The Healthcare Industry Has a Phishing Problem
Healthcare Phishing Attacks on the Rise During Pandemic
Phishing attacks on healthcare systems have drastically increased in both quantity and magnitude since the beginning of the coronavirus pandemic. In the years preceding the pandemic, hospitals and clinics of every size were regularly targeted by hackers looking to seize invaluable patient medical records or to threaten the release of sensitive information unless a ransom was paid. Now, with COVID-19 forcing most industries to wade further into the digital space, opportunities for cybercriminals to exploit network systems have only grown.
Recent findings by Check Point Software show that the healthcare industry experienced a 45 percent increase in cyberattacks in the fourth quarter of 2020 alone, outpacing every other industry sector. IT incidents accounted for 92 percent of all breached healthcare records last year.
While health systems routinely suffer malware, ransomware, and trojan infections, the most common way those payloads arrive, and the most lucrative method for attackers, remains email phishing. With more and more healthcare employees communicating via email, opportunities for medical professionals and support staff to inadvertently interact with cybercriminals are at an all-time high. And because health providers rely on the swift exchange of medical and insurance records, a single staff member acting on a convincing message can expose a large volume of sensitive data.
Why Phishing Attacks Target Healthcare Systems
The illegal sale and distribution of confidential patient medical records is highly profitable. These records are often bought and sold on the black market for 50 times more than personal financial information. While a stolen credit card number can be purchased for one or two dollars, protected health information can be sold for as much as $363, according to the Infosec Institute.
Because individual medical histories, including diagnoses, surgical records, and prescription information can’t simply be changed like a credit card number, they provide cybercriminals with lasting means of defrauding insurance organizations, pharmacies, and medical device companies.
The Center for Internet Security further outlines the real-world scope of the healthcare phishing problem: “[PHI] can be used to create fake insurance claims, allowing for the purchase and resale of medical equipment. Other criminals use PHI to illegally gain access to prescriptions for their own use or resale.” For the bad guys, healthcare networks are a veritable goldmine of resaleable data.
For already overburdened healthcare systems, the exposure of confidential patient medical records can have lasting consequences for providers and patients alike. In some instances, healthcare organizations with especially lax security practices can be found in violation of the HIPAA Privacy and Security Rules and subject to steep civil penalties, reaching tens of thousands of dollars per violation with annual caps in the millions.
How to Spot a Healthcare Phishing Attack
Healthcare phishing attacks come in a variety of shapes and sizes, but they are usually identifiable by a few common traits. Email phishing works by impersonating a trusted source and pressuring unsuspecting individuals into divulging credentials or other protected information. The cybercriminal behind the attack may request the information directly, or push the recipient to click a link that leads to a credential-harvesting page or open an attachment that installs malware on the network.
Below are several examples of email phishing tactics, courtesy of the Federal Trade Commission:
- They include a fake invoice.
- They offer a coupon for free stuff.
- They want you to click on a link to make a payment.
- They say you must confirm some personal information.
- They say you’re eligible to register for a government refund.
- They say they’ve noticed some suspicious activity or log-in attempts.
- They claim there’s a problem with your account or your payment information.
For added context, consider a real-world phishing email we have seen:
At first glance, the email might seem legitimate, but if you slow down and take a hard look at the details, you should notice a few irregularities. For starters, the subject line references Chase Bank, yet the body of the message refers to a PayPal account. Secondly, the sender's email address belongs to a chiropractic clinic's domain, not to either bank. Finally, the content of the email is riddled with grammatical errors and confusing jargon.
The above example is typical of an email phishing scam. The threat actors behind these attacks often rely on users to focus on trusted or familiar branding elements and look past glaring issues in the messaging. Unfortunately, these crude attacks have proved alarmingly successful. A recent Security Boulevard report concluded that 30 percent of users will open a phishing email, and another 12 percent will go on to click a malicious link or attachment. Only three percent will report it to a supervisor.
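The irregularities described above (brand named in the subject versus the body, a sender domain that belongs to neither brand, and links that point somewhere other than the brand's own site) can be checked mechanically before a message reaches a busy front desk. The script below is an added example written for this article, not code from the original post or from any vendor; the two sample messages are constructed to mirror the description above, all domain names in them are placeholders under the reserved .test TLD, and the brand-to-domain table is an assumption that a real deployment would maintain from its own vendor list.

```python
"""Heuristic phishing indicators over a raw RFC 5322 message.

Checks: brand mismatch between subject and body, sender domain that is
not a known domain for any brand named, Reply-To pointing at a different
domain than From, and links whose host merely *contains* a brand name.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookup table: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample mirroring the email described in the article.
PHISH_EMAIL = """\
From: "Chase Online Banking" <billing@example-chiro-clinic.test>
To: frontdesk@example-clinic.test
Reply-To: verify-now@example-mailbox.test
Subject: Chase Bank: Urgent notice on you're account
Content-Type: text/html

<html><body>
<p>Dear Custumer, we has noticed suspicious activity on your PayPal acount.</p>
<p>Please <a href="http://paypal.com.login-verify.example.test/confirm">click here</a>
to confirm you're information within 24 hours.</p>
</body></html>
"""

# Constructed benign counterpart: consistent brand, matching sender and link domains.
LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: frontdesk@example-clinic.test
Subject: Your PayPal receipt
Content-Type: text/html

<html><body><p>Your PayPal payment receipt is available at
<a href="https://www.paypal.com/activity">paypal.com</a>.</p></body></html>
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for .com-style TLDs used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address) -> str:
    """Registered domain of the address part of a From/Reply-To header."""
    _, addr = parseaddr(str(address) if address else "")
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def brands_in(text: str) -> set:
    lowered = text.lower()
    return {b for b in BRAND_DOMAINS if b in lowered}


def analyze(raw: str) -> list:
    """Return a list of (indicator_code, detail) tuples; empty means no finding."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    findings = []
    subject_brands, body_brands = brands_in(subject), brands_in(body)
    if subject_brands and body_brands and subject_brands != body_brands:
        findings.append(("BRAND_MISMATCH",
                         f"subject names {sorted(subject_brands)}, body names {sorted(body_brands)}"))

    mentioned = subject_brands | body_brands
    legit = set().union(*(BRAND_DOMAINS[b] for b in mentioned)) if mentioned else set()
    from_dom = domain_of(msg["From"])
    if mentioned and from_dom not in legit:
        findings.append(("SENDER_DOMAIN",
                         f"From domain {from_dom!r} is not a domain of {sorted(mentioned)}"))

    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("REPLY_TO_MISMATCH",
                         f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}"))

    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        if dom in legit:
            continue
        # "paypal.com.evil.example" contains the brand but registers under another domain.
        impersonated = [b for b in BRAND_DOMAINS if b in host and b not in dom]
        if impersonated:
            findings.append(("LOOKALIKE_LINK", f"{host} places {impersonated} inside {dom}"))
        elif mentioned:
            findings.append(("OFF_BRAND_LINK", f"link to {host} while message names {sorted(mentioned)}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze(sample))
```

The checks are deliberately simple string and domain comparisons, the same ones a careful reader performs by eye; they flag the described message on all four indicators and pass the benign receipt, but a production filter would add SPF/DKIM/DMARC results and a proper public-suffix list rather than the two-label domain shortcut used here.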
Figures like these point to a growing need for healthcare organizations to adequately train their employees on the dangers of email phishing tactics and establish robust network security protocols to prevent and recover from phishing attacks. Keep reading to discover essential steps every healthcare provider should take to harden their network security against phishing attacks.
A Holistic Approach to Healthcare Phishing Prevention
No network security perimeter is truly impervious, and a complete defense requires a number of techniques and intervention measures, but there are a few steps any healthcare provider can take to eliminate some of the most avoidable forms of data loss or theft. Below we've listed four you can implement today.
- Security Awareness Training: Adequately training healthcare staff to recognize common email phishing tactics and other cyberthreats can significantly reduce the number of data breach incidents. If you don’t know where to get started, check out some of the free resources provided by KnowBe4.
- Multi-Factor Authentication: Much like porch pirates who steal packages off of doorsteps, cybercriminals are usually opportunists. If you give them any resistance at all, they're more than likely going to move on to the next potential target. Protect all accounts with multi-factor authentication, so that a password harvested by a phishing page is not enough on its own. Prefer an authenticator app or a hardware security key over text-message codes: SMS codes can be intercepted or relayed by a phishing site in real time, while security keys built on FIDO2/WebAuthn are bound to the genuine site and cannot be replayed to an impostor.
- Security Software and Patching: Choose reputable, enterprise-grade security software and set it to update automatically, and do the same for your operating systems, browsers, and email clients. Unpatched software leaves the door open to cybercriminals looking to invade your network and steal your data, and a phishing attachment often does nothing more than exploit a vulnerability whose fix has already been published.
- Backup and Recovery: In the event that a phishing attack is successful, your organization must be prepared to recover lost or stolen data. Having a disaster recovery plan that includes contingencies for cyberattacks is a must. We are happy to recommend a secure cloud or hard storage solution that suits your organization’s unique needs.
Far from an exhaustive list, the topics above should prove useful for healthcare organizations just beginning to review their information security best practices. We recommend working with a trusted IT partner to implement these measures. Having a single, reliable point of contact for all of your managed IT services is the best defense for providers at risk of losing invaluable patient data.
The Best Defense Against Healthcare Phishing Attacks
In addition to training both medical professionals and support staff on the dangers of email phishing attacks, the best decision a healthcare organization can make in staving off complete financial ruin is to partner with an experienced IT service provider with a track record of successfully implementing and managing full-service network security solutions at scale.
At Nicolet Tech, we routinely partner with healthcare providers who require full-spectrum support and round-the-clock security monitoring. Whether your clinic is in need of on-demand network assistance or long-term managed IT services, we have the skills and expertise to keep your business safe for the long haul. Click below to learn more about our full menu of IT services.
- Backup and Recovery
- Cloud Services
- Data Management
- Disaster Planning and Recovery
- Email and Spam Administration
- Hardware Sales and Support
- Managed IT Services
- Network Management
- Network Setup and Maintenance
- On-Demand Services
- Responsive Support
- Software Sales and Support
- VoIP and Mobile Services
We recommend partnering with an IT service provider who values building strong relationships with clients. The experienced IT professionals at Nicolet Tech proudly offer trusted service to several Twin Cities metro healthcare organizations. If your hospital or clinic was recently the victim of an email phishing scam or cyberattack, contact us to schedule your free consultation today.
Our agile approach to network and information security allows us to stay ahead of the competition and, more importantly, the bad guys. If your current managed IT service provider isn’t meeting your needs, we would love to show you the difference our team can make. Healthcare providers should be able to focus on the health and wellbeing of their patients. Let us take care of your digital hygiene.