Email Breaches: A Growing Healthcare ChallengeWhat Steps Should Entities Take to Battle Back?
Data breaches involving phishing and other email-related compromises persist as a top challenge for healthcare providers. So, what are some of the top trends emerging from these incidents?
See Also: The 2020 Magic Quadrant for SIEM
Phishing attacks are the primary vector in many of the largest health data breaches being reported to the Department of Health and Human Services these days, said Roger Severino, director of HHS' Office for Civil Rights during the 11th annual HIPAA conference this week in Washington, D.C., which was co-sponsored by OCR and the National Institute of Standards and Technology.
In fact, the number of major health data breaches involving email being reported to HHS is climbing, according to OCR.
And it's not just random phishing attacks. Many of these assaults are becoming more sophisticated. "We're seeing more targeted attacks," Severino says.
As of Thursday, OCR's HIPAA Breach Reporting Tool website shows that so far in 2019, some 164 incidents have been reported as "email" breaches, impacting a total of nearly 2.7 million individuals.
Commonly called the "wall of shame," the HHS website lists reported health data breaches impacting more than 500 individuals.
However, the HHS website numbers don't necessarily reflect all the many other "hacking/IT incidents" that involved phishing but were officially reported to HHS as impacting "network severs" or other IT as the "location" of the breached protected health information - rather than "email."
If all those email related breaches were added to together, the numbers surely would be even more troubling.
So far this year, the largest "email" breach was reported as a hacking/IT incident in February by UConn Health. The Connecticut-based health system said that the breach impacted 326,000 individuals and involved a phishing attack on "a limited number of employee email accounts containing patient information."
More recently, managed care company Magellan Health said two of its subsidiaries - National Imaging Associates and Magellan Healthcare - "discovered a potential data breach related to protected health information belonging to members of Presbyterian Health Plan."
Those two phishing incidents impacted more than 230,000 individuals in total, according to the HHS website.
Meanwhile, a recent research report by cybersecurity vendor Proofpoint examining the top cyber threats facing the healthcare so far in 2019 shed more light into some of the specific email challenges faced by the sector.
For instance, Proofpoint says:
- For each targeted healthcare organization, an average of 65 staff members were attacked in Q1 2019;
- 95 percent of targeted healthcare companies saw emails spoofing their trusted domain. All of them had their domains spoofed to patients and business partners;
- Targeted healthcare companies received 43 impostor emails in Q1 2019, a 300 percent jump over the same period last year.
- Subject lines that included "payment," "request," "urgent," and related terms appeared in 55 percent of all impostor email attacks;
- 77 percent of email attacks on healthcare companies used malicious URLs;
- Banking Trojans were biggest threat to healthcare over that period, accounting for 41 percent of malicious payloads;
- 51 percent of email sent from healthcare-owned domains were unverified by DMARC, a sign that might be spoofed.
So, what are some of the top recommendations to protect against these email threats?
It includes a mix of technology and workforce training, the Proofpoint study notes.
That means training users to spot and report suspicious malicious email; implementing technology that spot and block email threats targeting employees before the email hits their inboxes; and using technology that analyzes internal and external email to spot compromised accounts.
Also, don't forget to isolate risky URLs and websites, the study says.
What steps is your organization taking to prevent becoming the next entity reporting a major health data breach to OCR involving an email-related compromise?