It’s no secret that the healthcare industry continues to be a target for cyber criminals and healthcare organization leaders face constantly evolving cyber threats. It's widely konwn that phishing attacks are a serious problem in the healthcare industry, yet the industry continue to lag behind other industries in its resiliency to phishing attacks, according to a recent report.
In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) which affected a total of 5.579 million patient records. A Verizon 2018 Data Breach Investigations Report (DBIR) released in April found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And, that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.
In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.
The report researchers examined healthcare’ resiliency to phishing attacks. Resiliency is the ratio between users who report a phish versus those who fall susceptible, according to the report. While resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 in 2018, so far—but it doesn’t mark dramatic improvement.
Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.
The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researches surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.
“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.
One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.
Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.
The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.
“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.
The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.
In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.
The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. And the report authors note that any active threats that a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.
“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.
