BlackHat 2018: Did Mayo Clinic Just Diagnose an Antidote to Phishing?

Organizations have tried nearly everything to get their employees to pay closer attention to the danger posed by phishing. The message is just not getting through.

In the latest edition of Symantec's Internet Security Threat Report, for instance, 71% of the targeted attacks detected last year were found to have used spear phishing to steal the targeted user's credentials.

In part, chalk it up to attackers who are increasingly sophisticated. In the past, it was easier to spot phishing emails given the prevalence of poorly designed emails and websites filled with typos and other grammatical errors. Unlike the average phisher a couple of decades ago, contemporary practitioners are well-schooled in social engineering and quite skilled at what they do.

And as the profile of a typical phisher has changed, it’s become increasingly harder to distinguish phishing sites apart from legitimate sites. The upshot: Too many victims get fooled into giving away their passwords, credit card numbers and other important information. 

But the Mayo Clinic has been testing what it calls a “technology and human solution” designed to promote behavioral changes and help employees to better recognize phishing scams.

Three years ago, Mayo set up a continuing security awareness program and created what it describes as InfoSec Ambassadors. These are volunteers from within the organization charged with raising awareness and reminding employees of the role they play in keeping Mayo’s networks secure. At last count, Mayo had 289 active ambassadors, up from 144 when the program began in 2015.

Each ambassador is expected to make a one-year commitment and be ready to devote 2 to 3 hours to the task each month. Mayo also updates employees about current infosecurity news with a monthly newsletter targeted at a more general audience that may not be intimately familiar with the ins and outs of cyber security.

“When you’re working in a hospital, your first thought is to treat the patient and it may not be security. But when you explain that security is part of the whole patient strategy, they get it,” said Kingkane Malmquist, an information security analyst from Mayo.

At the same time, Mayo has been carrying out simulated phishing campaigns to test employee responses. The early batch of findings, which were revealed this week at the BlackHat conference, offer encouraging evidence that change is possible as increasing percentages of employees recognized phishing attempts:

2015:

• 6 Campaigns
• 63,831 Total Average Emails Sent
• 32.9% Reported Phish

2016:

• 8 Campaigns
• 66,010 Total Average Emails Sent
• 44.4% Reported Phish

2017:

• 5 Campaigns
• 66,882 Total Average Emails Sent
• 52.1% Reported Phish

Health-related data, which includes not just patient data but also financial data, clinical research and intellectual property, remains a particularly appealing target for malicious actors. In the last few years, cyber attackers have repeatedly used phishing scams to gain control of hospital networks – in some cases shutting down hospitals and impacting care delivery until they receive ransom payments.

So, any movement in the right direction would be welcome - especially at a health institution like Mayo, which employs more than 63,000 staff members, including 4,729 physicians and scientists. 

“In the end, everyone has a role here in keeping Mayo Clinic safe,” Malmquist said. “When you provide people with the right motivation and you help raise their awareness, it's possible to create changes in behavior.”