Phishing in Healthcare Settings
Adrien Gendre
—December 03, 2015
—4 min read
Despite the fact that security and compliance requirements for healthcare are fairly well understood today, new threats regularly force change onto an evolving risk management landscape. Phishing in particular is a rising threat that exposes healthcare providers to substantial risks that need to be mitigated with strong countermeasures.
Phishing: An Emailed Threat
Phishing uses deceptive emails and fake web URLs to trick employees into disclosing login credentials and personal information or downloading malware. Thousands of phishing attacks launch every day, many of them targeted at healthcare organizations. Sixty four percent of respondents to the 2015 Healthcare Information and Management Systems Society Survey indicated that they had experienced a security incident caused by an external actor such as an online scam or social engineering. These techniques are the essence of phishing.
Security industry research reveals that 11% of recipients click on links in phishing emails. Otherwise savvy people click on links due to sophisticated impersonation techniques. For instance, a healthcare phishing attack might involve an email that looks as if it’s coming from a familiar vendor such as LabCorp with the subject “Patient Results Available.” The email will look exactly like a LabCorp email. The link in the email will take the recipient to a perfectly “spoofed,” identical copy of the log-in page on labcorp.com. When the recipient tries to log in, his or her credentials get stolen. Now, the hacker can log into LabCorp and access PHI from the healthcare organization’s patient rolls.
“Spear phishing,” a new version of phishing, uses the identities of friends and colleagues to make the email more convincing. For instance, imagine that Dr. John Smith and Dr. Jeff Jones practice radiology at a large hospital. A phisher, looking at the “Our Physicians” section of the hospital website, gathers the doctors’ names and prepares an attack email addressed to Dr. Smith. The email says, “Hey, John, can you please take a look at the attached X-ray image and get back to me. Thanks, Jeff.” The attached image file may actually be an X-ray, but it also loads keystroke logging malware onto Dr. Smith’s device. Or perhaps the email only includes a link to a malware site made to look exactly like the secure imaging system used by the hospital. Either way, the phisher can collect Dr. Smith’s intranet credentials — a free pass to invade the hospital’s private networks. Any PHI and other HIPAA-regulated data is at risk of being improperly accessed.
A Single HIPAA Breach Can Be Disaster
Phishing has serious business impacts for healthcare organizations, including reputation damage, loss of intellectual property or trade secrets and exposure of customer records. There can also be direct financial costs such as regulatory fines, legal liability, costs to compensate identity theft victims affected by the attack and outright financial theft. Healthcare records are greatly sought after by identity thieves because they contain a goldmine of personal data often including social security numbers, physical addresses, phone numbers, birthdates, and credit card data.
Potential HIPAA violation penalties range from $100 to $50,000 per patient record. Penalties are capped at a whopping $1.5 million per identical violation and $10 million for a single set of incidents. The average HIPAA fine cost $2 million in 2014, according to The Ponemone Institute, as cited in HealthCareIT News. In one case, New York-Presbyterian Hospital and Columbia University Medical Center agreed to pay $4.8 million to settle alleged HIPAA violations after 6,800 patients were leaked onto Google. The average cost for a security incident of the 350 corporations surveyed by Ponemone was $3.79 million.
Average security breach costs for a healthcare organization were $363 per patient record according to the Ponemone Institute’s 2015 Cost of Data Breach Study: Global Analysis. This is the highest per capita cost for a security incident of any industry. How many patient records does your organization have? How many could a malicious actor access with the right credentials?
These are not just accidental or careless breaches. According to the same study, fully 47% of the reported data breaches involved malicious actors. The ultimate cost to your organization could dwarf even the maximum HIPAA penalties.
HIPAA Compliant Email is Not Enough
Generally speaking, HIPAA compliant email has been encrypted so that it is not easily intercepted and exploited when in transit. There are many HIPAA compliant email vendors, including Microsoft 365 and Google Apps. However, just because your email systems are encrypted does not generally protect your employees from receiving outside emails. This is the threat posed by phishing. Standard anti-spam and HIPAA email compliance will not prevent phishing and spear phishing email from getting through to your employees. Other standard tools will also generally fail to stop well-crafted phishing attempts.
Even if you are using HIPAA compliant tools, your organization is still probably at risk from Phishing attacks.
How can this happen?
The answer is that the email evades your anti-spam filters because they aren’t “spammy” and they feature URLs that appear harmless when being examined by standard email filtering software. After passing the filter, the phishing email waits in the recipients’ in-box. Within a short time, perhaps an hour, the hacker will redirect that link to a malicious site. When the recipient opens the email, the link it contains is now toxic and leads, for example, to a phishing site that is stealing user credentials. This won’t be stopped by your web-filtering software because phishing sites are generally not online long enough to get black-listed.
Anti-virus systems won’t help in this case because there is no virus involved. The site is brand new, so it would not appear on any black-lists and would not trigger standard web filters.
Specific Anti-Phishing Tools Are Needed
Vade anti-phishing solution offers unique protections that can be layered on top of existing anti-spam solutions to provide better overall email protection to healthcare employees and organizations.
Heuristic Email Filtering — employs artificial intelligence that has been taught to spot phishing threats. Tapping into rules developed by monitoring hundreds of millions of email boxes for 10 years, the system is always learning and finding new threats. It looks at the characteristic of each individual email, not relying on outside reports of malicious activity (which can come too late).
Dynamic Webpage Exploration — every URL included in emails is safely explored in a remote sandboxed environment to see if it contains any malware, honeypots or malicious code. Vade is unique in that it makes the exploration at the moment an employee clicks on the link. It avoids the problem of phishers sending clean links that they later point to malicious URLs. The software can also automatically make bad pages inaccessible, effectively taking them down.
Identity MatchTM — uses proprietary processes to spot one-off spear phishing attacks by matching the style and technical indicators of the claimed sender of any given email with known information about the actual sender.
Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.