Kaleida Health has announced that a phishing attack has resulted in an email account being compromised, and along with it, the protected health information of 2,789 of its patients.
Kaleida Health became aware of the incident on May 24, 2017, and engaged a computer forensics firm to determine which patients had been affected and the extent to which its systems had been compromised.
The firm determined the attack was limited to one email account. That account contained patients’ names, medical record numbers, diagnoses, dates of birth, treatment information, and other clinical data. The investigation did not confirm that ePHI had been accessed, although the possibility of a PHI compromise could not be ruled out. Patients have now been notified of the incident by mail in accordance with HIPAA Rules.
The incident highlights the importance of security awareness training. However, unless employees have their skills put to the test in a safe environment, healthcare organizations will not be able to determine whether their training programs have been effective.
One of the best ways to assess the effectiveness of security awareness training and resilience to phishing attacks is with phishing email simulations. Simulations should cover the most serious email risks faced by an organization, including general phishing campaigns, spear phishing attacks, business email compromise attacks, and emails carrying malware or ransomware.
All employees should have their phishing email identification skills put to the test in a safe environment to determine which individuals are the most susceptible to phishing attacks and who needs further training.
Research conducted by PhishMe, a leading anti-phishing training company, has shown that susceptibility to phishing attacks decreases by around 20% after a single failed phishing test. Organizations that run multiple simulations have reduced their susceptibility to phishing attacks by up to 95%.
When an employee fails a phishing test it can be turned into a training opportunity. That individual can be informed of the error and shown why the phishing email should have been flagged as malicious. Further training can then be provided to improve security awareness.
While the majority of employees in an organization will be able to identify phishing emails and take the appropriate action following security awareness training, all it takes is for one employee to respond to a phishing email to expose the PHI of patients. Identifying which individuals have not taken training on board helps organizations to take appropriate action and prevent a real phishing attack from causing a data breach.