Phishing EHR Medical Records

How Can Healthcare Organizations Prevent Phishing Attacks?

Posted by HIPAA Journal

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information.

Phishing on an Industrial Scale

More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years.

Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’ credentials. Many of those websites also have an SSL certificate, so they appear to users to be secure websites. A website starting with HTTPS is no guarantee that it is not being used for phishing.

Study Provides Insight into Phishing Tactics

While phishers often use their own domains to phish for credentials, a recent report from Duo Security showed legitimate websites are increasingly being compromised and loaded with phishing kits. The study identified more than 3,200 unique fishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and sold to accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.

Duo Security notes that persistence is maintained by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to prevent detection. The Webroot report also highlighted an increase in the use of benign domains for phishing.

The phishing kits are typically loaded into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should monitor for file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to improve resilience against brute force attacks.

How to Prevent Phishing Attacks

Unfortunately, there is no single solution that will allow organizations to prevent phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare industry, phishing defenses are a requirement of HIPAA and steps must be taken to reduce risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in financial penalties for noncompliance.

Defenses should include a combination of technological solutions to prevent the delivery of phishing emails and to block access to phishing URLs. Employees must also receive regular training to help them identify phishing emails.

As OCR pointed out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires organizations to provide regular security awareness training to employees to help prevent phishing attacks. OCR explained that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

Due to the increased use of HTTPS, it is no longer sufficient for users to check that the site is secure to avoid phishing scams. While a site starting with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate it does not mean it can be trusted. Users should also be told to pay particular attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to disclose any login credentials.

Even with security awareness training, employees cannot be expected to recognize all phishing attempts. Phishers are developing increasingly sophisticated phishing emails that are barely distinguishable from genuine emails. Websites are harder to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to fool end users. Technological solutions are therefore required to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.

A spam filtering solution is essential for reducing the volume of emails that are delivered. Organizations should also consider using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not rely on blacklists and banned IP addresses to block attacks. Blacklists still have their uses and can prevent phishing attacks, but phishing websites are typically only active for a few hours – Before the sites are identified as malicious and added to blacklists. A range of additional detection mechanisms are required to block phishing websites. Due to the increase in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.

Healthcare organizations should also sign up to threat intelligence services to receive alerts about industry-specific attacks. To avoid being swamped with irrelevant threat information, services should be tailored to ensure only treat information relevant to each organization is received.

The post How Can Healthcare Organizations Prevent Phishing Attacks? appeared first on HIPAA Journal.

New Study Reveals Lack of Phishing Awareness and Data Security Training

Posted by HIPAA Journal

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia.

For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks.

When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is.

Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know what ransomware was, compared to 28% of male workers. 31% of respondents said they did not know what ransomware was prior to taking part in staff training sessions.

The survey revealed security awareness training was lacking at many businesses. 30% of office workers said they did not receive regular training on how to deal with cyber threats. Even though the threat level has risen significantly in the past two years, many businesses have not responded. The 2015 data vulnerability report shows 72% of companies regularly communicated cyber threat information to employees and provided regular training, but in 2017 little has changed. Only 70% of companies provide regular training and threat information to employees. 11% of companies offered no security training whatsoever.

The recently published Global State of Security Survey by Pricewaterhouse Coopers, which was conducted globally on 9,500 executives in 122 countries, suggests the percentage of companies that do not provide security awareness training may well be far higher – 48% of respondents to that survey said they have no employee security awareness training program in place.

Many Employees Pay Ransoms Personally

One of the most interesting insights into ransomware attacks on businesses from the Intermedia study was many employees are so embarrassed and concerned about installing ransomware that they pay the ransom demand out of their own pocket.

Out of the office workers that had experienced a ransomware attack, 59% personally paid the ransom. 37% said the ransom was paid by their employer. The average ransom payment was $1,400. The ransom was typically paid quickly in the hope that data could be restored before anyone else found out about the attack.

While employees were not asked whether they would be made to pay the ransom by their employers, paying the ransom quickly to prevent anyone discovering the attack is unlikely to work. Even when the ransom is paid, businesses still experience considerable downtime. The same study also indicates one in five ransom payments will not see viable decryption keys provided by the attackers.

The post New Study Reveals Lack of Phishing Awareness and Data Security Training appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

Posted by HIPAA Journal

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than for financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential for that backups are regularly performed. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves the use of calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening the invites could potentially result in the installation of malware. Sophos warned of the threat and suggested one possible mitigation is to view emails in plaintext. These attacks will present a warning indicating attachments and email and calendar invites contain links to other files. Users should click no when asked to update documents with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft-spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

The post HIMSS Draws Attention to Five Current Cybersecurity Threats appeared first on HIPAA Journal.