Why physicians are on the hook to not take the bait on phishing attacks
It’s become widely known that protected health information is a hot commodity on the Dark Web. Research shows that a single medical record is worth at least 10 times that of a credit card number, sometimes even more. A Social Security number may only go for $1; a credit card number fetches between $5 and $100; but medical records are worth as much as $1,000.
Phishing is often the path of least resistance for attackers, so It’s only natural that they are adapting their phishing tactics to target information from not only healthcare organizations and patients but also physicians to gain access to this PHI. They know that this tactic will require the least amount of effort for greater gains, and humans are often the weakest link in the security chain.
Attackers can leverage phished credentials or use password-spraying techniques against physicians to gain access to sensitive information found in email inboxes. We find incident response cases where a hacker had intercepted email in real-time using inbox rules that look for relevant key words or attachments.
A bad actor may also use the email inbox to reset or hijack credentials for electronic health record portals to quickly access a database of patients to whom the physician has access. With this access, they could, for example, remove the record of a fatal allergy or change dosage information for a prescription, or the prescription itself, which can seriously harm a patient.
Phishing physicians also may result in access via a VPN or other remote method into the healthcare provider. EHR applications and healthcare organizations’ networks then can be targeted directly and may result in accessing the greatest numbers of PHI records at once, a full breach of past and current patients. We have even seen evidence of criminals hijacking medical staff paychecks via the payroll system, which leveraged the same captured credentials.
Preventative security measures should continuously be in place. An important approach is to train physicians and everyone in a healthcare organization on cybersecurity awareness techniques and the “Do’s and Don’ts” of phishing and other tactics.
Red team exercises by the internal IT or security group can test the strength of the defenses of a security operations center (SOC) and the security solutions they monitor. The healthcare organizations should also strongly enforce multi-factor authentication properly on all relevant enterprise and EHR services, including email and payroll portals, to make it more difficult for bad actors to gain unauthorized access. Additional forms of authentication are used as added precautions to help validate a user’s identify and block an attacker from entering the system.
If a physician has any doubt about an email because it seems outside of the norm, they should try to verify the sender by hovering over hyperlinks to confirm it is from a legitimate domain or simply contact the sender. Physicians should also forward suspect emails to the IT staff for a more in-depth review. If it is deemed a bad email, staff can put on a “watch list” and warn others in the organization so as to prevent an avoidable breach.
Lastly, physicians should be suspicious of any attachments, especially those that are executables or contain executable content, such as PDFs or Office documents with macros.
Keeping medical records safe is a collective responsibility—from patients who must consider the security of their own network and devices, to physicians handling the information and the IT staff of the healthcare organization that stores and safeguards records.
Regulatory standards such as HIPAA and HITRUST help guide organizations on how to keep this data protected in transit and at rest, but ultimately the healthcare organizations that run the email software and other patient portals must think like an attacker and protect physicians from sophisticated phishing tactics. And the physicians and other staff must be aware and trained on what to look for.