Safe & Sound with Marianne Kolbasuk McGee


Email Breaches: A Growing Healthcare Challenge

What Steps Should Entities Take to Battle Back?

Data breaches involving phishing and other email-related compromises persist as a top challenge for healthcare providers. So, what are some of the top trends emerging from these incidents?


Phishing attacks are the primary vector in many of the largest health data breaches being reported to the Department of Health and Human Services these days, said Roger Severino, director of HHS' Office for Civil Rights during the 11th annual HIPAA conference this week in Washington, D.C., which was co-sponsored by OCR and the National Institute of Standards and Technology.

In fact, the number of major health data breaches involving email being reported to HHS is climbing, according to OCR.

And it's not just random phishing attacks. Many of these assaults are becoming more sophisticated. "We're seeing more targeted attacks," Severino says.

The number of health data breaches reported to OCR as email incidents tripled in the last four years, HHS data shows.

Biggest Breaches

As of Thursday, OCR's HIPAA Breach Reporting Tool website shows that so far in 2019, some 164 incidents have been reported as "email" breaches, impacting a total of nearly 2.7 million individuals.

Commonly called the "wall of shame," the HHS website lists reported health data breaches impacting more than 500 individuals.

However, the HHS website numbers don't necessarily reflect the many other "hacking/IT incidents" that involved phishing but were officially reported to HHS with "network servers" or other IT assets, rather than "email," listed as the "location" of the breached protected health information.

If all those email-related breaches were added together, the numbers surely would be even more troubling.

So far this year, the largest "email" breach was reported as a hacking/IT incident in February by UConn Health. The Connecticut-based health system said that the breach impacted 326,000 individuals and involved a phishing attack on "a limited number of employee email accounts containing patient information."

More recently, managed care company Magellan Health said two of its subsidiaries - National Imaging Associates and Magellan Healthcare - "discovered a potential data breach related to protected health information belonging to members of Presbyterian Health Plan."

Those two phishing incidents impacted more than 230,000 individuals in total, according to the HHS website.

More Insights

Meanwhile, a recent research report by cybersecurity vendor Proofpoint examining the top cyber threats facing the healthcare sector so far in 2019 shed more light on some of the specific email challenges the sector faces.

For instance, Proofpoint says:

  • For each targeted healthcare organization, an average of 65 staff members were attacked in Q1 2019;
  • 95 percent of targeted healthcare companies saw emails spoofing their trusted domain, and all of them had their domains spoofed to patients and business partners;
  • Targeted healthcare companies received 43 impostor emails in Q1 2019, a 300 percent jump over the same period last year;
  • Subject lines that included "payment," "request," "urgent" and related terms appeared in 55 percent of all impostor email attacks;
  • 77 percent of email attacks on healthcare companies used malicious URLs;
  • Banking Trojans were the biggest threat to healthcare over that period, accounting for 41 percent of malicious payloads;
  • 51 percent of email sent from healthcare-owned domains was unverified by DMARC, a sign that it might be spoofed.
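The last bullet turns on whether a domain publishes an enforcing DMARC policy at all. The following Python is an added example, not code from the article or from Proofpoint's report: it parses DMARC TXT records in the RFC 7489 tag-value syntax and flags the settings that leave a domain spoofable (no record, p=none, a partial pct rollout, sp=none, no aggregate-report address). The sample records and the example.org addresses are constructed for illustration; nothing is looked up in DNS.

```python
"""Parse and grade DMARC TXT records (RFC 7489 tag-value syntax).

Added example for illustration; the records below are constructed and
no DNS queries are made. In practice the record lives in the TXT RR at
_dmarc.<domain> and its string is what you would pass to assess().
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Values RFC 7489 assigns to optional tags when they are absent.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value dict.

    Raises ValueError when the text is not a DMARC record: 'v=DMARC1' must
    be the first tag and 'p' is mandatory. Absent optional tags get their
    RFC defaults; the subdomain policy 'sp' inherits 'p' when omitted.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record: 'v=DMARC1' must be the first tag")
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing required 'p' tag")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])
    return tags


@dataclass
class Assessment:
    # True only when the organizational domain itself rejects or quarantines
    # 100% of failing mail; subdomain gaps are reported in findings instead.
    enforcing: bool
    findings: List[str] = field(default_factory=list)


def assess(record: str) -> Assessment:
    """Grade one record and list the reasons spoofed mail could still land."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return Assessment(False, [f"invalid record: {exc}"])

    findings: List[str] = []
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return Assessment(False, [f"unknown policy {policy!r}"])
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")

    try:
        pct = int(tags["pct"])
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("pct is not an integer in 0..100")
    elif pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")

    if tags["sp"].lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing goes unnoticed")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return Assessment(enforcing, findings)


# Constructed sample records (not real domains or published policies).
SAMPLE_RECORDS = {
    "weak monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "subdomain gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org",
    "hardened": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
    "missing": "",  # no TXT record published at _dmarc.example.org
}


def summarize(records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, bool]:
    """Map each label to whether its record is fully enforcing."""
    return {name: assess(rec).enforcing for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess(rec)
        print(f"{name:16} enforcing={result.enforcing}")
        for finding in result.findings:
            print(f"    - {finding}")
```

Only the hardened record comes back enforcing with no findings; the others show why a domain can publish a DMARC record and still be spoofable, which is the distinction behind the "unverified by DMARC" figure above.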

Fighting Back

So, what are some of the top recommendations to protect against these email threats?

The answer is a mix of technology and workforce training, the Proofpoint study notes.

That means training users to spot and report suspicious email; deploying technology that spots and blocks email threats targeting employees before the messages reach their inboxes; and using technology that analyzes internal and external email to identify compromised accounts.

Also, don't forget to isolate risky URLs and websites, the study says.

What steps is your organization taking to prevent becoming the next entity reporting a major health data breach to OCR involving an email-related compromise?

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
