Phishing attacks continue to pelt healthcare organizations, successfully gaining access to invaluable patient data and the personal information of staff members. This information — Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — is typically used to make illegal purchases or otherwise commit fraud. These exploits also create entryways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.
Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 X 24), and post it!
BUT FIRST… before you jump down the page, let’s quickly explore the big question: Is a major phishing exploit likely to hit your organization? Absolutely. In the first half of 2018 alone, we’ve seen many successful phishing exploits, and no form of healthcare enterprise is immune. Here is a small sampling from the last few months:
- A phishing attack on Ohio-based Aultman Health Foundation provided access to the data of 42,600 patients for more than a month.
- UnityPoint Health’s business system was compromised by a phishing attack in which 1.4 million patients may have had their records breached. This is UnityPoint’s second breach this year after an April event breached the data of 16,000 patients.
- Employees of Sunspire Health, a national network of addiction treatment facilities, were hit by a phishing email campaign that exposed patient information for at least two months.
- A phishing attack on Wisconsin’s Manitowoc County enabled breaches of personal healthcare information for three months.
- A phishing attack on CareFirst BlueCross BlueShield potentially breached the personal data of 6,800 patients, just three years after it was hit by a seismic cyberattack that impacted 1 million members. Victims of the earlier attack are now suing.
- Portland, OR-based Legacy Health discovered an unauthorized individual accessed its email system and the health data of approximately 38,000 patients. The perpetrator duped employees via phishing emails.
- A phishing attack on employees at Missouri’s Children’s Mercy Hospital exposed PHI on more than 60,000 individuals. The unauthorized account access resulted from phishing emails sent to just two employees.
- Employees at Alive Hospice in Tennessee were scammed, but it took five months to discover the resulting breaches.
Phishing attacks that deploy various social engineering approaches are so common because they are extremely powerful, according to a new study by security firm Positive Technologies. The study applied real-world hackers’ techniques to send over 3,000 emails to employees of 10 organizations, using links to websites, password entry forms, and attachments. 17% of the emails succeeded in tricking recipients into taking actions that would have resulted in data breaches and potentially compromised the entire corporate network. Employees often opened unknown files, clicked suspicious links, and corresponded with attackers. “In 88 percent of cases, these overly trusting employees worked outside of IT. One-quarter of the employees were team supervisors. However, no one is immune from mistakes: 3 percent of security professionals fell for the bait as well.”
The social engineering tactics that phishers use are numerous and growing more sophisticated every day. It’s beyond the scope of this article to enumerate them, but in summary, they range from simple but intriguing emails with infected attachments from strangers, to phishing messages sent from the accounts of employees of real banks and known companies that the hacker has previously compromised just for this purpose. Cybercriminals use emotional hooks, e.g., fear, greed, and hope, to make their attacks more effective. Subject lines may be carefully devised to inspire a response: “List of employees to be laid off,” “Annual bonuses,” “Your IRS tax return requires attention,” “Action needed to prevent bank penalty.” Emotional triggers often succeed in making employees lose sight of basic security rules.
Your IT department needs to be very savvy about the social engineering/phishing threats that abound today. In turn, your organization should strongly support the development, updating, and implementation of a multi-faceted training and reminder program to maintain high information security awareness among all staff members. Training must be periodic and followed by testing — and include everyone from accounting clerks to physicians to the CEO. Training should cover practical aspects of security and emphasize that all staff members have security responsibilities. It should clearly define how staff should inform the Security Officer or IT of suspected phishing emails or other security compromises.
Just as important, security procedures and responsibilities must be reinforced frequently via various communication methods. Consider quick 5-minute reminder sessions at the close of brown bag lunches, highlighted alerts in enterprise newsletters, and notices on bulletin boards. (That’s where our new poster comes in!) When everyone works together for optimal security, security staff can quickly start response and mitigation if an infection or data leak occurs, minimizing personal data exposure and collateral damage.
We hope you and your hospital staff will enjoy and benefit from our new poster “How to Catch the Online Sharks Who Are Phishing for You.” It’s a strong, eye-catching reminder of the security threats we all face and provides some significant tips on avoiding them. Either print the poster yourself or, even better, get an inexpensive local printer to print several at full 18 X 24 resolution on card stock. Breakrooms…bulletin boards…get the word out!