BreachExchange mailing list archives

Why Phishing Scams Cannot Be Ignored by Healthcare Entities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 30 Apr 2015 18:57:51 -0600

http://healthitsecurity.com/2015/04/30/why-phishing-scams-cannot-be-ignored-by-healthcare-entities/

Phishing scams are not a new security threat to the healthcare industry,
but that does not mean that covered entities should not consider them when
working to prevent data breaches. As technology evolves, it becomes more
important for healthcare organizations to broaden their approach to privacy
and security, accounting for newer threats, but not forgetting about older
forms of attack.

What are phishing scams?

Phishing scams are social engineering attacks where cyber attackers use
email or websites to trick individuals into giving up their personal
information. Healthcare phishing scams typically involve employees giving
up their username and passwords, which could give the hackers access to
more sensitive information, such as patients’ PHI.

“An attacker may seem unassuming and respectable, possibly claiming to be a
new employee, repair person, or researcher and even offering credentials to
support that identity,” according to the US Computer Emergency Readiness
Team (CERT) website. “However, by asking questions, he or she may be able
to piece together enough information to infiltrate an organization’s
network.”

CERT added that attackers may contact more than one person at an
organization, ensuring that they can gather enough information to cause
damage. The hackers could also do this to seem more credible to the second
individual, as they will have already gathered some data from the first
source.

What are best practices to avoid falling victim to phishing scams?

A key aspect to preventing healthcare phishing scams from being successful
is for employees to remain vigilant. Even staying on the lookout for simple
things, such as misspelled words in URLs or domain names being spelled
wrong, could be beneficial. Additionally, hovering the cursor over a link can
reveal that it actually points to a different address.

CERT cautions that employees should “be suspicious of unsolicited phone
calls, visits, or email messages from individuals asking about employees or
other internal information.” Moreover, it can be beneficial to try to
verify unknown individuals’ identities. Employees can ask a caller or
person emailing to verify his or her identity directly with the company.

“Do not provide personal information or information about your
organization, including its structure or networks, unless you are certain
of a person’s authority to have the information,” CERT explains on its
website. “Do not reveal personal or financial information in email, and do
not respond to email solicitations for this information. This includes
following links sent in email.”

CERT also suggests the following tips to keep facilities secure in email
communications:

- Do not reveal personal or financial information in email, and do not
respond to email solicitations for this information. This includes
following links sent in email.
- Don’t send sensitive information over the Internet before checking a
website’s security (see Protecting Your Privacy for more information).
- Pay attention to the URL of a website. Malicious websites may look
identical to a legitimate site, but the URL may use a variation in spelling
or a different domain (e.g., .com vs. .net).
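As an added illustration of the cues above (this is not code from the article or from CERT), the following Python script checks an HTML message body for the two things described: anchor text that names one host while the href points to another (what hovering would reveal), and link hosts that imitate a domain on a hypothetical trusted list by a one-character misspelling or a swapped top-level domain. The trusted domain and the sample body are constructed for the example.

```python
"""Flag two phishing cues from the article in an HTML mail body: anchor text that
shows one address while the href goes elsewhere, and hosts imitating a trusted domain."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED = {"examplehospital.com"}  # hypothetical: the organization's own domains
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def links_in(html):
    """(href, visible text) for each simple <a href="..."> tag. A mail gateway
    would use a real HTML parser; this regex is enough for the demonstration."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR.findall(html)]

def host_of(s):
    """Lowercase host of a URL or bare domain, without a leading www."""
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike(host):
    """Trusted domain that host imitates by TLD swap or near-misspelling, else None."""
    for good in TRUSTED - {host}:
        if (host.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]          # .com vs .net
                or SequenceMatcher(None, host, good).ratio() >= 0.9):  # one-char typo
            return good
    return None

def phishing_indicators(html):
    """Return (href, reason) findings for each suspicious link in the body."""
    findings = []
    for href, text in links_in(html):
        target = host_of(href)
        if URL_LIKE.match(text) and host_of(text) != target:  # hover would reveal this
            findings.append((href, f"text shows {host_of(text)}, link goes to {target}"))
        imitated = lookalike(target)
        if imitated:
            findings.append((href, f"{target} imitates {imitated}"))
    return findings

# Constructed sample body, not taken from any real message.
SAMPLE = ('<p>Please <a href="http://examplehospita1.com/login">www.examplehospital.com</a> '
          'to confirm your account. <a href="https://examplehospital.net/reset">Reset '
          'password</a> or open the <a href="https://examplehospital.com/portal">'
          'patient portal</a>.</p>')

if __name__ == "__main__":
    for href, reason in phishing_indicators(SAMPLE):
        print(f"{href}: {reason}")
```

Running it on the sample reports three findings: the mismatched first link, the typo-squatted host behind it, and the .net variant of the trusted .com domain.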

The National Institute of Standards and Technology (NIST) suggests in its
“Guide to Cyber Threat Information Sharing” that organizations should
consider anonymizing email samples and removing any sensitive information
that is not relevant to incident responders. This is because email headers
may contain infrastructure information such as internal IP address or host
names.

“For phishing and other attacks, it is natural to look for instances of the
targets’ names, email or account names, in the body as well as the subject
and attachments of the message,” the guide states. “Organizations may also
not wish to share the fact that they have been attacked, so reports may
employ pseudonyms such as “USBUS1”. If this is the case, then any artifacts
of the attack, such as packet captures or files should be examined for
revealing target IP addresses, domains, and URLs.”
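As an added example (not code from the article or from the NIST guide), the Python below applies the sanitization the guide describes to a constructed message before it is shared: addresses in ranges the organization treats as internal (assumed here to be the RFC 1918 ranges), host names under the organization's domain, and the domain itself are replaced, with the pseudonym “USBUS1” standing in for the target, while the external sender address responders need is kept. The domain, addresses and headers are all constructed.

```python
"""Sanitize a phishing sample before sharing it with outside responders, as the
NIST guide quoted above recommends: blank out internal IP addresses and host
names from headers such as Received, and pseudonymize the targeted domain."""
import ipaddress
import re

# Hypothetical: the address ranges this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def redact_internal_ips(text):
    """Replace addresses inside INTERNAL_NETS; external sender addresses are kept
    because responders need them."""
    def sub(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 is not an address
            return m.group(0)
        return "[INTERNAL-IP]" if any(ip in n for n in INTERNAL_NETS) else m.group(0)
    return IP_RE.sub(sub, text)

def anonymize(raw, internal_domain, pseudonym):
    """Return the sanitized message text (headers and body alike). Hosts under
    internal_domain become [host.PSEUDONYM]; the bare domain becomes PSEUDONYM."""
    host_re = re.compile(r"\b(?:[\w-]+\.)+" + re.escape(internal_domain) + r"\b", re.I)
    dom_re = re.compile(r"\b" + re.escape(internal_domain) + r"\b", re.I)
    text = redact_internal_ips(raw)
    text = host_re.sub(f"[host.{pseudonym}]", text)
    return dom_re.sub(pseudonym, text)

# Constructed sample, not a real message; 203.0.113.5 is a documentation address.
SAMPLE = """Received: from mail-gw.examplehospital.org (mail-gw.examplehospital.org [10.20.30.40])
\tby mx1.examplehospital.org with ESMTP; Thu, 30 Apr 2015 18:57:51 -0600
Received: from relay (unknown [203.0.113.5]) by mail-gw.examplehospital.org
From: "IT Helpdesk" <helpdesk@examplehospital.org>
To: jane.doe@examplehospital.org
Subject: Password expiry notice

Your password for the examplehospital.org portal expires today."""

if __name__ == "__main__":
    print(anonymize(SAMPLE, "examplehospital.org", "USBUS1"))
```

Keep the mapping from pseudonym back to the real domain and addresses locally, since the guide's point is that the shared copy alone should not reveal the target's infrastructure.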

Technical safeguards will also be essential to health data security. In its
“Guidelines on Electronic Mail Security,” NIST suggests that facilities
enable anti-spam and anti-phishing features.

“These features often have rather permissive settings by default, so it may
be beneficial from a security perspective to set them to a higher level,”
the guide states. “Also, users should be educated on reviewing tagged or
filtered messages to identify ones that have been incorrectly labeled. Some
mail clients allow users to configure filtering features such as creating
lists of safe senders and senders to block.”

How is this still relevant to healthcare data security?

Many of the top healthcare privacy and security headlines revolve around
sophisticated cyber attacks where hackers have infiltrated databases to
gain access to sensitive data. However, by also having access to employee
usernames and passwords, hackers could potentially get even farther into
these types of databases.

Or, hackers could try to gain sensitive information after an initial
breach. For example, a phishing scam could be made to fool patients, or
individuals whose information was part of an initial breach. The scammers
could send emails to patients, posing as a hospital or other credible
source. Patients could then unknowingly supply the hackers with even more
data that was not originally accessed.

Healthcare organizations need to stay smart and keep themselves current on
what the latest threats are to privacy and security. Thorough employee
training, along with the right training exercises, will help users
understand the safest ways to send and receive information through email.
Additionally, keeping patients aware of what to look out for could also be
beneficial. Socially engineered attacks are likely not going away anytime
soon, and will continue to become more sophisticated. However, facilities
need to remain aware of all possible threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 