Phishing and Healthcare
Phishing is an email-borne social-engineering technique that lures message recipients into disclosing confidential information. Spear phishing, in which the attacker impersonates someone the target knows, or references specific projects or mutual social connections, is even more dangerous because the message looks expected.
Both techniques have proven extremely effective at penetrating hospitals, other healthcare entities, and HIPAA-regulated organizations generally. Worse, standard email filtering and anti-virus software are often ineffective at stopping these devastating attacks.
Download our 16-page Guide on Phishing for HIPAA-Regulated Organizations, which details the business risks and what you can do to keep these attacks from compromising your organization.
A Serious and Growing Threat
On March 31, 2016, the US Department of Homeland Security (DHS) issued an alert warning about the proliferation of new ransomware variants such as Locky and Samas, which were hitting many businesses, and hospitals, healthcare providers, and other HIPAA-regulated entities in particular. DHS noted that most of these attacks are spread through phishing and spear-phishing emails.
Targeting Hospitals and Other HIPAA Related Entities
In many ways, the rash of recent ransomware attacks against hospitals is due not to new software so much as to a new business model. Cyber criminals have long targeted small businesses and consumers with such attacks. Only recently have they realized that the patient records held by hospitals and other healthcare organizations are so valuable that the organizations cannot function without access to them. What is more, hospitals are in the business of saving lives. They do not have the luxury of shutting down or waiting for an expert to unlock their files. Many simply pay up.
Healthcare Gears Up To Fight Against Security Threats
Healthcare organizations have responded with risk-mitigation measures such as user education, anti-virus products, and new security procedures. But healthcare security managers must continuously revamp their policies and toolsets to stay ahead, and one of the biggest weaknesses in most organizations is also their most reliable and ubiquitous tool: email.
Phishing and Spear Phishing Are The Biggest Vectors of Security Attacks
Email is critical. But it’s also a major security problem. In particular, phishing and its more potent variant, spear phishing, present a massive security challenge. Sixty-four percent of respondents to the 2015 Healthcare Information and Management Systems Society Survey indicated that they had experienced a security incident caused by an external actor such as an online scam or social engineering via email.
Industry estimates put a phishing email at the start of roughly ninety-one percent of hacking attacks.
Healthcare Uniquely Vulnerable to Spear Phishing
Every industry is vulnerable to phishing, but the healthcare industry has distinctive factors that create a high level of exposure to the threat:
- The distributed nature of healthcare, with doctors moving from hospital to hospital and corresponding with colleagues they rarely see in person, so an unfamiliar address or turn of phrase raises little suspicion.
- The hierarchical nature of most healthcare organizations, which makes staff reluctant to question a request that appears to come from a senior physician or administrator.
- The urgency of many medical issues, which makes recipients more likely to give an email's sender the benefit of the doubt when a demand for access to routine systems is framed as a life-or-death situation.
- The specialized hardware that healthcare organizations frequently provision for departmental workloads, which is often managed outside the central IT security toolset.
Consequences of Phishing in Healthcare
The business impact of a phishing attack can be sizeable in any industry, but in healthcare it is amplified by regulatory penalties.
Healthcare records are prized by identity thieves because they contain valuable personal data such as Social Security numbers, physical addresses, phone numbers, birth dates and credit card data.
The costs of containing a breach include legal liability, compensation for identity-theft victims, identity-protection services, and outright financial theft from the healthcare organization itself. In addition, healthcare organizations face civil fines mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Mitigating the Phishing Threat
It should not be a surprise that 96% of users want better protection against phishing attacks, according to Gartner's Magic Quadrant for Secure Email Gateways (July 2015). The key word here is "better." Many controls and countermeasures are already in place, but there is huge room for improvement, as the increasingly frequent ransomware and other attacks show.
HIPAA-Compliant Email Is Not Enough
Generally speaking, "HIPAA-compliant email" means that messages are encrypted so that they cannot easily be intercepted and read in transit. Encryption protects confidentiality; it says nothing about whether the sender is who the message claims, and it does nothing for employees who also use outside email accounts. Standard anti-spam and HIPAA-compliant email providers such as Google and Microsoft will not stop every phishing and spear-phishing email from reaching employees.
Standard Email Filtering and Anti-Virus Won’t Work Either
Web-filtering software typically cannot reliably block phishing URLs, because phishing sites are generally not online long enough to be blacklisted before the campaign is over. Anti-virus systems do not help either, since the initial breach often involves no malware at all: just a link and a request for credentials.
Training is important but insufficient.
A surprisingly high 23% of recipients open phishing messages, and 11% click on the links in them, according to security industry research. It takes only one careless employee responding to a phishing email to put your network at risk, so a technical control is needed in addition to employee training.
A dedicated anti-phishing solution is needed, one that can recognize the distinctive traits both of mass phishing emails and of targeted, one-off spear-phishing attacks.
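As an added illustration of what recognizing the traits of a phishing message can mean in practice, here is a header-based heuristic that does not depend on a URL blacklist: it flags a known colleague's display name on the wrong address, a sender domain within a couple of edits of the organization's own, a Reply-To that diverts replies elsewhere, and urgency wording. This is example code written for this page, not code from the guide or from any vendor's product; the hospital domain, the directory of known senders, and the three messages are all constructed.

```python
"""Header-based spear-phishing heuristics (added example, not the guide's code).

Scores a raw RFC 5322 message on traits that need no URL blacklist:
display-name impersonation of a known colleague from the wrong address,
a lookalike sender domain, a Reply-To that diverts replies, and urgency
wording. The domain, directory and sample messages below are constructed.
"""
from email import policy
from email.parser import BytesParser

# Constructed: the hypothetical hospital's own domain and the senders an
# attacker would most plausibly impersonate (lower-cased name -> real address).
OWN_DOMAIN = "stmary-hospital.example"
KNOWN_SENDERS = {
    "dr. elena ruiz": "eruiz@stmary-hospital.example",
    "it service desk": "helpdesk@stmary-hospital.example",
}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats like stmary-hospita1.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_address(msg, header: str):
    """Return (display_name, addr_spec) of the first mailbox in a header, or ("", "")."""
    value = msg.get(header)
    if value is None or not value.addresses:
        return "", ""
    mailbox = value.addresses[0]
    return mailbox.display_name, mailbox.addr_spec.lower()


def score_message(raw: bytes) -> dict:
    """Return the sender address, a 0-4 score and the list of triggered traits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = first_address(msg, "From")
    _, reply_to = first_address(msg, "Reply-To")
    domain = addr.rpartition("@")[2]
    reasons = []

    # 1. A known colleague's name on an address that is not theirs.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append("display-name impersonation")

    # 2. A sender domain within two edits of our own (typo-squat / homoglyph).
    if domain != OWN_DOMAIN and 0 < levenshtein(domain, OWN_DOMAIN) <= 2:
        reasons.append("lookalike domain")

    # 3. Replies silently routed to an address other than the visible sender.
    if reply_to and reply_to != addr:
        reasons.append("reply-to mismatch")

    # 4. Pressure wording shared by mass phishing and targeted spear phishing.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(cue in text for cue in URGENCY_CUES):
        reasons.append("urgency cue")

    return {"from": addr, "score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real traffic).
SPEAR = b"""From: "Dr. Elena Ruiz" <eruiz@stmary-hospita1.example>
Reply-To: elena.ruiz.md@webmail.example
To: ward4-nurse@stmary-hospital.example
Subject: Patient transfer records

Please send me the transfer records for ward 4 immediately, I am in theatre.
"""

MASS = b"""From: "IT Service Desk" <support@mailer-blast.example>
To: ward4-nurse@stmary-hospital.example
Subject: Mailbox quota exceeded

Your mailbox will be locked within 24 hours unless you verify your password.
"""

LEGIT = b"""From: "Dr. Elena Ruiz" <eruiz@stmary-hospital.example>
To: ward4-nurse@stmary-hospital.example
Subject: Rota for next week

Attached is next week's rota.
"""

if __name__ == "__main__":
    for label, raw in (("spear", SPEAR), ("mass", MASS), ("legit", LEGIT)):
        print(label, score_message(raw))
```

Run stand-alone, the script scores the constructed spear-phishing message 4 (every trait fires), the mass phish 2 (impersonated display name plus urgency), and the legitimate rota email 0. In a real deployment a score like this would be one signal among several, not a verdict on its own, and the known-sender directory would come from the organization's own directory service rather than a hard-coded table.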
Read more about the specific features needed in such a solution, how the various security and filtering solutions compare, and how your hospital or healthcare organization can quickly deploy a phishing and spear-phishing defense by downloading our free 16-page Guide on Phishing for HIPAA-Regulated Organizations.