While it may seem like phishing is an outdated mode of hacking, the truth is that it’s alive and well — and a very real threat to the healthcare industry.
In early July, for example, hackers were able to breach networks of Reliable Respiratory of Norwood, Mass., via a phishing campaign that potentially exposed at least 15 different types of protected health information, according to recently released details of the attack. And in August, Oregon-based provider Legacy Health revealed to some 38,000 patients that a phishing attack in May possibly exposed personal health information.
These providers are far from alone: 110 health data breaches exposed 1.13 million patient records in just the first quarter of 2018, according to a May report by Protenus. And in a survey from HIMSS earlier this year, respondents identified phishing as one of the top threats, with email attacks proving to be the most popular way into organizations, accounting for 62 percent of breaches.
Healthcare Phishing Attacks Become More Sophisticated
Part of what’s driving the rise in phishing attacks is that such emails are becoming more professional and targeted than ever.
Spear-phishing, which adds social engineering to target specific companies or even particular employees, is on the rise in particular. “The Cybersecurity Insight Report” by CDW notes that, over the past two years, spear-phishing has become a “real and pervasive” threat for businesses at large.
“We used to see emails with grammar errors all over the place. Now you open an email and it looks and sounds professional,” John Lex Robinson, cybersecurity strategist at anti-threat firm Cofense (formerly PhishMe), says in the CDW report. “Social engineering is now being run like a business. They’re targeting individuals. They have moved beyond emails to build entire fraudulent ecosystems online.”
Meanwhile, attacks that impersonate someone familiar to a targeted person have jumped 80 percent in the last year, according to a recent report by Mimecast.
“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Mimecast cybersecurity strategist Matthew Gardiner in a statement. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter.”
3 Tips to Prevent Phishing for Healthcare Organizations
With these threats on the rise and breaches proving costly, how can healthcare organizations best prevent phishing attacks?
1. Audit the Current Cybersecurity Environment: Legacy devices, as well as emerging technology like mobile and Internet of Things devices, all carry their own threats. For this reason, companies should conduct a thorough and ongoing assessment of their vulnerabilities. “Cybercriminals are adept at modifying their malware and methods to stay ahead of traditional protections that organizations deploy, as seen by the rise in infections and sophistication of attacks in 2017,” Rahul Kashyap, worldwide chief technology officer at Cylance, said in a press release. “It's critical that companies are aware of the threats, keep up-to-date with patches, and use defenses that protect against constantly evolving malware.”
2. Segment Networks: “Much of the challenge of safeguarding patient data is simply a matter of keeping sensitive information cordoned off from the rest of the network, making it more difficult for cyberattackers to reach it,” states the CDW white paper “Ensuring the Security of Patient Data.” Enter segmentation, which employs firewalls, routers and other tools to restrict access to parts of a network and provide an added layer of security to PHI.
3. Train End Users: Healthcare is the only industry where insider threats prove greater than those from outside an organization, according to Verizon’s “2018 Data Breach Investigations Report.” To prevent accidental exposure from insiders, training employees to spot and report suspicious email activity is vital. “Users are really scared to use email today. They get email that they’re afraid to click on and they hear all the horror stories,” Randall Frietzsche, CISO and privacy officer for Denver Health, tells HealthTech, noting that training can help to reduce attacks while improving confidence. “I want to not only reduce the risk of phishing email and ransomware, but I also want to increase users’ confidence in using email because they’ve seen phishing email before, they’re trained on the indicators and what to do with phishing email.”