What can anti-phishing efforts learn from fall prevention strategies?

Can the systematic approach to fall risk prevention help inform hospitals' approaches to the pandemic of email phishing risk?
By Barry Herrin
10:52 AM

Since before 2013, hospitals and other healthcare facilities knew that falls were a serious problem, and massive resources were marshalled to reduce or prevent patient falls. In January 2013, the Agency for Healthcare Research and Quality commissioned a RAND Corporation/Boston University School of Public Health Report titled "Preventing Falls in Hospitals: A Toolkit for Improving Quality of Care."

The toolkit estimated that between 700,000 and 1,000,000 people would fall in a hospital in 2013. What followed was an intense period of staff education and awareness training, monitoring of fall risks, implementation of numerous fall prevention programs, and development of countless resources focused on fall risk. Thousands of hospitals around the country participated in Hospital Engagement Networks, which focus on 10 patient safety initiatives established by the Centers for Medicare and Medicaid Services.

It appears that some reductions are being accomplished. In a 31-state project coordinated by the American Hospital Association’s Health Research & Educational Trust, participants reported a 6 percent relative risk reduction in falls for 325 participating hospitals.

But some anecdotal information is not so rosy. In fact, in some published results, falls actually increased from 2013 to 2016, and one institution reported a ten-year effort still failing to reach safety benchmarks.

National data of the type readily available prior to the toolkit’s publication are not easy to find. However, for the purposes of this article, one should suppose that the overall focus on fall prevention was a success and that a significant number of falls were prevented.

All very interesting, to be sure. What does this have to do with emails and patient safety?

It is now a documented fact that EHR data irregularities can harm patient care. In one study conducted using the VA health system EHR, 24 of 100 incidents surveyed caused a patient care error due to software design conflicts, inappropriate access credentials, or corrupted files or databases that prevented entry of diagnoses and orders or retrieval of patient information.

In another study, 80,381 EHR event reports were analyzed, and 76 of those reported incidents described a patient safety issue that correlated to EHR unavailability. The majority of the patient safety issues resulted from lab order and result irregularity, with the second most common issue being medication administration and order errors.

The correlation between EHR corruption and email also could not be clearer. One recent example occurred at the Washington University School of Medicine in December of 2016, where an employee responding to a typical "phishing" exploit gave outsiders access to more than 80,000 records.

Phishing (and now "spearphishing" or "whaling") is the most easily and commonly exploited vulnerability in systems, with the average time between the target receiving the contaminated email and clicking on the attachment being two seconds, according to statistics cited by the FBI in meetings.

So can we learn anything from the systematic approach to fall risk prevention and apply those lessons to the pandemic of email phishing risk? Here are the top strategies identified in the Toolkit:

Any change in this environment requires the support of top organizational leadership. You cannot have an organizational ethos of "don’t click on attachments to email" if your human resources department, compliance department, other reporting departments – or you as the CEO or CIO – constantly send out attachments to emails and ask/demand that employees read them.

Top organizational leadership needs to endorse a change in the "convenience culture" of email attachments. One solution may be to create a document center to which employees are directed for lengthy documents, while the email itself carries a summary – not an attachment.

The problem fundamentally is not a technology problem: it is a people problem. Because employees are the risk vector and their behavior is seemingly unchangeable, line employees must be engaged in developing a plan to convince themselves not to continue to be caught by phishing attempts.

Empowering employees to report suspect behavior of others, providing a main emergency line to obtain a response for the "inadvertent click", and rewarding employees who respond favorably to training are the kinds of things that employees would typically recommend to fix these problems. However, there may be more novel solutions that resonate in your culture and work environment.

Test strategies to see if they reduce risk. The toolkit acknowledges that "no matter how good your program is, if it is not used by the staff it will not be successful." One key to this is to set standard procedures that apply universally throughout the enterprise and to allow no variation from those procedures. Another is "creating visual cues or reminders in physical locations, such as logos indicating elements of the plan."

Testing an email compliance strategy must also involve internal phishing attempts to see whether employees are complying – and then publishing the results of compliance and non-compliance. Including the names of senior administration and physicians who do not comply with the guidance will make the effort feel universal.

Also, don’t limit testing to "typical" phishing. Some authors suggest using social engineering to "spear-phish" select employees and then publishing the results along with suggestions for changing their online profiles.

Use technology to monitor risk. In addition to an inbound email "sandbox" that automatically checks attachments and links in email, blocking personal email accounts on workplace computers and devices would be prudent. Most people have smartphones that can access such email, and corporate policies should not permit personal email use for PHI exchange. Systems should also be configured to monitor compliance with email policies.
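To show what "configured to monitor compliance with email policies" can look like for the two policies the article recommends (internal announcements carry a summary in the body rather than an attachment, and personal email is never used for PHI), here is an added example; it is not code from the article or from any gateway product, and the log format, domains, addresses and file names are all constructed for illustration:

```python
import re
from collections import Counter

# Constructed sample mail-gateway log, one message per line, in a simple
# key=value layout invented for this example (not a real product's format).
LOG = """\
ts=2017-03-01T08:02:11 from=hr@hospital.example to=nurse1@hospital.example attachments=1 names=Benefits2017.pdf
ts=2017-03-01T08:05:40 from=cio@hospital.example to=all-staff@hospital.example attachments=0 names=-
ts=2017-03-01T09:14:03 from=dr.lee@hospital.example to=dr.lee@gmail.com attachments=1 names=lab_results_MRN.xlsx
ts=2017-03-01T09:30:22 from=billing@hospital.example to=vendor@supplier.example attachments=1 names=invoice.pdf
ts=2017-03-01T10:01:09 from=compliance@hospital.example to=all-staff@hospital.example attachments=2 names=Policy.docx,Ack.docx
"""

INTERNAL_DOMAIN = "hospital.example"                      # assumed hospital domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LINE_RE = re.compile(r"ts=(\S+) from=(\S+) to=(\S+) attachments=(\d+) names=(\S+)")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def audit(log_text):
    """Return (findings, counts): one finding per policy violation, plus totals per rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not message records
        ts, sender, rcpt, n_att, names = m.groups()
        n_att = int(n_att)
        # Policy 1: internal-to-internal mail should carry a summary in the
        # body and point to the document center, not carry an attachment.
        if domain(sender) == INTERNAL_DOMAIN == domain(rcpt) and n_att > 0:
            findings.append((ts, "internal-attachment", sender, rcpt, names))
        # Policy 2: no personal webmail account on either side of a message.
        if domain(sender) in PERSONAL_DOMAINS or domain(rcpt) in PERSONAL_DOMAINS:
            findings.append((ts, "personal-email", sender, rcpt, names))
    counts = Counter(rule for _, rule, *_ in findings)
    return findings, counts

if __name__ == "__main__":
    findings, counts = audit(LOG)
    for f in findings:
        print(*f)
    print(dict(counts))
```

Running it over the sample flags the two internal announcements sent as attachments and the one message to a personal account; the same counts, broken out by department, are the kind of compliance figures the article suggests publishing.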

Training, training, and more training. Combine visual and audible training techniques. Change the way that messages are communicated, perhaps using your public relations or marketing department(s) to craft a different approach. Alternate online and in-person training. If you think you are communicating enough, you probably aren’t.

Attitudes about solving the problem have to change. At the beginning of the effort to reduce falls, authors commented that "changing the prevailing nihilistic attitude that falls are 'inevitable' and that 'nothing can be done' is required to get buy-in to the goals of the intervention." The same complaints surely can be lodged against any initiative to convince employees not to respond stereotypically to phishing campaigns. A multifaceted program of training, auditing, testing, and appropriate discipline should be deployed to reduce the institution’s risk.