Fall Phishing Prevention: A New Focus on Patient Safety

Since before 2013, hospitals and other healthcare facilities knew that falls were a serious problem, and massive resources were marshalled to reduce or prevent patient falls. In January 2013, the Agency for Healthcare Research and Quality (AHRQ) commissioned a RAND Corporation/Boston University School of Public Health report titled “Preventing Falls in Hospitals: A Toolkit for Improving Quality of Care.”[1] The Toolkit estimated that between 700,000 and 1,000,000 people would fall in a hospital in 2013.

What followed was an intense period of staff education and awareness training, monitoring of fall risks, implementation of numerous fall prevention programs, and development of countless resources focused on fall risk. “Thousands of hospitals around the country” participated in Hospital Engagement Networks, which focus on 10 patient safety initiatives established by the Centers for Medicare and Medicaid Services (CMS).[2]

And it appears that some reductions are being accomplished. In a 31-state project coordinated by the American Hospital Association’s Health Research & Educational Trust, participants reported a 6 percent relative risk reduction in falls for 325 participating hospitals.[3] Some anecdotal information is not so rosy; in fact, in some published results, falls actually increased from 2013 to 2016,[4] and one institution reported a ten-year effort still failing to reach safety benchmarks.[5] National data of the type readily available prior to the Toolkit’s publication are not easy to find. However, for the purposes of this article, one should suppose that the overall focus on fall prevention was a success and that a significant number of falls were prevented.

All very interesting, to be sure. What does this have to do with emails and patient safety?

It is now a documented fact that EHR data irregularities can harm patient care.[6] In one study conducted using the VA health system EHR, 24 of 100 incidents surveyed caused a patient care error due to software design conflicts, inappropriate access credentials, or corrupted files or databases that prevented entry of diagnoses and orders or retrieval of patient information.[7] In another study, 80,381 EHR event reports were analyzed, and 76 of those reported incidents described a patient safety issue that correlated with EHR unavailability. The majority of the patient safety issues resulted from lab order and result irregularities, with the second most common issue being medication administration and order errors.[8]

The connection between EHR corruption and email is equally clear. One recent example occurred at the Washington University School of Medicine in December 2016, where an employee responding to a typical “phishing” exploit gave outsiders access to over 80,000 records.[9] Phishing (and now “spearphishing” or “whaling”) is the most easily and commonly exploited vulnerability in systems,[10] with the average time between the target receiving the contaminated email and clicking on the attachment being 2 seconds, according to statistics cited by the FBI in meetings.

So, can we learn anything from the systematic approach to fall risk prevention and apply those lessons to the pandemic of email phishing risk? Here are the top strategies identified in the Toolkit:

  • Any change in this environment requires support of top organization leadership. You cannot have an organizational ethos of “don’t click on attachments to email” if your human resources department, compliance department, other reporting departments, or you as the CEO or CIO constantly send out attachments to emails and ask/demand that employees read them. Top organizational leadership needs to endorse a change in the “convenience culture” of email attachments. One solution may be to create a document center to which employees will be directed to read lengthy documents, but provide a summary in the email itself – not an attachment.
  • The problem fundamentally is not a technology problem: it is a people problem. Because employees are the risk vector and their behavior is seemingly unchangeable, line employees must be engaged in developing a plan to convince themselves not to keep getting caught by phishing attempts. Empowering employees to report suspect behavior of others, providing a main emergency line to obtain a response to the “inadvertent click”, and rewarding employees who respond favorably to training[11] are the kinds of things that employees would typically recommend to fix these problems. However, there may be more novel solutions that resonate in your culture and work environment.
  • Test strategies to see if they reduce risk. The Toolkit acknowledges that “no matter how good your program is, if it is not used by the staff it will not be successful.”[12] One key to this is setting standard procedures that apply universally throughout the enterprise, and allowing no variation from those procedures. Another is “creating visual cues or reminders in physical locations, such as logos indicating elements of the plan.”[13] Testing an email compliance strategy must also involve internal “phishing” attempts to see if employees are complying – and then publishing the results of compliance and non-compliance.[14] Including the names of senior administration and physicians who do not comply with the guidance will make the effort feel universal. Also, don’t limit testing to “typical” phishing. Some authors[15] suggest using social engineering to “spear-phish” select employees and then publishing the results with suggestions to change your online profile.
  • Use technology to monitor risk. In addition to an inbound email “sandbox” that automatically checks attachments and links in email, blocking personal email accounts on workplace computers and devices would be prudent. Most people have smartphones that can access this email, and corporate policies should not permit personal email use for PHI exchange. Systems should also be configured to monitor compliance with email policies.
  • Training, training, and more training. Combine visual and audible training techniques. Change the way that messages are communicated, perhaps using your public relations or marketing department(s) to craft a different approach. Alternate online and in-person training. If you think you are communicating enough, you probably aren’t.
  • Attitudes about solving the problem have to change. At the beginning of the effort to reduce falls, authors commented that “changing the prevailing nihilistic attitude that falls are ‘inevitable’ and that ‘nothing can be done’ is required to get buy-in to the goals of the intervention.”[16] The same complaints surely can be lodged against any initiative to convince employees not to respond stereotypically to phishing campaigns. A multifaceted program of training, auditing, testing, and appropriate discipline should be deployed to reduce the institution’s risk.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

Citations

  1. AHRQ Publication No. 13-0015-EF, accessed at https://www.ahrq.gov/sites/default/files/publications/files/fallpxtoolkit_0.pdf (hereinafter the “Toolkit”).
  2. http://www.hhnmag.com/articles/6404-Hospitals-work-to-prevent-patient-falls
  3. Id.
  4. Data from the UCSF Medical Center showed that the average number of patient falls per 1000 patient days went up from 1.91 in 2013 to 2.10 in 2016. https://www.ucsfhealth.org/images/quality/falls.jpg
  5. https://stti.confex.com/stti/bc43/webprogram/Paper70054.html
  6. https://academic.oup.com/jamia/article/21/6/1053/2909293/An-analysis-of-electronic-health-record-related?searchresult=1
  7. Id.
  8. http://www.beckershospitalreview.com/healthcare-information-technology/5-study-insights-into-patient-safety-events-when-ehrs-go-down.html
  9. http://www.healthcareitnews.com/news/phishing-attack-risks-leak-80000-patient-records
  10. https://www.knowbe4.com/phishing-security-test-offer. 91% of successful data breaches begin with a spear-phishing attack, according to KnowBe4, Inc.
  11. https://www.csoonline.com/article/2132618/phishing/social-engineering-11-tips-to-stop-spear-phishing.html. The article suggests a “Catch of the Day” contest for forwarding suspicious emails.
  12. Toolkit, p. 52.
  13. Toolkit, p. 58.
  14. http://www.hhnmag.com/articles/6404-Hospitals-work-to-prevent-patient-falls. The article mentions a hospital posting the results of fall risk compliance by named staff member in the break room.
  15. https://www.csoonline.com/article/2132618/phishing/social-engineering-11-tips-to-stop-spear-phishing.html
  16. Id.