Sharpen Your Ability to Identify Phishing Emails and Win: Q&A With Gary Sparks

October is Cybersecurity Awareness Month, and Privacy & Security at Baptist is hosting a competition to help you hone your ability to spot phishing emails that could pose a serious security risk.

Corporate Information Systems Security Manager Gary Sparks shared more about the importance of cybersecurity and how you can help.

Please tell us more about the month-long competition for Baptist team members to mark Cybersecurity Awareness Month in October.

We already do monthly simulated phishing, but in honor of Cybersecurity Awareness Month, we’ve turned it into more of a tournament-style competition. We will send out weekly simulated phishing emails.

Team members progress each week by recognizing and reporting the message, catching the fish, so to speak. It’d be great if 19,000 people made it to the end. Team members remaining during the last week of the competition will be eligible for a drawing for gift cards.

So, if you skip a week reporting, then you’re out of the tournament?

Right. If you don’t successfully report each week, then you don’t progress.

Please report only emails that you think are phishing attempts. Reporting an excessive number of emails may disqualify you from the tournament.

Why is it important to report suspicious emails?

We really wanted to use the competition as a catalyst to help raise awareness about the need for reporting. One day, it’s not going to be a simulation. It’s going to be the real thing.

If we can get everyone in the habit of reporting the suspicious messages that they see, then we will be alerted more quickly. That’s important because we can tell the system to remove that message from the mailbox of any team members who received it. That way, they never see it.

What kinds of activities are cyber criminals engaging in that would affect us?

Phishing is the number one attack vector that they use, and they’re looking to either get your credentials, such as usernames and passwords, or convince you to load malicious software so that they can get access into our systems.

They want data that they can convert into a profit by holding it for ransom with ransomware or by taking the data and selling it on the dark web to someone who might have an intent to do harm.

How can team members identify phishing emails?

Phishing emails may have misspelled words and typos. They often attempt to impersonate a person or company you know and trust. They could also have a request to act quickly. Urgency is a common tactic used in phishing.

The timing may be off. For example, one of the common phishing emails lately is an invoice for Geek Squad, Norton, LifeLock or PayPal. And you didn’t buy anything. It may say, “Click here to dispute this charge or call.” That’s the hook.

Could you tell us more about the role of Privacy & Security at Baptist?

Privacy & Security responsibilities lie in managing the security program and risk and compliance for the organization. We work with onboarding vendors and anything that involves exchanging data with third parties. That’s important for protecting our systems because, not only do our patients entrust their health to us, but they also entrust the security and privacy of their data, too.

We also monitor and investigate potentially inappropriate access. We do anything related to protected health information, patient privacy concerns, sensitive information or employee information.

Privacy & Security reviews business associate agreements and any contracts in our organization that have us disclosing any information or attaching someone to our network. We’d be involved with any security event and provide guidance and/or assistance to Health Information Management (HIM) with subpoenas, authorizations or a patient-requested amendment.

We also work closely with the Baptist Technology Services team from a risk and compliance perspective. They’re hands-on with the technologies that support the organization and make sure those are secure.

The bad guys are really after that data. Health care has become one of the top targets by cyber criminals. We must be ever vigilant, ever diligent in protecting the data.

Is there anything you’d like to add?

When it comes to emails, if you’re in doubt, go ahead and report the message using the “Report Phishing Email” or “Phish Alert” buttons in Outlook. Baptist has a team that reviews every message that’s reported, and if it’s a valid message that looks a little odd then we’ll get that back to you with a confirmation that it’s a valid message. We’ll also confirm if an email is spam. If it’s a phishing email, we’ll let you know that, too, and take action to keep it from being a threat to anyone else in the organization.