Phishing in Healthcare: Yet Another Major Incident'Phishing Continues to Be One of the Primary Breach Vectors in Healthcare'
Yet another large phishing-related health data breach has been reported to federal regulators. This one potentially exposed the data of 109,000 patients at Bellevue, Washington-based Overlake Medical Center & Clinics.
As of Tuesday, the Overlake incident was the third largest breach added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website of health data breaches affecting 500 or more individuals.
"Phishing continues to be one of the primary breach vectors in the healthcare industry. It is cheap, effective and profitable to the cyber-criminal element," says Rich Curtiss, director of healthcare risk assurance services at security consultancy Coalfire.
"Health records command a hefty price on the 'dark web' and are relatively easy to acquire through phishing attacks. Phishing is an organizational threat and not an IT problem. Addressing the threat must be a strategic imperative and, to be truly effective, must be part of the organizational culture."
Email Accounts Exposed
Within hours of Overlake Medical Center & Clinics discovering the phishing attack on Dec. 9, 2019, the organization secured the affected email accounts and immediately began an investigation, according to a recently released statement.
"The investigation determined that the third parties had access to the initially affected account from Dec. 6 to 9, 2019, and the subsequently affected email accounts for just a few hours on Dec. 9, 2019," Overlake's statement says.
So far, the investigation has not determined whether third parties accessed patient information stored in the email accounts. That includes name, date of birth, phone number, address, name of insurer or insurance ID number as well as diagnosis and treatment information, the statement notes.
"While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported as a result of this incident at this time," according to the statement.
Overlake says it has implemented additional security measures to protect its systems. That includes resetting passwords for all compromised accounts; enhancing mandatory workforce education to help employees better recognize and avoid phishing emails; bolstering the technology in use to identify and block suspicious external emails; and implementing multifactor authentication.
A Persistent Problem
Hacking incidents involving email appear to be the most common type of major health data breach being reported to federal regulators so far in 2020 (see Health Data Breach Tally Update: 2020 Trends).
The largest of those was a phishing incident reported Jan. 10 by PIH Health that affected nearly 200,000 individuals (see Health Data Breach Not Reported for Seven Months).
Phishing attacks are becoming more effective as fraudsters improve their efforts to adopt the "look and feel" of a legitimate e-mail, Curtiss notes.
"There are always tell-tale signs but they may not be obvious to the casual user," he notes. "Therefore, a combination of security controls are necessary to minimize the opportunities for a phishing email to exploit a user.
Many phishing emails now include hyperlinks to malicious websites in lieu of attachments to avoid anti-malware software that may "sandbox"' the attachment and inspect it before sending it on to the user, Curtiss explains.
"The human response to phishing email is the hardest to protect against, so it is important to minimize the delivery of 'potential' phishing email while balancing 'false positives', which inhibit legitimate email from being delivered," he adds. "Many security vendors have either software or appliances which claim to 'automatically block' phishing emails, but nobody has cracked the nut with a 100 percent effective balance."
Therefore, the best approach to minimizing falling victim to email phishing is a layered defense posture that includes an organization providing workforce cybersecurity training coupled with regular phishing campaigns testing, plus "a robust technical security infrastructure," Curtiss says.
The Role of an EDR Platform
Brock Bell, principal consultant at security services firm The Crypsis Group, notes: "Having an endpoint detection and response platform in place can act as a front-line defense against successful phishing attacks. Even once we know a user has clicked on a link, the EDR platforms can detect and stop successful next steps, such as a weaponized attachment that is designed to give attackers access into the environment.
"While healthcare companies are far from alone in being the victims of phishing attacks, their data is highly monetizable on the black market, and they are often perceived as having restrictive budgets that can't prioritize IT and expert security staffing - making them a presumptive 'good target'."
Healthcare organizations should conduct a risk assessment "so they can target their cybersecurity spend more efficiently and effectively and ensuring they have a tested incident response and remediation plan in place," Bell adds.