BreachExchange mailing list archives

Phishing Attacks Among Greatest Plague Facing Healthcare


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Feb 2016 19:10:11 -0700

http://www.information-management.com/news/security/phishing-attacks-among-greatest-plague-facing-healthcare-10028171-1.html

Phishing created big news in healthcare last year – the really bad kind.

This approach for gaining nefarious access to network credentials was
reported to be the cause of two of the biggest attacks reported in the
healthcare industry last year – the hack of 78.8 million identities from
Anthem, and an additional 11 million identities hacked in a breach at
Premera.

Hacking or IT incidents resulted in the release of protected health
information of nearly 112 million individuals, about 65 times the number of
such incidents last year.

While the hacks reported at Anthem and Premera accounted for the lion’s
share of those numbers last year, hackers are using phishing gambits more
widely, raising the need for healthcare organizations to ensure that
employees and staff are aware of the risks.

In a basic phishing attack, hackers use urgent emails or phone calls to
trick a person into revealing network credentials. When workers
unknowingly share sensitive network access information with a hacker, it
can be the start of a cyber attack that compromises huge amounts of
protected health information. Because of the ease of entry and the lack of
detectability, hackers may be able to roam around a network for weeks
without raising any red flags.

Phishing is not just aimed at the largest healthcare organizations; a
recent survey by the Healthcare Information Management and Systems Society
found that 69 percent of respondents have experienced a phishing attack.

Security incidents involving those from outside the organization (phishing
and other types of attacks) caused significant problems for some of the
organizations responding to the HIMSS survey. Of all respondents affected
by a breach, 21 percent reported the loss of data, and a total of 16
percent reported either significant disruption or actual damage to their IT
systems.

Attacks at Anthem and Premera were frighteningly easy, according to the
annual report on healthcare security breaches by Bitglass, a security
solutions vendor. In the Anthem and Premera breaches, hackers used an
approach called domain spoofing, in which hackers register variations on
the real domain name, like “prennera.com” or “we11point.com” in the Anthem
breach.

Phishing emails were sent to employees to bait them into using the spoofed
sites, and employees then logged into the fake sites, giving hackers their
credentials. From there, employees were diverted back onto their
companies’ real sites, so they were totally unaware that they had been the
subject of a phishing attack, Bitglass reports.

While the approaches of the hackers now seem clear in retrospect, it’s not
easy for employees or staff to identify such trickery. They are busy in
their jobs, may be flooded with emails as part of their jobs, and they may
not have the technical acumen to spot misleading emails or spoofed URL
addresses.

Beyond that, many healthcare organizations have not trained employees on
how to spot phishing attempts and thwart them. However, even those
organizations that have conducted this training have seen employees get lax
and fall victim to a phishing email.

For training to be effective and influence long-term behavior, training
needs to be comprehensive, and reminders must be in place over time so that
employees don’t get complacent afterward, says William Woodward, a research
associate at Aite Group, a consulting and research firm.

One-off training events or memos don’t offer enough long-lasting
protection, particularly in healthcare environments, where the risks of
successful intrusion can be catastrophic. “You can’t carry on like you did
before,” he asserts. “The costs of cyber attacks are so high that you have
to invest in deeper training.”

Organizations should be conducting simulations of attacks so employees can
recognize the signs that something is not right; that helps continue the
training so they recognize an email that should not be opened or a phone
call that should be considered suspicious.

Then, organizations should follow up by conducting penetration testing by
expert firms that are ethically hacking employees to assess awareness
levels, Woodward says. If testing finds most employees are still clicking
on phishing emails, then training should be done more regularly.
Twice-a-year training sessions would be the most effective, but that may
not be cost effective for small organizations, he says.

Attacks are getting increasingly sophisticated, Woodward warns. An employee
may click on a link that has the organization’s URL and not notice other
information in the URL that should raise suspicions. Or an employee may get
an email or chat message from a purported IT technician at the
organization, saying he will call soon. Such a message should initially be
treated with skepticism, because while an email address can be verified,
that’s typically not possible with a phone call, Woodward says. “These are
things that shouldn’t be transmitted by email or given over the phone.”
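The two URL tricks the article describes, lookalike registrations such as “prennera.com” and “we11point.com”, and links that contain the organization’s name but point somewhere else, are both things a mail gateway or a SOC triage script can flag before a user ever sees the message. The following is an added defensive example, not code from the article, Bitglass or Aite Group. It assumes that the genuine counterparts of the two spoofed domains are premera.com and wellpoint.com, uses a constructed confusable-character table, a plain edit-distance threshold, and a constructed sample email; the naive “last two labels” registrable-domain rule is a simplification a real deployment would replace with the Public Suffix List.

```python
import re

# Assumed legitimate domains. The article names the spoofs "prennera.com" and
# "we11point.com"; their genuine counterparts are assumed here for the example.
LEGIT_DOMAINS = {"premera.com", "wellpoint.com"}

# Digit/letter substitutions commonly used to fake a domain (constructed list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

# Matches scheme://[userinfo@]host; the optional userinfo group catches links
# like http://premera.com@evil.test/ whose visible "organization URL" is not the host.
URL_RE = re.compile(
    r"https?://(?:(?P<userinfo>[^\s/?#@]+)@)?(?P<host>[^\s/:?#@]+)", re.I
)


def normalize_label(label):
    """Undo common look-alike substitutions, e.g. 'we11point' -> 'wellpoint'."""
    s = label.lower()
    for pair, rep in MULTI_CONFUSABLES.items():
        s = s.replace(pair, rep)
    return "".join(CONFUSABLES.get(c, c) for c in s)


def levenshtein(a, b):
    """Edit distance; 'prennera' vs 'premera' is 2 (one substitution, one deletion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; a real
    deployment would consult the Public Suffix List for e.g. 'x.co.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host, legit=LEGIT_DOMAINS):
    """Return one of: legitimate, lookalike, brand-embedded, unknown."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in legit:
        return "legitimate"          # e.g. login.premera.com
    reg_label = reg.split(".")[0]
    for d in legit:
        brand = d.split(".")[0]
        # Confusable normalisation catches we11point; a small edit-distance
        # threshold catches prennera. Threshold 2 is tuned for brand names of
        # this length; very short brands would need a stricter rule.
        if normalize_label(reg_label) == brand or levenshtein(reg_label, brand) <= 2:
            return "lookalike"
    for d in legit:
        brand = d.split(".")[0]
        if brand in host:
            return "brand-embedded"  # e.g. wellpoint-secure.evil.test
    return "unknown"


def scan_email(text, legit=LEGIT_DOMAINS):
    """Return (authority, host, verdict) for every http(s) link in the text."""
    findings = []
    for m in URL_RE.finditer(text):
        verdict = classify_host(m.group("host"), legit)
        # A user@host authority in a mailed link is itself a red flag when the
        # real host is not one of ours.
        if m.group("userinfo") and verdict != "legitimate":
            verdict = "userinfo-trick"
        findings.append((m.group(0), m.group("host"), verdict))
    return findings


# Constructed sample message for the demonstration.
SAMPLE_EMAIL = """\
Your password expires today. Sign in at http://we11point.com/login to keep access.
Claims portal: https://login.premera.com/claims
Reset here: http://premera.com@evil.test/reset
"""

if __name__ == "__main__":
    for authority, host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:15} {host:25} {authority}")
```

Running the block prints one line per link: the we11point link is flagged as a lookalike, the real premera.com subdomain passes, and the third link is flagged because its visible premera.com is only the userinfo part of the authority. The verdicts are deliberately coarse so they can feed a mail-filter rule or a SIEM enrichment rather than replace analyst judgement.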

Better cyber security boils down to general awareness, Woodward says.
“Treat it like any other training, with evaluation sheets and systematic
reviews. Bring in external expertise to be more aware of the threat
landscape. They will be up to speed on new tactics and give you external
eyes to assess what you are doing.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com