It’s been a long time coming: Health institutions now consider cybersecurity a serious patient safety issue that is core to healthcare’s overall mission. This is a marked change from the earlier part of the decade when cybersecurity was more of an afterthought, tacked on to IT budgets for HIPAA compliance or to secure Meaningful Use funding in support of electronic health record implementations.
This sea change could not come soon enough. Health institutions are under continuous attack by both financially motivated and state-sponsored threat actors who cause significant financial damage to the industry while eroding patients’ confidence in their healthcare providers’ abilities to protect their most sensitive data.
According to a study from IBM Security and the Ponemon Institute, the cost of a data breach for healthcare organizations rose from $380 per breached record in 2017 to $408 per record in 2018, the highest cost, by some distance, of all industries measured. The same study found health consumers to be the most likely to change providers following a data breach.
Perhaps the most concerning cybersecurity challenge facing the healthcare industry is the growth of email fraud, a phenomenon that includes business email compromise and a range of identity deception threats. According to the FBI, BEC alone has cost organizations $12.5 billion globally — yes, billions — since 2013.
Preying on Fear and Trust to Exploit Users
Email fraud preys on fear, trust and the desire to be helpful, creating opportunities for threat actors to steal money and valuable information, or launch phishing or malware attacks.
These socially engineered attacks seek to exploit those who have made it their mission to protect patients. These events are highly targeted and use identity deception tactics such as spoofing and fake email chains to pose as trusted colleagues or business partners over email. This was illustrated by a recent ransomware attack in which cybercriminals purported to be from the Centers for Disease Control and Prevention. This particular campaign included an email news flash warning of a flu pandemic and offered guidance to contain the outbreak.
Unfortunately, the “guidance” was a link that downloaded GandCrab ransomware. The very qualities that draw people to the healthcare profession, however — an unwavering focus on patient safety and public health — also create human vulnerabilities to cyberattacks like this one.
How Healthcare Organizations Are Targeted
As in the CDC example, cybercriminals use a variety of techniques, often in tandem, to launch email fraud attacks. Here are the most common:
Display-name spoofing: Threat actors favor webmail services, such as Gmail, because they’re free and easy to use. In email fraud, attackers often simply change the display name of the email sender. (Email display names are unrelated to the actual email address being used; they can be anything the sender wants them to be.) Over the course of 2017 and 2018, Proofpoint found that 33 percent of email fraud across healthcare used Gmail.com, AOL.com, Comcast.net, Inbox.lv or RR.com addresses.
Domain spoofing: Another common tactic involves sending fraudulent email from the organization’s own trusted domain. This is called domain spoofing. Criminals spoof healthcare-owned domains to target an organization’s staff, patients and business associates.
In the fourth quarter of 2018, Proofpoint threat researchers concluded that 95 percent of healthcare firms were targeted by at least one email fraud attack launched from their own domain. The average organization was targeted with 57 domain spoofing attacks.
Moreover, every health institution in Proofpoint’s study had its domains spoofed by attackers sending fraudulent messages to patients and business associates.
Overall, 45 percent of email sent from healthcare-owned domains in Q4 appeared suspicious. The percentage was even higher for email sent to healthcare staff (65 percent). Roughly 42 percent of the email sent to patients from hospital-owned domains was suspicious, as was 15 percent of email sent to business associates.
Look-alike domains: Attackers often register look-alike domains to trick people into believing an email is from someone they trust. They create new, deceptively similar domains by swapping characters, such as replacing the letter o with the numeral 0, or inserting an additional character such as an s or a hyphen. In 2017 and 2018, 67 percent of healthcare providers were targeted by attacks launched from look-alike domains.
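The two sender-side tricks described above (a trusted-sounding display name over a free webmail address, and a look-alike domain built by an o/0 swap or an inserted s or hyphen) can be checked at the gateway with a few lines of header logic. The example below is added here and is not code from the original article or from Proofpoint; the hospital domain "goodhospital.org" and the sample From: headers are constructed, and the "hospital" keyword used to spot a trusted-sounding display name is an assumption.

```python
from email.utils import parseaddr

# Assumed hospital domain and constructed From: headers (not from the article).
TRUSTED_DOMAIN = "goodhospital.org"
# Webmail domains named in the article as favoured for display-name spoofing.
WEBMAIL_DOMAINS = {"gmail.com", "aol.com", "comcast.net", "inbox.lv", "rr.com"}
SAMPLE_FROM_HEADERS = [
    "Dr. Jane Smith <jane.smith@goodhospital.org>",            # legitimate
    "Good Hospital Billing <goodhospital.billing@gmail.com>",  # display-name spoof
    "IT Helpdesk <helpdesk@g00dhospital.org>",                 # letter o swapped for 0
    "Pharmacy <orders@goodhospitals.org>",                     # extra "s" inserted
    "HR <hr@good-hospital.org>",                               # hyphen inserted
]

def normalize(domain: str) -> str:
    """Undo the o/0 swap and hyphen insertion so look-alikes collapse onto the real name."""
    return domain.lower().replace("0", "o").replace("-", "")

def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True if domain is not the trusted domain but matches it after undoing an
    o/0 swap, a hyphen insertion, or exactly one inserted character."""
    if domain == trusted:
        return False
    d, t = normalize(domain), normalize(trusted)
    if d == t:
        return True
    # One inserted character: removing some single character of d must give t.
    return len(d) == len(t) + 1 and any(d[:i] + d[i + 1:] == t for i in range(len(d)))

def classify_from(header: str, org_keyword: str = "hospital") -> str:
    """Return 'ok', 'display-name-spoof' or 'lookalike-domain' for one From: header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == TRUSTED_DOMAIN:
        return "ok"
    if is_lookalike(domain):
        return "lookalike-domain"
    # Trusted-sounding display name over a free webmail address: display-name spoofing.
    if domain in WEBMAIL_DOMAINS and org_keyword in name.lower():
        return "display-name-spoof"
    return "ok"

def scan(headers=SAMPLE_FROM_HEADERS) -> list:
    """Classify every header; only the first sample should come back 'ok'."""
    return [(h, classify_from(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:20} {header}")
```

Stripping hyphens during normalization will also match legitimately hyphenated unrelated domains, so treat the verdict as a flag for review or quarantine rather than an automatic block.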
How Hospitals Can Protect Themselves
Email fraud tactics are always shifting. That’s why healthcare institutions need a multilayered defense.
To protect staff, patients and business partners from email fraud, consider these five initiatives:
- Email authentication: Domain-Based Message Authentication, Reporting and Conformance, or DMARC, blocks all impostor attacks that spoof trusted domains.
- Machine learning and policy enforcement: Analyze the contents and context of email to stop display-name spoofing and look-alike domains at the email gateway.
- Domain monitoring: Automatically identify and flag potentially risky domains registered by fraudsters.
- Protect VAPs: In addition to high-profile executives, cybercriminals often target individuals deep within an organization whose privileges and ample access to sensitive information make them valuable targets. It’s important for healthcare institutions to identify these “very attacked people” and establish security controls to protect them from targeted threats.
- Security awareness training and process accountability: Educate people on how to recognize and report email fraud, phishing and other cybersecurity threats.
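The DMARC initiative above only stops spoofed mail once the domain's policy is enforced; a monitoring-only record reports abuse but blocks nothing. The two DNS TXT records below are an added illustration for the constructed domain "goodhospital.org", not configuration from the article, and the reporting mailbox is an assumed placeholder.

```dns
; Monitoring-only record: receivers report spoofing (rua) but still deliver it.
_dmarc.goodhospital.org.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@goodhospital.org"

; Enforcing record: mail that fails SPF/DKIM alignment for goodhospital.org is rejected.
; Move to this only after the reports show all legitimate senders are aligned.
_dmarc.goodhospital.org.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@goodhospital.org; adkim=s; aspf=s"
```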
Despite large investments in security, email fraud continues to rise. Cybercriminals are growing more advanced, and attacks are evading traditional security tools, leaving people as the last line of defense. Taking a multilayer approach to cybersecurity, and protecting your most attacked employees, will significantly reduce risk and allow your institution to focus on patient care.