Healthcare Phishing: Protecting SMBs from Office 365 Attacks
Adrien Gendre
—October 24, 2019
—2 min read
While it doesn’t get the media attention of attacks on large healthcare organizations, cyberattacks on small, private healthcare organizations are a daily occurrence. With lower budgets than large healthcare organizations, small to midsized (SMB) healthcare organizations often lack the IT resources of large organizations. This makes them an attractive and easy target for cybercriminals.
What cybercriminals want from SMB healthcare organizations
Healthcare data has the highest revenue on the open market, with records going for up to $1,000 on the black market. With a single record in hand, a cybercriminal has the potential to do incalculable amounts of damage, both to the record owner and the breached healthcare organization.
In the first half of 2019, 31 million patient records were breached in the US. Each of these records represents a treasure of information for cybercriminals, including names, birthdates, social security numbers, and more. For each breached record, there is an associated cost, including the cost to investigate the breach, recover stolen records, and pay litigation fees. For SMB healthcare organizations, a massive breach could be unrecoverable.
[Related Content] SMBs Look to MSPs for Cybersecurity Support
Phishing for healthcare records
Although there are endless ways for a hacker to breach healthcare records, the simplest and most efficient method is through phishing. For the top breaches of 2019, it was the main culprit, with ransomware being used to hold several organizations hostage.
While most SMBs have invested in phishing awareness training, phishers are using sophisticated techniques to fool both users and email filters. From abusing URL redirections and shorteners to mixing legitimate and illegitimate content, these obfuscation techniques make it difficult for traditional solutions to detect phishing.
To make things worse, sophisticated phishers are researching SMB healthcare organizations and designing their attacks specifically for the organization and its users, targeting specific users and manipulating them with unique, individualized attacks.
In one example, staff at a private community healthcare organization received an Office 365 phishing email encouraging them to complete an employee satisfaction survey. The email included the organization’s logo and other branding, and the survey itself was a working survey that collected data from each user.
[Related Content] KVC Health Systems Eliminates Email Security Incidents with Vade for M365
Attacks like this demonstrate the increasingly targeted nature of Office 365 phishing attacks and the diligence required to block them, both from a human and technological perspective. Phishing awareness training is a must, and it works, but the latest phishing techniques make attacks more difficult to spot, especially when they’re highly targeted.
Many smaller organizations that use Office 365 object to investing in more cybersecurity because of the added costs. Additionally, MSPs often struggle to convince their clients to add an extra layer of security beyond Office 365’s native solution, Exchange Online Protection (EOP).
As several MSPs have learned, thanks to a wave of ransomware in 2019, the consequences of phishing reach beyond the client and directly into an MSP’s business. With more clients moving to Office 365, MSPs need to offer a solution that is natively integrated and designed specifically to protect Office 365.
Read our case study to learn how one SMB healthcare organization eliminated phishing threats with Vade for M365.