BreachExchange mailing list archives
Why Phishing Scams Cannot Be Ignored by Healthcare Entities
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 30 Apr 2015 18:57:51 -0600
http://healthitsecurity.com/2015/04/30/why-phishing-scams-cannot-be-ignored-by-healthcare-entities/

Phishing scams are not a new security threat to the healthcare industry, but that does not mean that covered entities should not consider them when working to prevent data breaches. As technology evolves, it becomes more important for healthcare organizations to broaden their approach to privacy and security, accounting for newer threats but not forgetting about older forms of attack.

What are phishing scams?

Phishing scams are social engineering attacks where cyber attackers use email or websites to trick individuals into giving up their personal information. Healthcare phishing scams typically involve employees giving up their usernames and passwords, which could give the hackers access to more sensitive information, such as patients’ PHI.

“An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity,” according to the US Computer Emergency Readiness Team (CERT) website. “However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network.”

CERT added that attackers may contact more than one person at an organization, ensuring that they can gather enough information to cause damage. The hackers could also do this to seem more credible to the second individual, as they will have already gathered some data from the first source.

What are best practices to avoid falling victim to phishing scams?

A key aspect to preventing healthcare phishing scams from being successful is for employees to remain vigilant. Even staying on the lookout for simple things, such as misspelled words in URLs or domain names being spelled wrong, could be beneficial. Additionally, hovering the cursor over a link may reveal that it points to a different address.

CERT cautions that employees should “be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.” Moreover, it can be beneficial to try to verify unknown individuals’ identities. Employees can ask a caller or person emailing to verify his or her identity directly with the company.

“Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information,” CERT explains on its website. “Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.”

CERT also suggests the following tips to keep facilities secure in email communications:

- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don’t send sensitive information over the Internet before checking a website’s security (see Protecting Your Privacy for more information).
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

The National Institute of Standards and Technology (NIST) suggests in its “Guide to Cyber Threat Information Sharing” that organizations should consider anonymizing email samples and removing any sensitive information that is not relevant to incident responders. This is because email headers may contain infrastructure information such as internal IP addresses or host names.

“For phishing and other attacks, it is natural to look for instances of the targets’ names, email or account names, in the body as well as the subject and attachments of the message,” the guide states. “Organizations may also not wish to share the fact that they have been attacked, so reports may employ pseudonyms such as ‘USBUS1’. If this is the case, then any artifacts of the attack, such as packet captures or files, should be examined for revealing target IP addresses, domains, and URLs.”

Technical safeguards will also be essential to health data security. In its “Guidelines on Electronic Mail Security,” NIST suggests that facilities enable anti-spam and anti-phishing features. “These features often have rather permissive settings by default, so it may be beneficial from a security perspective to set them to a higher level,” the guide states. “Also, users should be educated on reviewing tagged or filtered messages to identify ones that have been incorrectly labeled. Some mail clients allow users to configure filtering features such as creating lists of safe senders and senders to block.”

How is this still relevant to healthcare data security?

Many of the top healthcare privacy and security headlines revolve around sophisticated cyber attacks where hackers have infiltrated databases to gain access to sensitive data. However, by also having access to employee usernames and passwords, hackers could potentially get even farther into these types of databases. Or, hackers could try to gain sensitive information after an initial breach. For example, a phishing scam could be made to fool patients, or individuals whose information was part of an initial breach. The scammers could send emails to patients, posing as a hospital or other credible source. Patients could then unknowingly supply the hackers with even more data that was not originally accessed.

Healthcare organizations need to stay smart and keep themselves current on what the latest threats are to privacy and security. Thorough employee training, along with the right training exercises, will help users understand the safest ways to send and receive information through email. Additionally, keeping patients aware of what to look out for could also be beneficial. Socially engineered attacks are likely not going away anytime soon, and will continue to become more sophisticated. However, facilities need to remain aware of all possible threats.
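Two of the checks the article describes, comparing the address a link displays with the address it actually points to (the "hover over the link" test, including spelling variations and .com-vs-.net swaps) and the NIST advice to scrub internal IP addresses, hostnames and the targeted mailbox from an email sample before sharing it with responders, as an added Python example. This code is not from the article or the mailing-list post; the sample message, the example-hospital domain names, the trusted-domain list, the ".local means internal" rule and the digit-for-letter lookalike table are all constructed assumptions.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original post): the sender domain swaps a
# digit for a letter, the visible link text names the real portal while the
# href points at a different TLD, and the Received header leaks an internal
# hostname and RFC 1918 address of the kind NIST says to scrub before sharing.
SAMPLE_EML = """\
Received: from mail-internal.example-hospital.local (10.20.30.40)
        by mx1.example-hospital.org with ESMTP; Thu, 30 Apr 2015 10:00:00 -0600
From: "IT Helpdesk" <helpdesk@examp1e-hospital.org>
To: nurse.jane@example-hospital.org
Subject: Password expires today - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://portal.example-hospital.net/login">https://portal.example-hospital.org</a>
to keep your access.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-hospital.org"}  # assumption: the organisation's own domain(s)

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
INTERNAL_HOST_RE = re.compile(r"\b[\w.-]+\.local\b")  # assumption: internal names end in .local
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})  # digits that pass for letters

def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .org/.net/.com; a real
    deployment would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """None if the domain is trusted; otherwise why it is suspicious: a TLD swap
    or a digit-for-letter lookalike of a trusted domain, else plain 'untrusted'."""
    if domain in trusted:
        return None
    sld, _, tld = domain.partition(".")
    for t in sorted(trusted):
        t_sld, _, t_tld = t.partition(".")
        if sld == t_sld and tld != t_tld:
            return f"tld swap ({t} -> {domain})"
        if sld != t_sld and sld.translate(HOMOGLYPHS) == t_sld:
            return f"lookalike of {t}"
    return "untrusted"

def suspicious_links(html):
    """Flag anchors whose visible text is a URL on a different host than the
    href (what hovering the link would reveal) and hrefs on untrusted domains."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = registrable_domain(urlparse(href).hostname or "")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        reasons = []
        if shown.lower().startswith(("http://", "https://")):
            shown_host = registrable_domain(urlparse(shown).hostname or "")
            if shown_host != href_host:
                reasons.append(f"text shows {shown_host} but link goes to {href_host}")
        why = classify_domain(href_host)
        if why:
            reasons.append(why)
        if reasons:
            findings.append({"href": href, "text": shown, "reasons": reasons})
    return findings

def analyze(raw):
    """Parse a raw RFC 822 message and report sender-domain and link findings."""
    msg = email.message_from_string(raw)
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.partition("@")[2])
    return {"sender_domain": from_domain,
            "sender_reason": classify_domain(from_domain),
            "links": suspicious_links(html)}

def redact_for_sharing(raw, trusted=TRUSTED_DOMAINS):
    """Scrub internal IPs, internal hostnames and the targeted mailbox so the
    sample can be shared without exposing infrastructure or the victim."""
    redacted = PRIVATE_IP_RE.sub("[INTERNAL-IP]", raw)
    redacted = INTERNAL_HOST_RE.sub("[INTERNAL-HOST]", redacted)
    own = "|".join(re.escape(t) for t in sorted(trusted))
    return re.sub(rf"[\w.+-]+@({own})\b", r"[TARGET]@\1", redacted)

if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print("sender:", report["sender_domain"], "->", report["sender_reason"])
    for link in report["links"]:
        print("link:", link["href"], "->", "; ".join(link["reasons"]))
    print(redact_for_sharing(SAMPLE_EML))
```

The lookalike table and the two-label domain rule are deliberately small; in production the same checks would run against the public suffix list and a fuller confusable-character table, and the redaction would also cover the organisation's public IP ranges. The lookalike sender is left in the redacted copy on purpose, since the attacker's infrastructure is exactly what responders need to see.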
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)