Training and social media standards are a couple of tools that can fight off attackers.
Hospital data breaches continue to rapidly increase. According to the 2019 HIMSS Cybersecurity Survey, 82 percent of participating hospital information security leaders reported having a “significant security incident” in the last 12 months, with a majority (56 percent) of these known incidents being caused by “bad actors” such as cybercriminals.
Hospitals have emerged as a primary target because they sit on a gold mine of sensitive personally identifiable information (PII) for thousands of patients at any given time. From Social Security numbers and insurance policies to next of kin and credit cards, no other organization, including credit bureaus, has so much monetizable information stored in its data centers. This is perhaps the main reason why the average cost of a cyber data breach for hospitals is almost $400 per medical record.
Unfortunately, hospitals are not simply a target of cyberattacks — they are often an easy target.
Today, due primarily to budget and resource constraints, hospital security systems are often less sophisticated and more decentralized than those in other industries, such as financial services. For example, oncology personnel might subscribe to one set of security policies, while nurses in the maternity ward might comply with another. In addition, the proliferation of Internet of Things (IoT) devices has expanded the attack surface in ways many hospital IT security admins never thought possible. At the same time, employees are unintentionally, yet regularly, giving away too much information about their jobs on social media. As a result of this perfect storm, hospitals face unprecedented risk.
Email phishing remains the primary attack vector for nine out of 10 cyberattacks. Today, bad actors primarily use an advanced phishing technique known as email spoofing to attack hospitals, according to the U.S. Department of Health and Human Services. Email spoofing is very effective because it’s not readily detectable by traditional email security tools such as secure email gateways (SEGs) and is difficult for even phishing-trained humans to identify. Because this phishing attack technique is so sophisticated, the undesirable consequences are piling up.
While there are four primary email spoofing techniques, all are designed to make the receiver of an email mistakenly believe that the message is from a trusted source, when, in fact, it is not. Spoofing attacks often attempt to lure a recipient into action, perhaps by clicking a malicious link that redirects to a fraudulent website mimicking the intended destination. In other instances, the spoofing message will impersonate a friend, colleague or third-party vendor.
In hospitals, an attacker might impersonate a doctor, emailing human resources with a request for medical records. Because the spoofed email doesn’t contain a link or attachment, legacy email security tools are unlikely to identify it as fraudulent, and as such, the HR representative is likely to send the requested information without hesitation. It might take months for the hospital to recognize that this instance is what triggered the cyberattack.
Email spoofing attacks have become so successful that they aren’t about to go away anytime soon. Here are three ways hospitals can mitigate the risks:
First, train the workforce. A survey by KPMG found nearly 30 percent of healthcare and life sciences leaders said a lack of training was their organization's biggest cybersecurity weakness. So, if a doctor has never emailed asking for a patient's records, HR should immediately treat such a request as suspicious and call the doctor to verify it before completing the request.
Second, set a social media policy. On social media channels, we unwittingly give away about 80 percent of the information that attackers need to develop a spoofing attack. For example, there are hundreds of private nursing groups on Facebook in which members regularly share information about cases. Unfortunately, attackers are known to infiltrate these groups easily. And while many of the nurses try to obscure PII for HIPAA compliance, the shared information is sufficient for attackers to start building profiles to help craft their next targeted spoofing attack.
Third, add a layer of security in the mailbox itself. Mailbox-level security uses self-learning technology to detect attacks faster than the legacy tools deployed at most hospitals. The best mailbox-level security solutions use sender reputation scoring to monitor an individual's communication habits and build a baseline picture of what "normal" email communication looks like. The solution can then monitor mailboxes and flag irregular and suspicious communications, such as a message whose display name matches a trusted colleague but whose address or reply path does not.
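The following is an added, constructed example (not IRONSCALES code) of the kind of per-mailbox baseline check described above: a learned map of known display names to their addresses is used to flag a message whose sender name matches a known contact while its address, domain or Reply-To does not. The hospital domain, contacts and both messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

HOSPITAL_DOMAIN = "example-hospital.org"  # constructed

# Baseline learned from the HR mailbox's past traffic (constructed):
# normalized display name -> addresses that name has legitimately used.
BASELINE = {
    "dr. alice chen": {"achen@example-hospital.org"},
    "bob payroll": {"bob@payroll-vendor.example"},
}

def _norm(name):
    return " ".join(name.lower().split())

def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw, baseline=BASELINE):
    """Return the list of spoofing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    known = baseline.get(_norm(name))
    if known is None:
        reasons.append("sender display name never seen in this mailbox")
    elif addr.lower() not in known:
        reasons.append("display name matches a known contact but address differs")
    # A domain one or two edits away from ours is a classic lookalike.
    if from_domain != HOSPITAL_DOMAIN and _edit_distance(from_domain, HOSPITAL_DOMAIN) <= 2:
        reasons.append("lookalike domain " + from_domain)
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages: one genuine, one impersonating the doctor.
LEGIT = 'From: "Dr. Alice Chen" <achen@example-hospital.org>\nSubject: Schedule\n\nHi.\n'
SPOOFED = ('From: "Dr. Alice Chen" <achen@examp1e-hospital.org>\n'
           'Reply-To: records@mail-drop.example\nSubject: Patient records needed\n\n'
           'Please send the file.\n')
```

Run `score_message(SPOOFED)` to see all three indicators fire while the genuine message returns an empty list; in practice the baseline would be learned from the mailbox's history rather than hand-written.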
In today’s threat landscape, hospitals must take a proactive approach toward email security. Training your workforce, creating a social media policy and using a mailbox-level solution can go a long way toward reducing the risks of email spoofing attacks.
Eyal Benishti is the founder and CEO of IRONSCALES.