In the United States, healthcare sector phishing attacks have been to blame for exposing the protected health records of well over 90 million Americans over the course of the past year. That’s in excess of 28% of the population of the United States.
Recently, another case of healthcare sector phishing has been uncovered with the announcement of Connecticut’s Middlesex Hospital data breach. The hospital found that four of its employees responded to a phishing email, resulting in their email account logins being shared to a hacker’s command and control center. In this instance the damage caused by the phishing attack was controlled, and only 946 patients had their data exposed. Other healthcare groups have not been nearly so lucky.
2015 sees Largest ever healthcare industry phishing attack ever
In February 2015, Anthem Inc., the second largest health insurance firm in the United States, discovered it had suffered the mother of all healthcare data breaches. Around 78.8 million health insurance subscriber records were stolen by criminals in the attack. The breach happened prior to February, when it was first noticed, and the hackers had lots of time to obtain data.
Another U.S. health insurance group noticed that it had also been hacked just a couple of weeks later. Premera Blue Cross similarly found out that hackers had obtained access to its systems many months previously and had potentially obtained the records of over 11 million insurance clients.
Both security breaches were very complex in nature, but were discovered to have their roots in healthcare sector phishing campaigns. Staff members had responded to phishing emails which ultimately allowed hackers to obtain access to huge amounts of highly confidential healthcare data.
In 2014, Community Health Systems were hit by a data breach that left the PHI of 4.5 million individuals accessible in what was then the second largest healthcare data breach witnessed. That data breach was the result of a phishing campaign sent to its staff members.
Healthcare Sector Phishing Attacks Witnessed with Alarming Frequency
In the past year, many healthcare providers and health plans have fallen victim to phishers. Some of the healthcare industry phishing attacks have been summarized in the table here:
Hackers Attracted by Easy Targets and Massive Rewards
In the United States, healthcare groups and their business associates are covered by legislation which requires that the strongest possible protections be put in place to keep computer networks secure and patient health data safeguarded from attack. The Health Insurance Portability and Accountability Act (HIPAA) requires administrative, technical, and physical security measures to be used to keep the Protected Health Information (PHI) of patients safe 100% of the time.
Even though the healthcare sector is heavily regulated, the industry is trailing behind others when it comes to data security. Hackers often see healthcare organizations as an ideal target. Their networks are complex and difficult to secure completely, and IT security budgets are not enough to ensure that all of the appropriate protections are put in place to keep data safe.
Additionally, healthcare providers and health insurers store a very high volume of highly sensitive data on patients and subscribers. Those data are much more valuable to thieves than credit card numbers. Health data, Social Security numbers, and personal information can be used to carry out identity theft, medical fraud, insurance fraud, credit card fraud, and tax fraud. One set of patient data can allow hackers to fraudulently obtain tens of thousands of dollars, and the data can usually be used for much longer than credit card numbers before fraud is noticed.
It is therefore no shock that healthcare providers are such an attractive target. There are potentially massive rewards to be gained and little effort is needed. Healthcare sector phishing is therefore prevalent, and spear phishing campaigns are now increasingly being used to get busy healthcare employees to reveal their login details. Many of those campaigns are proving to be bear profit.
Healthcare Industry reports suggest that the sector in the United States does not have sufficient controls in place to prevent against phishing attacks. A KMPG study completed earlier this year showed that 81% of U.S. healthcare groups had suffered cyberattacks, botnet, and malware infections. Other research carried out by Raytheon/Websense suggested that the healthcare sector in the United States suffered 340% more data breaches than other areas.
Healthcare Sector Phishing Emails are Not Easy to Spot
Up until recent years, a phishing email could be spotted from a mile away. They had many spelling mistakes and grammatical errors. Nigerian 419 scams were commonly seen and easily identified. Malicious email attachments were sent, yet they could be easily be noticed as they were rarely hidden. It is a basic task to train staff never to open an executable file sent through email.
This is not the case today. Healthcare industry phishing emails are not always easy to notice. Malicious emails are formulated with a high level of expertise, spell checks are used, subjects are researched, as are the targets. Links are shared with phishing websites that hackers have spent a lot of time, money, and resources developing. Even a n expert eye can have trouble distinguishing a fake site from a real one. The threat landscape has altered massively in just a few years.
Sometimes healthcare sector phishing emails are so realistic that many members of staff are fooled into replying. Franciscan Health System is a good example to study. In 2014, a phishing campaign was sent to the healthcare provider using email. The scam was very basic. Workers were sent an email that included a link and a valid reason to click it. They clicked through to a website which required them to enter their specific login details. 19 workers were tricked by the campaign and revealed their email account login names and passwords. Contained in their email accounts were patient information and up to 12,000 patients were impacted.
What can be done to Minimize the Danger Posed by Phishing Attacks?
There are a number of controls and security measures that can be implemented to minimize the risk of healthcare industry phishing campaigns being successful, and multi-layered defenses are key to controlling risk.
- Regular Staff Training: All staff should be trained on email and internet security, and told how to identify phishing emails and phishing web portals. They must be given a list of best practices, and their knowledge should be reviewed. The sending of dummy phishing emails is a good way to check to see if they have taken onboard the information given in training sessions.
- Powerful Anti-Virus and Anti-Malware Software: Different anti-virus and anti-malware solutions should be used and virus/malware definitions updated automatically. Regular scans of the network and individual devices should be set for at times of low network activity.
- Spam Filtering Software: Spam filtering solutions are vital. One of the most effective ways of preventing end users from falling for phishing emails is to make sure they never receive them. Powerful anti-spam solutions will block and quarantine malicious email attachments and eliminate phishing emails from being sent to employees.
- Web Filtering Solutions: Not every phishing campaign is sent through email. Social media websites are often used as an attack vector and malicious website adverts can take users to phishing websites. Using a web filter to limit the types of websites that users are allowed to viewt can significantly reduce the risk of users falling for a phishing campaign. Web filtering solutions will also restrict access to known phishing websites.
