Though it may seem that phishing is an outdated mode of attack, the brutal truth is that it is still alive and remains a real threat to the healthcare industry. In fact, it has become a preferred method for attackers to breach healthcare organizations and steal valuable medical data, and it has devastated the industry in recent years. The primary purpose of a phishing attack is to gain a foothold in the organization by infecting a computer or other endpoint.
A recent data breach investigations report found that financial pretexting (obtaining financial information under false pretenses) and phishing together represented around 95 percent of all breaches, with email being the key element.
Attackers use various social engineering tricks to lure the victim into clicking on a malicious link. They search public sources for information about the organization and weave it into the email to make it look trustworthy. The attackers often create a sense of urgency: for instance, the email claims that some IT administration task must be completed to keep access to the recipient's mailbox, asks the recipient to click the link provided, and the system is compromised.
Medical Records are their Prime Target
Today, attackers are becoming more successful at penetrating networks because their techniques are getting more precise and sophisticated. A recent survey reported that attackers are mostly attracted to valuable medical records. Over one-quarter of the organizations surveyed had experienced a successful phishing attack that infected their network with malware. Attackers are also very conscious of timing, sending phishing emails at carefully chosen moments to trick victims.
At times, attackers also launch spear phishing attacks against corporate executives within a company. If they can enter the network with ease, the attackers can lie low for months collecting data on email flows. Once they have enough information, they impersonate a top-ranking executive and carry out their schemes. This situation is termed 'CEO Phishing', the ultimate authority scam.
Phishing schemes involve impersonating an authority figure, and CEO Phishing is the best example of this. What better option does the attacker have than wielding the authority of a CEO? In such a case, the attackers pose as the CEO and direct the CFO to wire money to a supplier, whose account is in fact one set up by the attackers.
Effective Training Can Resolve the Issue
Employee training is considered one of the best ways to fight phishing, and it should be done frequently. The training should be impactful, timely, relevant, and robust, especially for employees handling patients' digital healthcare data. Arranging such sessions once a year is not enough to combat phishing, so they should be organized often.
The training should teach employees to look for every minute detail that betrays a phishing attack and what not to click on in an unsolicited email. This matters because email is the most troublesome entry point, as it so easily opens the door to malicious attacks.
Best Security Tools
Protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC) improve email security by giving greater assurance about the sender's identity. DMARC is designed to detect forged sender addresses that appear to come from legitimate organizations by verifying the domain name shown in the 'From:' field of the email message header. It enables organizations to stop scammers from using their email domain to attempt infiltration. In short, the protocol lets an organization be assured that email received from its domain name came from servers it owns, and prevents someone from spoofing its email domain.
Below are techniques any organization should implement to prevent phishing attacks.
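As an added illustration (not from the article, and not any vendor's implementation), the following Python sketches how a receiving mail server applies a DMARC record: it parses the record's tags and checks that the domain in the 'From:' header is aligned with the domain that SPF or DKIM authenticated, returning either "pass" or the policy the domain owner requested for forgeries. The domain names and records are constructed, and the organizational-domain rule is simplified to the last two labels.

```python
from typing import Optional

# Constructed sample DMARC TXT records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.test",
    "hardened": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-hospital.test",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A usable record must start with v=DMARC1 and state a policy (p=).
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (need v=DMARC1 and p=)")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_domain: Optional[str] = None,
             spf_pass: bool = False, dkim_domain: Optional[str] = None,
             dkim_pass: bool = False) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, else the domain owner's policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # none, quarantine, or reject: what the receiver should do with the forgery
```

A record published with p=none only reports forgeries; the spoofed message is still delivered, which is why the hardened record moves to p=reject with strict alignment.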
- Audit of the Current Cybersecurity Environment
Today, the widespread use of mobile and IoT devices carries a huge number of threats. Hence, organizations should conduct an exhaustive and ongoing assessment of their vulnerabilities. It is also beneficial for companies to stay aware of current threats, keep patches up to date, and use defensive tools that protect against evolving malware.
- Segment Networks
One of the toughest challenges of safeguarding patient data is keeping the sensitive information quarantined from the rest of the network, making it difficult for attackers to reach it. Segmentation employs routers, firewalls, and various other tools to restrict access to parts of the network, providing an added layer of security for PHI (protected health information).
- Train End Users
Healthcare is the only industry where insider threats outnumber those from outside the organization. Hence, to prevent accidental exposure by insiders, training employees to detect and report suspicious email activity is pivotal. Various healthcare companies also believe that training helps reduce attacks while improving confidence.
There is no doubt that phishing is a significant danger to healthcare organizations. It is the method attackers most often choose to steal medical records and deploy ransomware. Therefore, healthcare organizations need to harden their systems to keep phishing attacks from succeeding. As discussed above, to battle phishing, organizations need to train employees to detect and avoid phishing emails. Adopting best security practices and deploying appropriate technology lessens the chances that a phishing attack will succeed.
– Ashwini Deshpande