Hospitals coming under increasing hack attacks
Phishing created big news in healthcare last year – the really bad kind.
This approach for gaining nefarious access to network credentials was reported to be the cause of two of the biggest attacks reported in the healthcare industry last year – the hack of 78.8 million identities from Anthem, and an additional 11 million identities hacked in a breach at Premera.
Hacking or IT incidents resulted in the release of protected health information of nearly 112 million individuals, about 65 times the number of such incidents last year.
While the hacks reported at Anthem and Premera accounted for the lion’s share of those numbers last year, hackers are using phishing gambits more widely, raising the need for healthcare organizations to ensure that employees and staff are aware of the risks.
In a basic phishing attack, hackers use urgent emails or phone calls to trick a person into revealing information network credentials. When workers unknowingly share sensitive network access information with a hacker, it can be the start of a cyber attack that can compromise huge amounts of protected health information. Because of the ease of entry and lack of detectability, hackers may be able to roam around a network for weeks without raising any red flags.
Phishing is not just aimed at the largest healthcare organizations; a recent survey by the Healthcare Information Management and Systems Society found that 69 percent of respondents have experienced a phishing attack.
Security incidents involving those from outside the organization (phishing and other types of attacks) caused significant problems for some of the organizations responding to the HIMSS survey. Of all respondents affected by a breach, 21 percent reported the loss of data, and a total of 16 percent reported either significant disruption or actual damage to their IT systems.
Attacks at Anthem and Primera were frighteningly easy, according to the annual report on healthcare security breaches, by Bitglass, a security solutions vendor. In the Anthem and Premera breaches, hackers used an approach called domain spoofing, in which hackers register variations on the real domain name, like “prennera.com” or “we11point.com” in the Anthem breach.
Phishing emails were sent to employees to bait them to use the spoofed sites, and employees then logged into the fake sites, giving hackers the credentials. From there, employees then are diverted back onto their companies’ sites, so they are totally unaware that they have been the subject of a phishing attack, Bitglass reports.
While the approaches of the hackers now seem clear in retrospect, it’s not easy for employees or staff to identify such trickery. They are busy in their jobs, may be flooded with emails as part of their jobs, and they may not have the technical acumen to spot misleading emails or spoofed URL addresses.
Beyond that, many healthcare organizations have not trained employees on how to spot phishing attempts and thwart them. However, even those organizations that have conducted this training have seen employees get lax and fall victim to a phishing email.
For training to be effective and influence long-term behavior, training needs to be comprehensive, and reminders must be in place over time so that employees don’t get complacent afterward, says William Woodward, a research associate at Aite Group, a consulting and research firm.
One-off training events or memos don’t offer enough long-lasting protection, particularly in healthcare environments, where the risks of successful intrusion can be catastrophic. “You can’t carry on like you did before,” he asserts. “The costs of cyber attacks are so high that you have to invest in deeper training.”
Organizations should be conducting simulations of attacks so employees can recognize the signs that something is not right; that helps continue the training so they recognize an email that should not be opened or a phone call that should be considered suspicious.
Then, organizations should follow up by conducting penetration testing by expert firms that are ethically hacking employees to assess awareness levels, Woodward says. If testing finds most employees are still clicking on phishing emails, then training should be done more regularly. Twice-a-year training sessions would be the most effective, but that may not be cost effective for small organizations, he says.
Attacks are getting increasingly sophisticated, Woodward warns. An employee may click on a link that has the organization’s URL and not notice other information in the URL that should raise suspicions. Or an employee may get an email or chat message from a purported IT technician at the organization, saying he will call soon. Such a message should initially be treated with skepticism, because while an email address can be verified, that’s typically not possible with a phone call, Woodward says. “These are things that shouldn’t be transmitted by email or given over the phone.”
Better cyber security boils down to general awareness, Woodward says. “Treat it like any other training, with evaluation sheets and systematic reviews. Bring in external expertise to be more aware of the threat landscape. They will be up to speed on new tactics and give you external eyes to assess what you are doing.”