Barely a day passes without hearing the news of a new large-scale data breach. Cyber-attacks affect organizations of all sizes across all industries; however, the fallout from a data breach affects different organizations in different ways.
For U.S.-based healthcare organizations, which are regulated by the stringent rules of HIPAA (the Health Insurance Portability and Accountability Act of 1996), the repercussions of a data breach can be particularly severe. To make matters worse, cyber criminals are becoming increasingly sophisticated in their methods, which makes attacks more difficult to identify.
Back in May, it came to light that Unity Point Health had suffered the biggest U.S. healthcare data breach of the year: its employees had been tricked by a phishing campaign into handing over credentials and sensitive information to the attackers. The result was unauthorized access to the protected health information (PHI) of 1.4 million patients.
Phishing attacks pose a significant threat to the healthcare industry and to U.S. businesses more generally, and as attackers refine their techniques, the problem looks set to get worse before it gets better. Verizon's 2018 Data Breach Investigations Report found that 43% of data breaches stemmed from phishing incidents, and phishing is now widely regarded as the biggest cyber threat faced by healthcare organizations.
Phishing attacks come in many different forms. At one end is the general, mass-mailed type, where the sender dupes the recipient into doing something such as downloading malware or entering credentials into a fake login page. At the other end is whaling, a type of phishing attack aimed at specific top-level, high-value company executives. Somewhere in the middle is spear phishing, where attackers target high-value victims and organizations with carefully crafted emails that, to the untrained eye, appear perfectly legitimate. Appearances can be deceiving, and as Unity Point Health found out the hard way, spear phishing attacks can be incredibly difficult to spot and all too often succeed.
Not only are phishing attacks costly in the literal sense (the average cost of a data breach is reported to be $408 per record in the healthcare sector, almost three times the cross-industry average), they can also lead to significant and long-lasting reputational damage, and in some cases, criminal convictions.
Under the HIPAA Breach Notification Rule, following a breach involving PHI, covered entities must notify the affected individuals and the Secretary of Health and Human Services, and, where the breach affects more than 500 residents of a State or jurisdiction, the media. What's more, HIPAA breaches affecting 500 or more individuals are posted on the OCR's Breach Portal page, more commonly known within the healthcare industry as the 'Wall of Shame'.
While phishing attacks are inherently difficult to identify, there is evidence that organizations could be doing more to protect themselves. According to a survey of IT security professionals conducted by the Ponemon Institute, many U.S. organizations lack sufficient anti-phishing defences.
79% of respondents said that they had experienced an email-related data breach or cyber-attack in the past 12 months, and 80% expressed concern about their company's ability to prevent or minimize phishing attacks specifically. Despite the prevalence of such breaches within their organizations, only 29% of respondents said that their organization had made significant progress towards addressing phishing threats. Perhaps most worrying of all, just 34% of respondents said they provide anti-phishing training for employees.
What can organizations do to prevent phishing attacks?
Phishing attacks on healthcare organizations are typically carried out with the intention of gaining access to PHI or of deploying ransomware, both of which can be highly profitable for attackers. So long as PHI commands a high price on the black market, healthcare will remain a lucrative target. It is therefore critical that organizations are proactive in protecting themselves from phishing threats by implementing multi-faceted defence strategies that address both human and technological weaknesses, including but not necessarily limited to the following:
- Regular staff training – Providing anti-phishing training for staff keeps them up to date with the latest phishing techniques and better equipped to tell a phishing email from a genuine communication. In some cases a phishing email carries a malicious attachment or link that installs malware the moment it is opened, so it is crucial that staff know exactly how to handle suspicious mail (do not open attachments or follow links, and report the message to the security team) to avoid unforeseen disasters further down the line. Numerous software products simulate real-life phishing attacks against your own staff; these are a good way of assessing whether training has been effective or whether there are still areas of weakness that need further education.
- Secure networks – As technology advances, cyber criminals develop ever more sophisticated techniques, so even with extensive security training, employers cannot expect their staff to recognize every single phishing attempt. It is therefore vital to deploy sufficient technical controls to blunt the attacks that get through. Keeping antivirus and antispam/email-filtering software current protects endpoints and reduces the volume of malicious email that reaches inboxes, and requiring multi-factor authentication limits what an attacker can do with a password harvested by a phishing page.
- Regular audits – Conducting routine security audits, such as checking the antivirus status of all equipment and arranging regular refresher training for staff, goes a long way towards safeguarding an organization from attack. It is also important to check regularly that stored PHI and other sensitive data are encrypted at rest and that access to them is restricted to authorized users, so that a single compromised account or device does not expose everything.
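The "tells" that staff training and email filtering look for can be checked mechanically. The script below is an added example written for this article, not a tool from the page or from any vendor it mentions: it parses a raw email message and flags four common spear-phishing indicators (a Reply-To that diverts replies elsewhere, a display name that embeds an internal address while the real sender is external, a sender domain that is a look-alike of an internal one, and a link whose visible text names one site while its href goes to another). The internal domain `example-health.org`, the two sample messages and every address in them are constructed for the example.

```python
"""Heuristic spear-phishing indicators over a raw email message (added example)."""
import re
from email import message_from_bytes
from email.utils import parseaddr
from html.parser import HTMLParser

# Domains the organization treats as its own (hypothetical for this example).
INTERNAL_DOMAINS = {"example-health.org"}

# Crude look-alike normalization: characters commonly swapped for real letters
# in typosquatted domains (0->o, 1->l, rn->m, vv->w, ...).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical_domain(domain: str) -> str:
    """Map a domain to a form in which common look-alikes collide."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels of a host name (a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of_url(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: bytes) -> list:
    """Return (code, detail) tuples for each phishing tell found in the message."""
    msg = message_from_bytes(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Replies are routed to a domain other than the apparent sender's.
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    # 2. The display name embeds an internal address but the real address is external,
    #    e.g. "Payroll <payroll@internal>" <someone@attacker-domain>.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if claimed and claimed.group(1).lower() in INTERNAL_DOMAINS and from_dom not in INTERNAL_DOMAINS:
        findings.append(("spoofed-display-name", display))

    # 3. The sender domain is a look-alike of an internal domain.
    if from_dom not in INTERNAL_DOMAINS and any(
            canonical_domain(from_dom) == canonical_domain(d) for d in INTERNAL_DOMAINS):
        findings.append(("lookalike-sender", from_dom))

    # 4. A link's visible text names one host while its href points at another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        ext = _LinkExtractor()
        ext.feed(html)
        for href, text in ext.links:
            shown = host_of_url(text) or (text.lower() if re.fullmatch(r"[\w-]+(\.[\w-]+)+", text) else "")
            actual = host_of_url(href)
            if shown and actual and registrable(shown) != registrable(actual):
                findings.append(("link-mismatch", f"shows {shown}, goes to {actual}"))
    return findings


# Constructed sample messages; all domains and addresses are placeholders.
PHISH = b"""From: "Payroll <payroll@example-health.org>" <payroll@examp1e-health.org>
Reply-To: hr-update@mail-forms.example
To: nurse@example-health.org
Subject: Action required: update your direct deposit
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm your details at
<a href="https://login.mail-forms.example/hr">https://portal.example-health.org/hr</a></p></body></html>
"""

LEGIT = b"""From: "IT Helpdesk" <helpdesk@example-health.org>
To: nurse@example-health.org
Subject: Scheduled password reset
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Reset at <a href="https://portal.example-health.org/reset">https://portal.example-health.org/reset</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw))
```

The checks are deliberately cheap heuristics of the kind a mail gateway or a user-reported-phish triage script would run; they complement, rather than replace, sender authentication (SPF/DKIM/DMARC) and the filtering products mentioned above, and the look-alike normalization here covers only a handful of substitutions.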
When it comes to phishing attacks, failing to prepare really is preparing to fail. Until healthcare entities improve their levels of protection and educate their staff on the dangers of phishing emails, the issue is likely to get worse before it gets better.