November 9, 2016

Phishing Attacks: A Hacker’s Gateway to Patient Health Records

Cate Stanton

Over the past few weeks, we focused our “Patients at Risk” series on the various threats that hospital insiders present to patient data. Now, we are shifting our attention to threats from external parties.

Phishing attacks are one of the main ways hackers break into networks and gain access to sensitive health data. In the healthcare industry, it’s a popular strategy for stealing patient data stored in the EHR. Alan Paller, the Director of Research at the SANS Institute, describes phishing as the primary gateway to hospital networks, estimating that 95% of all hacking attacks on enterprise networks gained entry through phishing.

To learn about the array and magnitude of costs that accompany successful hacking incidents, check out our Cost of a Breach white paper here.

Phishing Isn't Rocket Science

To understand why hackers use phishing tactics so frequently, it’s essential to understand how they work. Most simply, think of it as a play on words; phishing attacks involve hackers going fishing for information.

Phishing gets around healthcare cybersecurity controls by tricking someone into divulging sensitive information that gives the hacker an entry point into an organization's network. Manipulating people rather than technology in this way is called social engineering.

The processes for carrying out phishing attacks are well-known. Hackers identify institutions, find relevant employees’ email addresses, compose emails, and build fake web pages. Since most people don’t willingly hand over their bank account information, credit card numbers, or passwords, phishers take extra steps to make their correspondence look legitimate. They often reuse real company logos and email copy. They send the emails from spoofed or lookalike addresses, and design web pages that appear valid even though they exist only to capture credentials. Emails may also carry attachments containing malware or ransomware, or links to sites that deliver them. Next, the phisher sends the phony message. If the employee opens the email, clicks the link or attachment, and enters their information, the phisher records it and uses the stolen credentials to log into the otherwise locked network as that employee. Once inside the database, they can gather and steal patient health data and use it to commit various forms of identity fraud.
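The tells described above (a spoofed sender, a Reply-To pointing somewhere else, failed sender authentication, a lookalike domain, and a link whose visible text does not match where it actually points) can be checked mechanically. The following is an added example, not code from the original post or from any vendor: a small triage script over a constructed phishing message. The domain hospital-example.org, its lookalike hospital-examp1e.org, the mailbox names and both messages are made up for the example.

```python
"""Added example (not from the original post): score the common phishing tells
in an e-mail.  The messages, hospital-example.org and the lookalike
hospital-examp1e.org are constructed for this example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organization legitimately sends from (assumption for the example).
TRUSTED_DOMAINS = {"hospital-example.org"}

# Constructed phishing message: trusted display name, lookalike Reply-To,
# failed SPF, no DKIM, and a link whose visible text hides its real target.
PHISH = """\
From: IT Help Desk <helpdesk@hospital-example.org>
Reply-To: support@hospital-examp1e.org
To: nurse.jane@hospital-example.org
Subject: Action required: your EHR password expires today
Authentication-Results: mx.hospital-example.org; spf=fail smtp.mailfrom=hospital-examp1e.org; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Your EHR password expires in 2 hours. Verify now.</p>
<p><a href="http://hospital-examp1e.org/sso/login">https://sso.hospital-example.org/login</a></p>
</body></html>
"""

# Constructed legitimate message for contrast.
LEGIT = """\
From: IT Help Desk <helpdesk@hospital-example.org>
To: nurse.jane@hospital-example.org
Subject: Scheduled EHR maintenance Saturday
Authentication-Results: mx.hospital-example.org; spf=pass smtp.mailfrom=hospital-example.org; dkim=pass header.d=hospital-example.org
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.hospital-example.org/notices/42">https://intranet.hospital-example.org/notices/42</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(address_or_url):
    """Last two labels of the host in an address or URL (simplified; a real
    deployment would consult the public suffix list).  '' if none."""
    if "@" in address_or_url and "://" not in address_or_url:
        host = address_or_url.rsplit("@", 1)[1]
    else:
        host = urlparse(address_or_url).hostname or ""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Untrusted domain within two edits of a trusted one, e.g. examp1e vs example."""
    return bool(domain) and domain not in trusted and any(
        edit_distance(domain, t) <= 2 for t in trusted)


def triage(raw):
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = registrable_domain(parseaddr(str(msg["From"]))[1])
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = registrable_domain(parseaddr(str(reply_to))[1])
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
    # SPF/DKIM/DMARC verdicts as recorded by the receiving mail gateway.
    auth = str(msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        href_domain, text_domain = registrable_domain(href), registrable_domain(text)
        if text_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain} but points to {href_domain}")
        if is_lookalike(href_domain):
            findings.append(f"lookalike domain in link: {href_domain}")
    if is_lookalike(from_domain):
        findings.append(f"lookalike From domain: {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Run as a script, the phishing message produces five findings (the Reply-To mismatch, the SPF and DKIM verdicts, the link text/target mismatch and the lookalike domain) and the legitimate message produces none. The Authentication-Results header is only trustworthy when your own gateway adds it and strips any copy the sender supplied, so a real deployment should pin the checks to that gateway's authserv-id.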

Within phishing, spear phishing has proven to be a particularly effective tactic. It involves highly targeted and customized emails written with specific individuals in mind; because each message is tailored and sent in small volume, it is also more likely to get past spam filters. The success rate of spear phishing is considerably higher than that of bulk phishing: by one commonly cited estimate, users open about 5% of generic phishing emails but around 50% of spear phishing emails.

The Dangers of Ransomware

A phishing attack succeeds when the hacker either obtains an employee's credentials or gets ransomware, malware, or another type of unwelcome software running on the employee's machine, and uses that foothold to reach the network or database.

Ransomware attacks have recently plagued the healthcare industry. Research conducted by HIMSS and Healthcare IT News found that up to 75% of hospitals may have been affected by ransomware in the past year. Ransomware is a type of malware that encrypts an organization's data or otherwise locks it out of parts of its systems. Typically, data is held hostage and business operations grind to a halt until the healthcare organization pays the hackers or rebuilds the affected systems from clean backups, a particularly dangerous situation when patients' lives are on the line.

Four Steps That Can Make a Big Difference

Evidence points to healthcare employees being unprepared to face phishing threats. A Verizon report found that healthcare workers missed more questions about how to protect confidential information than employees in other industries when surveyed about data security. The report also showed that professional services and healthcare employees performed the lowest on questions asked about safe passwords.

However, it’s not all doom and gloom. Here are four steps that healthcare institutions can take to prevent phishing attacks and medical data breaches:

  1. Educate Employees: Many experts cite employee education and training as the key to stopping phishing attacks because phishing is all about exploiting people’s weaknesses. Beyond teaching employees how to detect fishy correspondence and sites, simulated phishing campaigns imitate real incidents and prepare users to act correctly during an actual one. Additionally, employees should know exactly how and to whom to report suspicious correspondence, and should not be penalized for doing so.
  2. Install Two-Factor Authentication: Falling for phishing becomes less serious if a username and password alone do not act as a master key to your network. Two-factor authentication gives you a separate way of verifying that employees are who they claim to be. Note that one-time codes delivered by SMS or a mobile app can still be relayed by a phishing page in real time; hardware security keys that bind the login to the genuine site's domain close that gap.
  3. Backup Data: By one 2016 industry estimate, 93% of phishing emails carried ransomware. Storing an institution’s data in more than one place helps ensure that critical information remains accessible in some form, and that healthcare organizations can continue to run even when affected by ransomware. Backups only help, however, if at least one copy is kept offline or otherwise out of reach of the production network, and if restores are tested regularly; ransomware that can reach the backup server encrypts it too.
  4. Implement a Behavior Monitoring System: A hacker using stolen credentials will almost surely access patient data differently from how the legitimate user does, touching more records, different patients, or unusual hours. Hospital privacy monitoring platforms can alert organizations to suspicious and abnormal access patterns, thereby catching malicious activity before it spirals out of control.
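As an added example of the kind of access-pattern check step 4 describes (this is not the original post's code or any product's logic), the script below builds each user's baseline from their own prior days in an EHR access log and flags a day on which the volume of distinct patients or the hours of access fall outside that baseline. The user names, patient identifiers and log lines are constructed for the example; a real system would read them from the EHR audit trail.

```python
"""Added example (not from the original post): flag EHR access that departs
from a user's own baseline.  All log data below is constructed."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed audit lines (not real data): timestamp,user,patient,action.
# jdoe and asmith each have three ordinary days; on 2016-11-04 jdoe's
# credentials are used at 02:xx to export a dozen unrelated patients' records.
BASELINE_LOG = """\
2016-11-01T09:12:00,jdoe,P1001,view
2016-11-01T09:40:00,jdoe,P1002,view
2016-11-01T14:05:00,jdoe,P1003,view
2016-11-02T08:55:00,jdoe,P1002,view
2016-11-02T10:30:00,jdoe,P1004,view
2016-11-02T15:45:00,jdoe,P1001,view
2016-11-03T09:05:00,jdoe,P1005,view
2016-11-03T11:20:00,jdoe,P1003,view
2016-11-01T10:00:00,asmith,P3001,view
2016-11-01T13:30:00,asmith,P3002,view
2016-11-02T09:15:00,asmith,P3001,view
2016-11-02T16:10:00,asmith,P3003,view
2016-11-03T08:45:00,asmith,P3004,view
2016-11-03T12:00:00,asmith,P3002,view
2016-11-03T14:20:00,asmith,P3005,view
2016-11-04T10:05:00,asmith,P3001,view
2016-11-04T11:50:00,asmith,P3006,view
"""
BURST_LOG = "\n".join(
    f"2016-11-04T02:{m:02d}:00,jdoe,P20{m:02d},export" for m in range(10, 22))
ACCESS_LOG = BASELINE_LOG + BURST_LOG


def parse_log(text):
    """Parse CSV audit lines into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def daily_profile(events):
    """user -> day -> (set of distinct patients, set of hours of access)."""
    prof = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for ts, user, patient, _action in events:
        patients, hours = prof[user][ts.date()]
        patients.add(patient)
        hours.add(ts.hour)
    return prof


def detect_anomalies(events, day, min_baseline_days=3, ratio=3.0):
    """Compare each user's activity on `day` with their own earlier days.

    Alerts when the number of distinct patients exceeds `ratio` times the
    user's median daily count, or when access happens outside the span of
    hours the user has previously worked.  Users with too little history
    are skipped rather than judged against a guess.
    """
    alerts = []
    for user, days in daily_profile(events).items():
        baseline = {d: v for d, v in days.items() if d < day}
        if len(baseline) < min_baseline_days or day not in days:
            continue
        usual = median(len(p) for p, _ in baseline.values())
        patients, hours = days[day]
        if len(patients) > ratio * usual:
            alerts.append(f"{user}: {len(patients)} distinct patients on {day}, usual {usual:g}")
        seen = set().union(*(h for _, h in baseline.values()))
        lo, hi = min(seen), max(seen)
        odd = sorted(h for h in hours if not lo <= h <= hi)
        if odd:
            alerts.append(f"{user}: access at hour(s) {odd} on {day}, outside usual {lo:02d}-{hi:02d}")
    return alerts


def run_demo(day_str="2016-11-04"):
    """Evaluate the constructed log for one day and return the alerts."""
    return detect_anomalies(parse_log(ACCESS_LOG), date.fromisoformat(day_str))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Against the constructed log, the script raises two alerts for jdoe on 2016-11-04 (twelve distinct patients against a usual three, and access at hour 2 outside an 08-15 working window) and none for asmith, whose activity that day matches her history. The baseline is per user rather than global because a ward clerk and a radiologist legitimately touch very different numbers of records; an organization-wide threshold would either miss the clerk's compromise or drown the radiologist in false positives.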

Perhaps it’s most essential to understand that no single product, policy, or strategy is a silver bullet for keeping patient data safe from unwanted parties. Rather, a combination of controls that work together and each address a distinct threat within your system is the key to preventing health data breaches.

To learn about the costs healthcare organizations incur as a result of successful hacking attempts, including forensics and lawsuits, check out our Cost of a Breach white paper.

Download the Report