Phishing attacks, at an all-time high in 2018, continue to pelt healthcare organizations, gaining access to invaluable patient data and the personal information of staff members. Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures are grabbed and used to make illegal purchases or otherwise commit fraud. Mobile devices have morphed into profitable new opportunities for criminals executing phishing attacks, because identifying and blocking mobile-based phishing attacks is especially difficult for both individuals and employers’ current security technologies. These exploits create entry points into entire hospital computer networks and wreak broad-scale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.
Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 x 24), and post it!
BUT FIRST… before you jump down the page, let’s quickly explore the big question: Is a major phishing exploit likely to hit your organization?
In 2018 we saw far too many successful phishing exploits, and they showed that no type of healthcare enterprise is immune. No type of device was immune either. In fact, according to one 2018 study, mobile device phishing attacks had increased 85 percent, year-over-year, since 2011, primarily because of the increasing amount of data collected by every site and app visited on these devices.
Have you noticed? Get on your phone or tablet, do an internet search or purchase, and soon a targeted marketing ad (or many!) will appear in your Facebook or Instagram feed based on your online behaviors. Much of our activity online is no longer private and is not only sent to legitimate websites, but may be accessed through security holes by cybercriminals who are always on the lookout for tasty potential phishing victims.
Almost 30 percent of identity thefts in 2017 occurred in the healthcare industry, according to Experian statistics. The 2018 Verizon data breach report revealed that phishing attacks are still on the rise, with 43% of data breaches stemming from such incidents. The average cost of a data breach is reported to be $408 per record, almost 3 times the cross-industry average. Just as concerning, these data breaches can result in major damage to providers’ reputations.
Here is a small sampling:
- UnityPoint Health experienced the biggest healthcare data breach in 2018. Its business system was compromised by a phishing attack in which 1.4 million patients may have had their records breached. This was UnityPoint’s second breach in 2018 after an April event breached the data of 16,000 patients.
- A phishing attack on Ohio-based Aultman Health Foundation provided access to the data of 42,600 patients for more than a month.
- Employees of Sunspire Health, a national network of addiction treatment facilities, were hit by a phishing email campaign that exposed patient information for at least two months.
- A phishing attack on Wisconsin’s Manitowoc County enabled breaches of personal healthcare information for three months.
- A phishing attack on CareFirst BlueCross BlueShield potentially breached the personal data of 6,800 patients, just three years after it was hit by a seismic cyberattack that impacted 1 million members. Victims of the earlier attack are now suing.
- Portland, OR-based Legacy Health discovered an unauthorized individual accessed its email system and the health data of approximately 38,000 patients. The perpetrator duped employees via phishing emails.
- A phishing attack on employees at Missouri’s Children’s Mercy Hospital exposed PHI on more than 60,000 individuals. The unauthorized account access resulted from phishing emails sent to just two employees.
- Employees at Alive Hospice in Tennessee were scammed, but it took five months to discover the resulting breaches.
Phishing attacks that deploy various social engineering approaches are so common because they are extremely powerful, according to a study by security firm Positive Technologies. The study applied real-world hackers’ techniques to send over 3,000 emails to employees of 10 organizations, using links to websites, password entry forms, and attachments. 17% of the emails succeeded in tricking recipients into taking actions that would have resulted in data breaches and potentially compromised the entire corporate network. Employees often opened unknown files, clicked suspicious links, and corresponded with attackers. “In 88 percent of cases, these overly trusting employees worked outside of IT. One-quarter of the employees were team supervisors. However, no one is immune from mistakes: 3 percent of security professionals fell for the bait as well.”
The social engineering tactics that phishers use are numerous and growing more sophisticated every day. It’s beyond the scope of this article to enumerate them, but in summary, they range from simple but intriguing emails with infected attachments from strangers to phishing messages sent from the accounts of employees of real banks and known companies that the hacker has previously compromised just for this purpose. Cybercriminals use emotional hooks such as fear, greed, and hope to make their attacks more effective. Subject lines may be carefully devised to inspire a response: “List of employees to be laid off,” “Annual bonuses,” “Your IRS tax return requires attention,” “Action needed to prevent bank penalty.” Emotional triggers often succeed in making employees lose sight of basic security rules.
Your IT department needs to be very savvy about the social engineering/phishing threats that abound today. In turn, your organization should strongly support the development, updating, and implementation of a multi-faceted training and reminder program that maintains high information security awareness among all staff members. Training must be periodic, must be followed by testing, and must include everyone from accounting clerks to physicians to the CEO. Training should cover practical aspects of security and emphasize that all staff members have security responsibilities. It should clearly define how staff should inform the Security Officer or IT of suspected phishing emails or other security compromises.
Just as important, security procedures and responsibilities must be reinforced frequently via various communication methods. Consider quick 5-minute reminder sessions at the close of brown bag lunches, highlighted alerts in enterprise newsletters, and notices on bulletin boards. (That’s where our new poster comes in!) When staff and security teams work together for optimal security, an infection or data leak gets reported promptly, so security staff can quickly start response and mitigation and minimize personal data exposure and collateral damage.
We hope you and your hospital staff will enjoy and benefit from our new poster “How to Catch the Online Sharks Who Are Phishing for You.” It’s a strong, eye-catching reminder of the security threats we all face and provides some significant tips on avoiding them. Either print the poster yourself or, even better, get an inexpensive local printer to print several at full 18 x 24 resolution on card stock. Breakrooms… bulletin boards… get the word out!