What can anti-phishing efforts learn from fall prevention strategies?
Since 2013, hospitals and other health facilities have known that falls are a serious problem, and massive resources were mobilized to reduce or prevent patient falls. In January 2013, the Agency for Healthcare Research and Quality commissioned a report from the RAND Corporation / Boston University School of Public Health entitled "Preventing Falls in Hospitals: A Toolkit for Improving Quality of Care".
The toolkit estimated that between 700,000 and 1,000,000 people would fall in a hospital in 2013. What followed was an intense period of staff training and awareness, monitoring of fall risk, implementation of many fall-prevention programs, and development of innumerable resources focused on the risk of falling. Thousands of hospitals across the country participated in hospital engagement networks, which focus on 10 patient safety initiatives established by the Centers for Medicare and Medicaid Services.
It appears that some reductions are being achieved. In a 31-state project coordinated by the Health Research & Educational Trust of the American Hospital Association, the 325 participating hospitals reported a relative risk reduction of 6% in falls.
But some anecdotal information is not so rosy. In some published results, falls actually increased from 2013 to 2016, and one institution reported that a ten-year effort still had not met the safety benchmarks.
National data of the kind readily available before the publication of the toolkit are not easy to find. For the purpose of this article, however, it must be assumed that the general emphasis on fall prevention has been successful and that a significant number of falls have been avoided.
All this is very interesting, to be sure. What does this have to do with e-mail and patient safety?
It is now a documented fact that irregularities in EHR data can cause harm to patient care. In a study conducted within the VA Health System, 24 of 100 incidents resulted in a care error due to software design conflicts, inappropriate access to information, or corrupted files or databases, and 39 prevented the entry of diagnoses or patient information.
In another study, 80,381 reports of EHR events were analyzed, and 76 of them described a patient safety issue related to the unavailability of the EHR. The majority of patient safety issues stemmed from laboratory ordering and irregular results, with the second most common problem being medication administration and monitoring errors.
The correlation between EHR compromise and e-mail could not be clearer either. A recent example occurred at the University of Washington School of Medicine in December 2016, where an employee who responded to a typical "phishing" exploit exposed the information of more than 80,000 people to outsiders.
Phishing (and now "spearphishing" or "whaling") is the most easily exploited vulnerability in these systems; according to statistics quoted by the FBI in meetings, the average time between the target receiving the contaminated e-mail and clicking on the attachment is two seconds.
So, can we learn something from the systematic approach to fall risk prevention and apply those lessons to the e-mail phishing risk epidemic? Here are the main strategies identified in the toolkit:
Any change in this environment requires support from the organization's leadership. If your Human Resources department, your compliance department, other line departments, or you yourself as CEO or CIO send e-mail attachments and require employees to read them, you cannot have an organizational ethic of not opening them.
Senior organizational leadership must approve a change in the "convenience culture" of attachments. One solution may be to create a documentation center where employees are asked to go to read large documents, while the e-mail itself carries a summary rather than an attachment.
The fundamental problem is not a technology problem: it is a people problem. Because employees are the risk vector and their behavior has so far proven resistant to change, line employees must be engaged in developing a plan to convince themselves not to keep being caught by phishing attempts.
Allowing employees to report the suspicious behavior of others, providing a hotline for reporting an "accidental click," and rewarding employees who respond well to training are the kinds of measures employees themselves usually recommend to solve these problems. There may, however, be more innovative solutions that resonate with your culture and work environment.
Test strategies to see whether they reduce risk. The toolkit acknowledges that "no matter how good your program is, if it's not used by staff, it will not be successful." One key to this problem lies in established standard procedures that apply universally across the entire organization and allow no variation. Another is to "create visual cues or reminders in physical places, such as logos indicating elements of the plan."
Testing an e-mail compliance policy should also involve internal phishing tests to verify that employees are complying, followed by publication of the compliance and non-compliance results. Including the names of senior officials and physicians who do not comply with the guidelines makes the effort universal.
Similarly, do not limit yourself to the "typical" phishing test. Some authors suggest using social engineering to "spear-phish" selected employees and then publishing the results together with suggestions for changing their online profiles.
Use technology to monitor risks. In addition to an incoming e-mail "sandbox" that automatically checks attachments and links, blocking personal e-mail accounts on company computers and workstation devices would be prudent. Most people have smartphones that can reach that e-mail anyway, and company policy should not allow personal e-mail to be used for exchanging PHI. Systems should also be configured to monitor compliance with e-mail policies.
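As an added example (not from the article or the toolkit), the following audit applies the three controls just described to constructed mail-gateway records: internal mail carrying attachments instead of a documentation-center link, PHI sent to personal webmail accounts, and inbound attachments or links that were not sandboxed. The domain names, field names and JSON-lines log format are assumptions.

```python
"""Added example: minimal e-mail policy compliance audit over constructed
mail-gateway records (JSON lines). Domains, field names and the log
format are assumptions, not any real product's format."""
import json
from collections import Counter

INTERNAL_DOMAIN = "hospital.example"                           # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # assumed

# Constructed sample records; not real traffic.
SAMPLE_LOG = """
{"id": 1, "from": "ceo@hospital.example", "to": "staff@hospital.example", "attachments": ["policy.pdf"], "links": [], "phi": false, "sandboxed": true}
{"id": 2, "from": "nurse@hospital.example", "to": "me@gmail.com", "attachments": [], "links": [], "phi": true, "sandboxed": true}
{"id": 3, "from": "vendor@supplier.example", "to": "it@hospital.example", "attachments": ["invoice.zip"], "links": ["http://short.example/x"], "phi": false, "sandboxed": false}
{"id": 4, "from": "hr@hospital.example", "to": "staff@hospital.example", "attachments": [], "links": ["https://docs.hospital.example/handbook"], "phi": false, "sandboxed": true}
"""

def domain(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()

def check_policy(rec):
    """Return the list of policy violations for one gateway record."""
    violations = []
    internal_sender = domain(rec["from"]) == INTERNAL_DOMAIN
    # 1. Internal senders distribute summaries and doc-center links, not files.
    if internal_sender and rec["attachments"]:
        violations.append("internal-attachment")
    # 2. PHI must never go to a personal webmail account.
    if rec["phi"] and domain(rec["to"]) in PERSONAL_WEBMAIL:
        violations.append("phi-to-personal-webmail")
    # 3. Inbound attachments/links must pass the sandbox before delivery.
    has_content = rec["attachments"] or rec["links"]
    if not internal_sender and has_content and not rec["sandboxed"]:
        violations.append("unsandboxed-inbound")
    return violations

def audit(log_text):
    """Audit JSON-lines records; return per-message findings and a tally."""
    findings, tally = {}, Counter()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        found = check_policy(rec)
        if found:
            findings[rec["id"]] = found
            tally.update(found)
    return findings, tally

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Feeding the gateway's real export into `audit` gives the per-message and per-policy counts that a published compliance report needs.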
Training, training and more training. Combine visual and audio training techniques. Change the way messages are communicated, perhaps by using your public relations or marketing department to develop a different approach. Alternate online and in-person training. If you think you are communicating enough, you probably are not.
Attitudes toward solving the problem must change. At the beginning of the fall-reduction effort, the authors commented that "changing the prevailing nihilistic attitude that falls are 'inevitable' and that 'nothing can be done' is necessary to obtain adherence to the objectives of the intervention." The same complaints can certainly be raised against any initiative to convince employees not to respond stereotypically to phishing campaigns. A multidimensional program of training, auditing, testing and appropriate discipline should be put in place to reduce the risk to the institution.