofing, that still wouldn’t be taking it seriously enough in my book.
Train on time
So, what would? Simply put, NHS staff have to be an integral part of any serious security posturing and that means effective and ongoing awareness training. Of course, I understand that your average NHS trust, GP practice or other health sector service organisation is in a situation where staff are stretched to breaking point and time is an endangered resource. But until there is a firm understanding that an investment of cash and time is required, I cannot see the security conundrum being cracked.
The CareCERT Assure, Knowledge and React programmes are all doing their bit in theory, but in practice the gaps are emerging. Mandatory staff training must include more than just a nod to cybersecurity awareness, but equally users must be embraced as part of the solution to the problem rather than treated as part of the problem itself.
A checkbox completion attitude doesn’t cut it, nor does a six-monthly memo email advising on the latest risks. What’s needed is hands-on, dynamic, programmes such as Phishing Real from the West Midlands Ambulance Service (WMAS).
Practical exercises
Originally developed by the WMAS internal penetration testing team, Phishing Real has been tweaked to become an easy-to-use phishing attack simulator that could be used by any trust to test staff awareness and educate through practical exposure. So, for example, it can be set up to test if staff will attempt a login to an N3 hosted page with trust branding or a NHS ‘mimic site’ that clones a well known real site in an attempt to capture logins.
Rather than apportioning blame for getting suckered by these attack simulations, the system can be configured as an awareness campaign by responding to link clicking and login attempts with a redirect to a phishing awareness page. Alternatively, it could be used to benchmark the effectiveness of existing in-house awareness training.
Ten months ago, a survey of NHS IT managers discovered a mere 11 percent of doctors and six percent of nurses had received cybersecurity training. That wasn’t good enough then, it isn’t good enough now, and assuming we all want a secure health service in the future it won’t be good enough in the years to come…
20 September 2018 @ 22:50
CareCERT React, knowledge and intelligence are no more. At summer school the presentation they submitted, the NHSD Cyber Security Operations Centre, suggested they send 400+ notifications of actual specific organisation indicators of compromise and block tonmy memory 22m transactions a month across N3.
I went on one of their SSCP courses this year and my colleague CISSP last year.
They’ve recently been on site and performed board level training and we’ve asked for a tech review – where they come in and help you remove your vulnerabilities for free.
On top of this we were told that they were launching (might have already launched) a free phishing simulator which a few orgs have already piloted. So I’m not sure this article is a true reflection of what’s available to health from CareCERT/CSOC?
20 September 2018 @ 18:23
Many thanks for the mention re Phishing Real – very much appreciated 🙂
Something we find helps re awareness is telling staff (via news letters etc) that they’re going to be phished as part of an internal exercise. Whether or not they are phished is largely irrelevant, it appears to keep more people on their toes if they think their employer will be testing them. You can then use tools like PhishingReal as part of a layered approach to test whether the message +awareness training is having an impact.