By Dena Bauckman, Zix
To start the year, news broke of an attack that used a phishing email scam to steal 30,000 medical records from the Florida Agency for Health Care Administration. Similar phishing attacks have happened every month since the November attack, exposing tens of thousands more records. More attacks are assuredly underway — and on the way.
These developments are alarming because of the potential impact and the sobering fact that few healthcare organizations are immune to this type of attack. Fewer than 4 percent of U.S.-based healthcare companies with revenue above $1 billion have adequate email protections in place. That means the vast majority of the industry is extremely vulnerable to all types of email-based attacks. Thanks to the recent increase in impersonation-based scams, healthcare providers will likely see more targeted and effective attacks appear in the inbox.
What Is An Impersonation-Based Attack?
Impersonation-based attacks used to be so bumbling that it was easy to spot the imposters. Fake emails didn’t possess specific personal details and often were filled with clunky messaging, grainy images, and enough red flags to prompt most users to delete immediately. That’s no longer the case. There’s much more to the formula now than graphics and marketing copy.
Today’s impersonation-based attacks are highly sophisticated and extremely convincing. The emails come from what appear to be real people (or companies) you know and trust. The details are stunning, and the messages seem legitimate, largely because hackers have scoured the internet to learn specific details about you, the people in your circle, your job, and so much more. Scraps of personal information gleaned from online company bios, Twitter pages, and LinkedIn profiles are all a hacker really needs in order to spoof you.
While the overall look of these emails has improved, improvements to the content are what make them so much more convincing. These messages now call out specific people and make references to relevant details. As a result, unknowing users are eager to provide hackers with exactly what they want. If you’re the chief financial officer of an organization and you receive an email from the CEO requesting credential information, what would you do?
Plenty of people innocently give up login credentials, account numbers, and other sensitive information daily. The impersonations have become that good.
Why Impersonation-Based Attacks Are A Growing Threat
Cyberattacks in healthcare are rising rapidly across the board. The number of targeted attacks in 2017 topped the 2016 figures, and more than one-quarter of all attacks were directed at healthcare providers. Impersonation attacks are growing, along with all other cyber threats.
The tactics of hackers are also changing, and impersonation-based attacks satisfy their new agenda. Cybercriminals aren’t necessarily looking to steal the largest amounts of data anymore; instead, they target very specific data. Whether they are driven by ideology or profit, they put the greatest value on highly sensitive information.
Healthcare is an ideal industry from which to extract that data because it bridges the worlds of medicine and finance. Hackers know that almost any healthcare organization they target will have something of value to steal. It’s as easy as identifying an individual employee and impersonating a boss or supplier to get access or information.
These attacks are increasing in frequency and consequence. They are also evolving to bypass existing security measures by using spoofed email addresses or increasingly sophisticated forms of social manipulation. Currently, organizations in every corner of healthcare and physicians across the country are under siege, with a staggering 83 percent falling victim to some form of cyberattack.
Unmasking An Impersonation-Based Attack
These attacks are hard to spot by design, but that doesn’t mean they must continue to be a scourge. A concerted effort on the part of stakeholders inside and outside healthcare makes it possible to protect patients, providers, and private enterprise collectively.
That begins by acknowledging the nature of the problem. Attacks on the email inbox are easy to orchestrate and often effective. That is why the inbox has been and will continue to be the front line of cybersecurity. Once healthcare organizations understand that insignificant emails can often contain major threats, they will adjust their cybersecurity strategies accordingly.
Acknowledging the scale of the problem is another issue. Healthcare data is extremely valuable on the black market. Each record is valued at upwards of $1,000, and the potential value skyrockets when records can be linked to specific individuals. Considering that a credit card number is worth only about 25 cents, attacks targeted at healthcare providers are likely to be aggressive and ongoing. Ideally, urgency around this issue will lead the industry to commit to greater protections.
The healthcare industry must own up to its historical struggles with cybersecurity and take an aggressive stance against the problems it faces. And as waves of new healthcare technology come online, the struggle to stay secure could grow exponentially.
There’s no doubt that impersonation attacks will become more sophisticated, but they don’t necessarily have to become more successful. If healthcare entities can use email security solutions that are designed to specifically identify impersonation attacks, that’d be a tremendous start. Preventive steps to consider include implementing sender authentication protocols such as SPF, DKIM, and DMARC; rolling out advanced threat protection for email; and training users thoroughly and repeatedly.
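As an added illustration of how the SPF, DKIM, and DMARC recommendation above actually catches a display-name spoof (this is example code, not Zix's product or anything from the original article), the following checks the receiving server's Authentication-Results header against a DMARC policy: DMARC only passes when SPF or DKIM passed for a domain aligned with the visible From: domain. The domains, headers, and DNS record are constructed for the example; the organizational-domain logic is a simplification that assumes two-label suffixes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS TXT record published at _dmarc.example-hospital.org.
DMARC_RECORDS = {"example-hospital.org": "v=DMARC1; p=reject; adkim=r; aspf=r"}

# Constructed headers as the receiving MX would stamp them. The first message shows the
# CEO's address in From: but was authenticated by an unrelated domain; the second is genuine.
SPOOFED = """\
Authentication-Results: mx.example-hospital.org;
 spf=pass smtp.mailfrom=notify@mailer-example.net;
 dkim=pass header.d=mailer-example.net
From: "Hospital CEO" <ceo@example-hospital.org>
"""
GENUINE = """\
Authentication-Results: mx.example-hospital.org;
 spf=fail smtp.mailfrom=ceo@example-hospital.org;
 dkim=pass header.d=mail.example-hospital.org
From: "Hospital CEO" <ceo@example-hospital.org>
"""

def org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    # Strict ("s") needs an exact match; relaxed ("r") accepts the same organizational domain.
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_dmarc(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def evaluate_dmarc(raw_message, dns=DMARC_RECORDS):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    results = " ".join(msg["Authentication-Results"].split())  # unfold the header
    policy = parse_dmarc(dns.get(org_domain(from_domain), "v=DMARC1; p=none"))
    spf = re.search(r"spf=(\w+) smtp\.mailfrom=([^;\s]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(
        from_domain, spf.group(2).rsplit("@", 1)[-1].lower(), policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d.lower(), policy["adkim"])
                  for res, d in re.findall(r"dkim=(\w+) header\.d=([^;\s]+)", results))
    passed = spf_ok or dkim_ok  # DMARC passes if either aligned mechanism passes
    action = "deliver" if passed else {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver-and-report")
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "action": action}
```

Without a published DMARC policy (p=none) the spoofed message is still delivered, which is why publishing and enforcing the record matters as much as signing outbound mail.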
Failing to be proactive with protection leads to lost public confidence and hefty regulatory penalties. Impersonators may not seem like a major threat facing healthcare providers, but disguise and deception are exactly what they excel at.
About The Author
Dena Bauckman is VP of product management for Zix, where she has worked for 13 years. She has more than 20 years of experience in product management and product marketing and has been CISSP certified since 2007.