Phishing EHR Medical Records

Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access

Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector.

BazarCall is a type of callback phishing, where organizations are targeted and sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency – If no action is taken, there will be bad consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that will give the threat actor access to the victims’ network. That action could be to visit a malicious website or download a malicious file.

In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and it will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user to initiate a Zoho Remote Desktop Control session, which it is claimed is necessary to cancel the subscription. Zoho is legitimate business software; however, in this case, it is used for malicious purposes. While the user converses with the threat actor that answers the call, a second member of the team will use the remote access session to silently weaponize legitimate tools that can be used for an extensive compromise of the victim’s network.

BazarCall was first utilized by the Ryuk ransomware operation in 2020/2021. Ryuk was disbanded and reformed as Conti, and both were prolific ransomware-as-a-service operations. The campaigns were identified by security researchers at AdvIntel, who have tied the campaigns to three cybercriminal groups that broke away from the Conti ransomware operation before it shut down.

According to AdvIntel, BazarCall started to be used by the Conti ransomware gang in March 2022, and in April, a new ransomware group – Silent Ransom – broke away from the Conti operation and adopted the BazarCall technique for initial access. The technique was refined and a second threat group – Quantum – broke away from Conti and started using its own version of BazarCall. In June, a third group – Roy/Zeon – broke away from Conti and started using its own version of BazarCall.

Each threat group impersonates different companies in the initial emails, such as Duolingo, MasterClass, Oracle, HelloFresh, CrowdStrike, RemotePC, Standard Notes, and many more. The lures used vary but generally relate to an upcoming payment due to the end of a subscription or trial period, with the brands impersonated related to the industry being targeted.

AdvIntel says that while the Silent Ransom group was the first threat group to resurrect the BazarCall phishing tactic, seeing the success, efficiency, and targeting capabilities of the tactic, other threat groups have begun using the reversed phishing campaign as a base and developing the attack vector into their own. “This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” warn the researchers.

Defending against callback phishing emails can be difficult to the lack of malicious content in the initial phishing emails, which means they are unlikely to be flagged as malicious by email security solutions. The best defense to prevent the attacks is to ensure that callback phishing is covered in security awareness training and to include examples of callback phishing in internal phishing simulations.

The post Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access appeared first on HIPAA Journal.

Why Healthcare Workers should be Using a Password Manager

Healthcare workers access electronic Protected Health Information (ePHI) on a daily basis – most often via the use of password-protected EHRs. In order to mitigate the risk of ePHI being hacked, compromised, or unavailable due to a cyberattack, healthcare workers should be using a password manager that generates, stores, and auto-fills complex passwords.

Earlier this year, HHS issued a threat brief warning about the risks to ePHI stored in EHRs. The brief identified the top five threats against EHR as phishing attacks, malware and ransomware, encryption blind spots, cloud threats, and the misuse of credentials by employees. It also reported that the most common cause of healthcare data breaches in 2021 was compromised credentials.

According to the 2021 Data Breach Investigations Report, credentials are most often compromised by brute force attacks on weak passwords and phishing. Therefore, the best way to protect ePHI in EHRs is to use complex passwords and reinforce login credentials with two-factor authentication so that, if login credentials are exposed in a phishing attack, phishers cannot get into EHR systems.

Why Healthcare Workers should be Using a Password Manager

The Issue with Complexity and 2FA

Remembering complex passwords that use a combination of upper- and lower-case letter, numbers, and special characters is difficult. In addition, complex passwords take longer to key into an EHR than short numeric or alphabetic passwords. Therefore, even if a healthcare worker remembers their password, the additional seconds keying the complex password into an EHR could make the difference between life and death in a medical emergency.

The issue with reinforcing login credentials with two-factor authentication (2FA) is that the time between attending a patient and accessing their EHR can be further extended if a healthcare worker has to wait for a One Time Passcode (OTP) to deactivate 2FA access controls. Any delays or mistakes entering the code can have serious consequences if a healthcare worker becomes stressed (in an already stressful situation) and mistakes are made treating the patient.

How to Overcome these Issues

The way to overcome these issues is with a password manager that generates, stores, and auto-fills complex passwords and that supports Authenticator Apps. The password manager is deployed on the EHR so that, when a healthcare worker needs to access a patient´s ePHI, they do so by logging into the password manager with their master password. The password manager auto-fills the healthcare worker´s login credentials for the EHR and generates an OTP passcode.

The process takes as long as entering a weak password (because master passwords are usually long passphrases that are easier to remember than complex passwords) and has the security advantage that healthcare workers have to physically copy and paste the OTP into the login field (usually with a click of a mouse or swipe of a screen). Therefore, as mentioned above, if login credentials have been exposed in a phishing attack, phishers cannot get into the EHR systems.

Which Password Managers have these Capabilities?

Most vault-based password managers with cross-platform synchronization have the capabilities to generate, store, and auto-fill complex passwords. Some have better support for Authenticator Apps than others; and, with regards to Authenticator Apps, it is better to use an app that generates “rolling” Timed One Time Passcodes (TOTPs). This is because, although the passcode refreshes every thirty seconds, a code is always instantly available to be copied and pasted into the login field.

The significance of cross-platform synchronization is that patient EHRs have to be accessed from multiple locations, and the devices in these locations might not all run on the same operating system or use the same browser. Consequently, password managers such as Bitwarden are ideal for securing healthcare worker´s login credentials and protecting the confidentiality, integrity, and availability of ePHI. The Bitwarden password manager also meets the HIPAA password requirements.

Closing Thoughts on Why Healthcare Workers should be Using a Password Manager

Most of the preceding text has focused on protecting ePHI maintained on EHRs by replacing weak, hackable passwords with complex passwords, and mitigating the risk of exposing login credentials in phishing attacks. But there is another reason why healthcare workers should be using a password manager – to protect personal data when using employers´ computer systems.

One of the most surprising statistics to come out of the 2021 Data Breach Investigation Report was that 66% of the data compromised in healthcare data breaches was personal data – not medical data. The report attributes this apparent anomaly to medical data being more stringently protected than other data and attackers simply taking what they can when the opportunity presents itself.

Consequently, even if healthcare organizations do not deploy password managers to protect ePHI maintained on EHRs, healthcare workers should be using a password manager to protect their own login credentials, payment details, and other sensitive data that could be used by a hacker to commit identity fraud. This article provides a comparison of the best free and low-cost options.

The post Why Healthcare Workers should be Using a Password Manager appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack.

Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source.

The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing 9,567 people, loses around 63,343 hours every year to phishing attacks, with the cost equating to around $1,500 per employee.

Phishing is the starting point of the costliest cyberattacks. In 2020, more than $1.8 billion was fraudulently obtained in Business Email Compromise (BEC) attacks, with the average cost of a BEC attack now $5.97 million. Phishing is often the starting point of ransomware attacks, which can have mitigation costs of the order of tens of millions of dollars. On average, an attack costs $996,000 to resolve.

Phishing may be the most common way for cybercriminals to gain access to email accounts, networks, and sensitive data, but these attacks can easily be prevented with the right technology and user training.

Organizations need to implement email security gateways/spam filtering solutions for all email accounts. This technical measure alone will prevent the majority of phishing emails from arriving in inboxes. Antivirus software and firewalls should be used to protect all endpoints, including computers, phones, tablets, and Internet of Things devices. These solutions should be regularly updated, ideally automatically.

Multi-factor authentication should be used on all accounts that require passwords to login. In the event of a password being obtained in a phishing attack, multi-factor authentication will prevent the password from providing access to the user’s account. Microsoft explained in a 2019 blog post that multi-factor authentication blocks more than 99.9% account compromise attacks.

Employees are the last line of defense in an organization, so it is vital for security awareness training to be provided. Employees need to be taught cybersecurity best practices to eradicate risky behaviors and must learn how to identify and avoid phishing attacks.

Employees should be made aware of the red flags in phishing emails such as call outs to open attachments or click links, unusual wording and formatting, spelling and grammatical errors, threats of negative consequences if rapid action is not taken, and too good to be true offers. If any red flags are identified, it is vital to verify the source of the email or text message and to make content with the sender to confirm a request is authentic. Employees should be conditioned to stop and think before taking any action requested in an email or text message and never to respond, open attachments, or click links in messages if there is any doubt about the sender or request.

According to Verizon, “There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down.” In 2012, phishing email click rates were around 25% but by 2019 they had fallen to around 3% as a result of improved awareness of phishing and more extensive end user training.

Given the scale of the threat from phishing, once-a-year security awareness training sessions are no longer sufficient. While annual training may meet the minimum requirement for compliance with HIPAA, it is not sufficient to reduce the risk of a successful attack to low and acceptable level. Security awareness training for the workforce needs to be an ongoing process, with regular training provided throughout the year accompanied by phishing simulation exercises where the phishing identification skills of employees are put to the test. Through training and phishing simulation exercises, susceptibility to phishing attacks can be greatly reduced.

CISA has produced a tip sheet for Cybersecurity Awareness Month to help individuals fight the phish.

The post Cybersecurity Awareness Month: Fight the Phish! appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. There were 24 theft incidents were reported involving at least 184,932 records and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,”  wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information.

The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019.

It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorised access.

An extensive systemic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information, medical history, and treatment information may have been compromised.

All affected patients have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,407 patients were impacted by the breach.

Hunt Regional Healthcare Victim of Cyberattack

Greenville, TX-based Hunt Regional Healthcare has announced it experienced a cyberattack on May 14, 2019 in which hackers gained access to its computer network and the protected health information of certain patients.

The attackers potentially accessed files containing patient names, telephone numbers, dates of birth, Social Security numbers, race, and religious preferences. The incident has been reported to the FBI and Hunt Regional Healthcare is assisting in the investigation.

Hunt Regional Healthcare has said no evidence of unauthorized data access or data theft have been discovered, but patients are being notified as a precaution and are being offered free access to IDExperts credit monitoring and identity theft protection services.

It is currently unclear how many patients have been affected by the breach.

The post 21,400 Patients Impacted by St. Croix Hospice Phishing Attack appeared first on HIPAA Journal.

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

Phishing is one of the leading causes of healthcare data breaches. The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information.

In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August.

Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively.

Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing

The anti-phishing solution provider Cofense (Formerly PhishMe) recently published an Industry Brief which explored the problem of phishing in the healthcare industry.

The report, entitled ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’, confirmed the extent to which the healthcare industry is targeted by cybercriminals. The healthcare industry accounts for 1/3 of all data breaches, which have resulted in the exposure or theft of more than 175 million records.

It is no surprise that the healthcare industry is targeted by hackers as healthcare organizations store vast amounts of extremely valuable data: Health information, insurance information, Social Security numbers, dates of birth, contact information, and financial data. Information that can easily be sold to identity thieves and fraudsters.

Further, the healthcare industry has historically underinvested in cybersecurity with security budgets typically much lower than in other industry sectors such as finance.

Cofense data shows that healthcare organizations fare worse than other industries in terms of susceptibility and resiliency to phishing attacks. To measure susceptibility, Cofense used data from its phishing simulation platform – Susceptibility being the percentage of healthcare employees that were fooled by a phishing simulation. Resiliency to phishing attacks is the ratio of users who reported a phishing attempt through the Cofense Reporter email add-on versus those that did not.

Across all industries, the susceptibility rate was 11.9% and the resiliency rate was 1.79. For healthcare, susceptibility was 12.4% and resiliency was 1.34. The insurance industry had a resiliency rate of 3.03 while the energy sector had a resiliency rate of 4.01.

The past few years have seen cybersecurity budgets increase and a greater emphasis placed on security and risk management. The extra funding for anti-phishing defenses is having a positive effect, although there is considerable room for improvement.

Source: Cofense

How Are Healthcare Employees Being Fooled by Phishers?

An analysis of the phishing email simulations that most commonly fooled healthcare employees reveals a mix of social and business emails. The type of email most likely to fool a healthcare employee was a requested invoice, followed by a manager evaluation, package delivery notification, and a Halloween eCard alert, all of which had a click rate above 21%. Emails about holiday eCard alerts, HSA customer service emails, and employee raffles also commonly fooled employees.

Data from Cofense Intelligence shows invoice requests to be one of the most common active threats, often used to deliver ransomware. 32.5% of healthcare employees were fooled by those emails in simulations and only 7.2% reported the emails as suspicious.

The Cofense report includes further information on the most commonly clicked phishing emails and advice for healthcare companies to help reduce susceptibility to phishing attacks. The Cofense Healthcare Industry Brief can be downloaded on this link (PDF).

The post Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency appeared first on HIPAA Journal.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized, security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows – sets of criteria that will automatically execute a response to mitigate an attack if certain criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.

The post Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform appeared first on HIPAA Journal.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized, security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows – sets of criteria that will automatically execute a response to mitigate an attack if certain criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.

The post Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed

 

So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.