Guest Column | March 2, 2020

Is Employee Training The Only Solution Against Phishing In Healthcare?

By Ilia Sotnikov, Netwrix

Seton Health Breached Through Email Phishing Scam

Healthcare organizations are being bombarded with phishing attacks. Of the 168 hacking incidents against healthcare organizations in the first half of 2019, more than half (52 percent) were phishing attacks, according to the Protenus 2019 Mid-Year Breach Barometer Report. Some of the most newsworthy hacks included UConn Health (326,000 records compromised) and the Oregon Department of Human Services (645,000 records and 2.5 million emails compromised).

To deal with phishing, healthcare organizations should use several methods, which reduce the likelihood of phishing attacks and minimize potential damage. But the question is, how efficient are these measures and which approach should healthcare providers take to avoid compromise of sensitive data due to phishing attacks?

Why Are There So Many Phishing Attacks On Healthcare Organizations?

There are several reasons why phishing attacks on healthcare organizations are so common. First, they have a high success rate. After all, it takes only one mistake — one employee who is lured into clicking on a malicious link — for the culprit to get inside the corporate network. Plus, some phishing attacks, called spear-phishing, are carefully crafted to target specific users, which increases the likelihood that they’ll open the email and click on the malicious links inside.

Finally, hackers are highly motivated to target healthcare organizations because the personal health information (PHI) they store is quite valuable. According to the Center for Internet Security (CIS), one healthcare record can sell on the black market for as much as $363, while personally identifiable information (PII) sells for just $1 or $2. The reason for this cost differential is simple: Criminals can readily use health records for fraud, identity theft or extortion, and the victims cannot render those records useless nearly as easily as they can cancel a credit card number or close a bank account.

How Can Healthcare Providers Reduce The Chances Of A Successful Phishing Attack?

The first step in blocking phishing attacks is to conduct comprehensive employee training and regularly test how well everyone has absorbed the lessons. Many healthcare organizations are stepping up their efforts in this area. For example, two organizations that suffered phishing attacks in 2019, UNC-Chapel Hill School of Medicine and Katherine Shaw Bethea Hospital, both said that they would be educating their staff about phishing. More broadly, the Netwrix 2020 IT Trends Report found that 56 percent of healthcare organizations are making better cybersecurity awareness one of their top priorities for 2020.

The second critical step is to implement stronger security policies, especially around email security and password complexity. This was the first step taken by Choice Cancer Care Treatment Center after a phishing attack led to a breach in May 2019 — but of course, it’s best not to wait until you suffer a breach to carefully review your policies and update them to reflect current best practices.

While these steps will help reduce the chances of a successful phishing attack, they can’t guarantee 100 percent data protection. There is always a risk that an employee will forget their training and click on a link in a phishing email — especially if it’s a particularly compelling spear-phishing message. Moreover, phishing isn’t the only threat to your PHI; you also need to constantly watch for suspicious user activity across your entire on-prem, cloud or hybrid IT environment. Indeed, the Netwrix 2019 Cloud Data Security report discovered that 49 percent of healthcare organizations now store PHI in the cloud, so it’s crucial for organizations to have visibility into their patient data no matter where it resides to minimize the risk of data compromise.

What Are The Best Practices For Protecting PHI Against Phishing Attacks And Other Threats?

While you should institute comprehensive user training and strengthen your security policies to block as many attacks as possible, you should also adopt measures that will help you detect and investigate successful phishing attacks and suspicious user behavior quickly. By ensuring you can stop hackers before they compromise large volumes of patient data, you will minimize your financial losses, compliance violations, and bad publicity. Here are the key best practices you should implement:

  • Monitor user activities. It’s crucial to gain a better awareness of what’s going on across your IT environment, including who is modifying or copying which PHI. If you can detect unusual activities that might put patient data at risk and investigate promptly, you can take action before you suffer a data breach. Ideally, you want to get alerted automatically to suspicious events, such as multiple failed logon attempts or someone accessing medical information that they have never looked at before.
  • Regularly review and minimize permissions. A hacker who compromises an employee’s credentials can access all the sensitive data that account can reach. Therefore, it’s a basic best practice to make sure that each user has only the absolute minimum privileges they need to do their job. For instance, an assistant should not have access to sensitive patient data. Rigorously enforcing the least-privilege principle with regular permissions reviews will substantially reduce your attack surface. Be sure to pay particular attention to privileged users, since hackers often try to obtain those credentials. In particular, ensure that privileged users don’t have universal access across all systems and data storages (e.g., a SQL admin account should not be a member of the Domain Admin group).
  • Classify your data. If you have visibility into what data you store, where it resides and who has access to it, you can determine which data requires the most attention and choose appropriate controls to protect it. You can use data classification to evaluate risks to PHI as required by §164.308 of HIPAA and store your most valuable data (e.g., test results and diagnoses) only in secure locations.
  • Other anti-phishing techniques. To further reduce the risk of a breach of PHI, be sure to implement basic best practices designed to improve general security, such as staying up to date on software patches, encrypting sensitive data and using antivirus software.

To effectively combat phishing threats and protect your PHI, you need a defense-in-depth strategy. Key elements include regular cybersecurity training, enforcement of the least-privilege principle for both regular users and admins and classifying your data so you can prioritize your data protection efforts and comply with regulatory mandates.

About The Author

Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.