Why Do Phishing Attacks Continue to Plague Healthcare?


Experts Offer Tips for How to Avoid Falling Victim

(HealthInfoSec) • January 17, 2019

Several health data breaches involving phishing attacks - including one that potentially exposed data on more than 100,000 individuals - have been added to the federal health data breach tally this month.


In addition, of the breaches added to the tally during 2018, about 60 percent involved email (see Phishing Scams In Healthcare: A Persistent Threat).

With so much media attention on phishing attacks, why do so many healthcare entities still fall victim to these assaults?

"Phishing attacks will definitely continue to increase because they work," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy. "Cybercrooks will always use what gives them the data they want to steal and the disruption they seek to cause."

Another factor, she says, is that far too many healthcare organizations "continue to do the minimum they think they can get away with when it comes to implementing information security."

Biggest Incident

The largest phishing incident posted in January to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame," was reported on Jan. 3 by Centerstone Insurance and Financial Services, which does business as BenefitMall. The incident affected about 111,600 individuals.

In a statement, BenefitMall, which provides payroll and employee benefits administration services, says that on Oct. 11, 2018, the company became aware of a phishing attack that exposed employee email login credentials. The issue generally occurred between June 2018 and the discovery date.


"Based on the company's current review, BenefitMall has no indication that any information has been used inappropriately," the company says. "Emails in the affected mailboxes may have included consumers' names, addresses, Social Security numbers, dates of birth, bank account numbers and information relating to payment of insurance premiums."

Once BenefitMall discovered the potential data exposure, it initiated an internal review and retained a computer forensics firm to help investigate the incident and remediate any vulnerabilities in systems. The company has also reported the incident to law enforcement.

In the wake of the phishing incident, BenefitMall has implemented additional security measures, including two-factor authentication for access to its email system. The company says it also has launched an employee education initiative to inform employees about phishing scams and how to guard against them and will continue to deliver additional employee training about email safety and recognizing phishing emails.

Insurer Targeted

The federal tally shows that on Jan. 3, Managed Health Services, a provider of managed care plans based in Indianapolis, reported a hacking incident involving email that affected about 31,000 individuals.

A statement on Managed Health Services' website says the incident involved a vendor, LCP Transportation, which allowed unauthorized individuals to gain access to some of its employees' email accounts sometime between July 30 and Sept. 7, 2018. The incident was caused by a phishing attack on the vendor's systems, the statement says.


"The vendor immediately took steps to secure the email accounts and began an investigation, including hiring a computer forensic firm to assist," according to the statement. The investigation concluded that some health plan members' information may have been in the email accounts and could be accessed, Managed Health Services reports. So far, there is no evidence that breached information has been misused, the company says.

The types of information that may have been in the vendor's email accounts could have included name, insurance ID number, address, date of birth, date of service and description of medical conditions of MHS plan members, the statement says.

"Our vendor has disabled the email accounts affected by this incident," the statement notes. "We have tested the email process with them to ensure it is working correctly. Our vendor is making improvements to their system security and conducting employee training about cyber risks."

Physician Group a Victim

In yet another phishing-related incident, Orlando, Florida-based Family Physicians Group, which is part of Humana, also reported an email-related breach in January that affected more than 8,400 individuals.

The physicians group tells Information Security Media Group that patient information may have been exposed between Aug. 7 and Aug. 21, 2018, when email phishing attacks resulted in a "bad actor" gaining access to an employee's email account that contained files that included patient information.

The information exposed included name, date of birth, physician and health plan identification number. To date, the practice has no information indicating that any data has been inappropriately used.

Family Physicians Group says it has taken additional security steps as a result of this incident. "These steps include implementing enhanced email security protections, a forced reset of all FPG employee passwords, and upgrading the email application used by FPG to provide more substantial protections including an e-mail filtering security product to assist in blocking or flagging emails known to be a threat," the physicians group says.

Why So Many Phishing Attacks?

"Phishing and related attacks aimed at employees and other system users will continue to be successful since they rely on human weakness," says Kate Borten, president of privacy and security consultancy The Marblehead Group.

"Despite best training efforts, some people will continue to be hasty or oblivious and respond to malicious messages. Nevertheless, we must continue to raise awareness through good workforce training and simulated attacks."

Herold offers a similar assessment.

"Just last week, I had an organization tell me that they provided the same information security training module each year, for the past six years, and that it 'mentioned phishing,' so they said that was all they needed to do for HIPAA."

Taking Action

Healthcare organizations can take several steps to mitigate the risk of falling victim to a phishing scheme, Herold says, including:

Establish documented information security and privacy policies and supporting procedures that include responsibilities and accountabilities for preventing phishing and other types of social engineering attacks.

Provide updated and frequent training to all employees about the security and privacy policies and procedures, plus send reminders to all employees so they keep the topic at top of mind.

Include consideration of information security and privacy practices within annual performance reviews.

Deploy malware prevention tools, including those that scan for potential phishing attempts based on domains of message origination, message characteristics and other types of heuristical scanning.

Implement strong encryption for data in storage and while in transit.

Implement data leak prevention tools.

Block access to known malicious sites from, or through, business systems and networks.

Implementing two-factor authentication and data segregation practices can also help thwart phishing attacks, other experts note.

Other Worries

Herold says entities must also keep in mind that phishing schemes are often used as the gateway to other types of attacks, such as those involving ransomware.

"Another concern is the increasingly bad software testing and change control practices that I am seeing, along with my information security colleagues, within too many organizations," she notes.

That's especially an issue with B2B businesses, startups and cloud service providers, she contends. "Lack of strong programming and testing practices leaves holes that will be exploited by cybercrooks."