Select Page

CIO QUARTERLY REPORT - September 2025

  1. Archives
  2. September 2025

Cybersecurity Awareness Month: Catch a Phish for a Chance to Reel in a Backpack

At Houston Methodist, where patient care is at the center of everything we do, cybersecurity isn’t just an IT issue — it’s a shared responsibility across our organization. Cybercriminal activity has the potential to directly impact patient safety, our systems and our ability to treat patients. We must all be vigilant and always on guard to protect HM.

This October, as we observe Cybersecurity Awareness Month, it’s a good reminder for all of us to practice good cyber hygiene. This year’s theme is “Secure Our World.” Health care is one of the most targeted industries for cyberattacks. In 2024 alone, there were nearly 450 reported incidents impacting health care with 238 ransomware threats and 206 data breaches. Sadly, health care organizations across the country have faced operational shutdowns, delayed treatments and reputational damage due to cyberattacks.

To counteract these threats, the National Cyber Security Division strongly encourages you to take these four key actions:

  1. Use strong, unique passwords.
  2. Enable multifactor authentication (MFA) for all of your accounts.
  3. Be cautious of unsolicited messages, recognize and report phishing attacks.
  4. Keep software updated regularly.

“We each need to stay aware and take individual responsibility for protecting our data,” said John Mowery, vice president and chief information security officer. “This is a critical time to take action. We can start with something small, like thinking before you click. When everyone is vigilant, with a mindful eye on cybersecurity, then our patients and our data are safer and more secure.”

What Happens When You Click a Malicious Link?

If you receive an email that looks like it’s from a trusted source — maybe HR, a vendor or even your manager, what do you do? You open it. You may even click links within the message. That’s exactly what phishing emails are intended to do — trick you into opening and clicking links that can give cybercriminals an entryway into our data and systems.

The best thing you can do is be cautious and think before you click. Behind the scenes, that single click can unleash a chain reaction. See the visual below.

If you do click, HM has safeguards in place to protect us. Every day, we block more than a million suspicious emails, with nearly 700,000 containing malicious content. In addition to this, when a suspicious link is clicked, our Digital Security team springs into action. Our goal is to act fast, minimize risk and keep our systems and patient data secure.

Learning to Catch a Phish and Maybe a Backpack

Every month, we test you by sending simulated phishing emails to see if you can recognize and report suspicious messages. “We know practice makes perfect,” shares Mowery. “The more you train your eye to spot suspicious emails, the better you’ll be at spotting real threats.”

In October, we’ll turn up the volume with our annual Catch a Phish tournament. There will be more of these emails, designed to mimic real-world phishing attempts. Your goal? Spot the phish and report it using the Report Phishing button in Outlook.

Every employee who catches/reports the simulated phishing attempt will be placed into a weekly drawing to win a Houston Methodist-branded backpack and will be recognized in IT Matters and on The HUB.

Cyber Smarts: Report Suspicious Messages

Cybersecurity isn’t just about avoiding bad links. Ignoring a suspicious message is better than opening and clicking a link, but reporting it to IT is even better. If a message looks strange, click the Report Phish button or the Report Suspicious button. Reporting these messages allows our IT tools to investigate the threat and if real, remove it from everyone else’s inbox, too. Remember, it’s better to be safe than sorry. So, don’t ignore or delete suspicious emails or texts, report them.

A Culture of Cybersecurity

At HM, we’re proud of our culture of excellence, and that includes cybersecurity. Everyone plays a role in protecting our precious patient data and systems.

Cybersecurity Awareness Month is a powerful reminder — but our vigilance must extend every single day. Staying alert, aware and safe isn’t just a best practice, it’s a responsibility. Together, we can protect HM’s patient data and systems, ensuring our care remains uninterrupted and secure. By doing so, we keep patients at the heart of everything we do.