Phishing and Healthcare

Phishing is an email-borne hacking technique that lures message recipients into disclosing confidential information. Spear phishing, where the hacker impersonates someone the target knows or references specific projects or mutual social connections, is even more dangerous.

Both phishing techniques have proven extremely effective at penetrating hospitals, healthcare entities, and other HIPAA-related organizations. What’s worse, standard email filtering and anti-virus software are ineffective in preventing the spread of these devastating attacks.

Download our 16-page Guide on Phishing for HIPAA-Regulated Organizations, detailing the business risks and what you can do to prevent these attacks from compromising your organization.

A Serious and Growing Threat

On March 31, 2016, the US Department of Homeland Security (DHS) issued a new alert warning about the proliferation of new ransomware variants such as Locky and Samas that were impacting many businesses, especially hospitals, healthcare, and other HIPAA-related entities. The DHS noted that most of these attacks are being spread through phishing and spear phishing emails.

Targeting Hospitals and Other HIPAA-Related Entities

In many ways, the rash of recent ransomware attacks against hospitals is not due to new software so much as a new business model. Cyber criminals have long targeted small businesses and consumers with such attacks. However, they have only recently realized that the patient records held by hospitals and other healthcare organizations are so valuable that the organizations can’t function without access to them. What’s more, hospitals are in the business of saving lives. They simply don’t have the luxury of shutting down or waiting for an expert to unlock their files. Many simply pay up.

Healthcare Gears Up To Fight Against Security Threats

Healthcare organizations have responded by implementing rigorous risk mitigation strategies like education, anti-virus solutions, and new security procedures. However, healthcare security managers must continuously revamp their policies and toolsets to stay ahead. One of the biggest weaknesses of most organizations is also their most reliable and ubiquitous tool: email.

Phishing and Spear Phishing Are The Biggest Vectors of Security Attacks

Email is critical. But it’s also a major security problem. In particular, phishing and its more potent variant, spear phishing, present a massive security challenge. Sixty-four percent of respondents to the 2015 Healthcare Information and Management Systems Society Survey indicated that they had experienced a security incident caused by an external actor, such as an online scam or social engineering via email.

An estimated ninety-one percent of hacking attacks include a phishing attack.

Healthcare Uniquely Vulnerable to Spear Phishing

Every industry is vulnerable to phishing attacks, but the healthcare industry has distinctive factors that create a high level of exposure to the threat:

  • The distributed nature of healthcare, as doctors go from hospital to hospital.
  • The hierarchical nature of most healthcare organizations.
  • The urgency of many medical issues: when an email demands access to routine systems in the context of a potential life-or-death situation, recipients are more likely to give the sender the benefit of the doubt.
  • Healthcare organizations frequently provision specialized hardware for departmental workloads.

Consequences of Phishing in Healthcare

The business impacts of a phishing attack can be sizeable in any industry, but in healthcare their effects are amplified by regulatory penalties.

Healthcare records are prized by identity thieves because they contain valuable personal data such as Social Security numbers, physical addresses, phone numbers, birth dates and credit card data.

Costs to contain a breach include legal liability, identity theft victim compensation, identity protection services and outr