Why Security Awareness Testing Alone Isn’t Enough

Here is a story from one of our customers who wants to help other organizations like you strengthen their cybersecurity practices. Find out about the important lessons they learned when they suffered a ransomware attack, and what they did to bolster their security awareness training program to better defend against today's cyber threats.

Sky Lakes Medical Center is a not-for-profit, community-owned, internationally accredited acute-care teaching hospital. Sky Lakes serves more than 80,000 people in the Klamath and Lake counties in south-central Oregon and northern California. As the only hospital in a 10,000 square-mile area, it’s a critical asset to the communities it serves.

With an increase in cyberattacks on healthcare institutions, it’s also an important reminder of the need for a combined approach to employee cybersecurity awareness testing and training. Because of the great responsibility of delivering patient care in these communities, Sky Lakes knew creating an effective security awareness program meant they needed to offer security awareness testing and training on a continuous basis. The medical center had put regular testing programs in place but had yet to implement security awareness training that would help employees spot the red flags of social engineering attempts.

Risks Increase, Security Awareness Training Is a Must

Hospitals have, for several years, contended with ransomware attacks that prey on the fact that taking data offline risks patient health, putting tremendous pressure on healthcare administrators and security teams. The American Academy of Medical Colleges reports that 1 in 3 global healthcare organizations were hit with ransomware in 2020, and COVID-19 related attacks are driving numbers even higher. HealthITSecurity has reported a 45% increase in cyberattacks against healthcare entities since November 2020.

Sam Stewart, network systems analyst at Sky Lakes Medical Center, took over management of the organization’s KnowBe4 deployment in late 2019. By early 2020 he had the system automated to serve phishing security tests to employees on a regular basis. At the time, however, employees were not being offered KnowBe4’s security awareness training, which provides deep knowledge about threats, how they are evolving, and topical examples of just how tricky they can be to identify.

Ryuk Ransomware Hits

In October 2020, a Sky Lakes employee opened an email from a personal account, clicked on a link to Google Drive and downloaded a file they thought was related to the company bonus program. Unfortunately, it was actually a malicious file that had been sent by Ryuk ransomware threat actors.

The employee had not been trained to look for nuanced indicators that might have suggested that the file was not legitimate, or that company information would not be sent to their personal account. Nor had they been trained to immediately report the issue to the Information Services department when the download made the computer screen ‘blip’ – a possible indicator that a problem was taking place.

The issue was discovered by an after-hours support team. Within a day, the medical center’s leadership made the decision to shutdown all computers and servers, forcing the medical staff to revert to electronic health record (EHR) downtime mode.

Coming Up for Air

Sky Lakes had smartly already put a disaster recovery and backup plan in place. Even with that head start, the organization operated for 23 days without EHRs, while rebuilding and reconfiguring 2,500 computers and 600 servers.

Stewart and the Sky Lakesteam have been very open about the ransomware attack they suffered and the lessons learned in the process. By doing so they are a beacon for other healthcare organizations about how to prepare an organization – and its people – for attempted attacks. One of the main tips – focus on training and testing in tandem so your employees learn how to spot and avoid a cyber threat.

It’s only by focusing on the ABC’s of the human-side of security that an organization can put its best awareness foot forward. As a reminder, within your organization, focus on:

• Awareness – train employees on what attacks look like, how they evolve and what to expect;
• Behavior – reinforce to employees to report suspicious messages and to make choices that are security-minded; and
• Culture – foster a culture of cybersecurity within your organization so that all employees know that cybersecurity is a collective, shared responsibility.