To continue our commitment to keep Main Line Health and its employees safe, IT and HR have worked together to implement a new software and education program to address the ever-growing phishing threat that all companies face. The software, called ThreatSim, will help raise awareness and educate employees about the dangers of phishing attacks. To make it easier for employees to report suspicious emails, MLH has added a new button in Outlook (email) called PhishAlarm. By clicking on the “Report Phishing” button in your Outlook toolbar, the suspicious email will be sent directly to the IT Security team for further analysis.
Phishing campaigns are one of the biggest threats to the Main Line Health computer network and, more importantly, both patient data and employee data. If you access a fake phishing website from your work computer and download malware – or even just give away your log in credentials – the entire Main Line Health computer network could become infected. Depending on the nature of the malware, patient and/or employee data could be compromised, stolen or encrypted into a format that makes it unusable until a ransom is paid.
Unfortunately, our protected health information (PHI) is worth considerably more than credit card information on dark markets. Cybersecurity is an important part of the Culture of Safety at Main Line Health and while MLH has defenses in place to help protect us, you’re the last line of defense in this effort and it requires constant vigilance to spot these threats.
Our IS Security team will soon be conducting a baseline phishing test to assess the current level of awareness of the staff and to help direct future phishing campaigns. Anyone with an MLH email address is eligible to receive these phishing tests.
There will be no disciplinary actions associated with this baseline campaign.
If an employee takes any inappropriate action(s) during the phishing campaign (after the baseline test) they will receive immediate feedback from ThreatSim.
- The first time an employee clicks on a phishing test email, they will get a message from the application with a short description of what they did wrong. Once the employee is done reading the notice, they will have to electronically sign an acknowledgment of completion.
- The 2nd time, the employee is auto-enrolled into a 5-10 minute video course and will need to click an acknowledgment button at the end.
- For the 3rd & subsequent violations – the employee’s manager and HR manager are notified, and corrective action may be taken, up to and including termination. Discipline will be limited to those who consistently and/or willfully violate the Phishing policy.
Information about our new ongoing phishing program, as well as tips to protect you against phishing, are detailed in our new annual mandatory education course, “Phishing Education,” which can be found in HealthStream. This course will help you spot these types of threats both at work and at home so please take the time to read and understand this information.
Thank you for your commitment to keeping our organization and our patients safe. If there are any questions, please feel free to contact your local HR representative.