Phishing Schemes Continue to Plague the Healthcare Sector
Experts Offer Insights on Mitigating the Threat
Recent health data breaches involving phishing schemes are reminders of the persistent threat email-related scams pose to healthcare organizations - and the urgent need to mitigate that threat.
This week, Kalispell (Montana) Regional Healthcare reported a phishing-related breach affecting nearly 130,000 individuals. And on Oct. 4, UAB Medicine in Birmingham, Alabama, reported a breach affecting nearly 20,000 individuals that involved a phishing campaign that attempted to divert payroll deposits.
Phishing attacks are the primary vector in many of the largest health data breaches recently reported to the Department of Health and Human Services, said Roger Severino, director of the department's Office for Civil Rights, at a HIPAA conference last week. "We're seeing more targeted attacks," Severino said (see: Email Breaches: A Growing Healthcare Challenge).
The Role of Education
A major component in mitigating the threat of phishing attacks is educating staff about how to recognize fraudulent email.
Targeted phishing will continue to be successful because of insufficient workforce awareness and training, says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"As attacks become more sophisticated, organizations must invest in rigorous training, including frequent simulated phishing attacks and discussion of the outcomes. Then individuals who fall for a phishing attack should be subject to consequences, including disciplinary action," she says.
Rich Curtiss, director of healthcare risk assurance services at security risk management firm Coalfire, offers a similar perspective.
"To minimize social engineering success, it is critically important that an organization have a structured insider threat program," he says. "An insider threat is often construed as representing only malicious activity, but accidental or inadvertent incidents comprise the vast majority of insider threats. Call it the 'inadvertent insider threat.'"
Kalispell Regional Health Attack
In its breach notification statement, Kalispell Regional Health, which includes several hospitals, says that during the summer, it discovered that several employees were victims "of a well-designed email that led them to unknowingly provide their KRH login credentials to malicious criminals."
KRH says it immediately disabled the employees' accounts, notified federal law enforcement, and launched an investigation. "On August 28, we learned that some patients' personal information may have been accessed without authorization. A deeper investigation specifically determined which patients' information may have been accessed as early as May 24," the notification states.
The organization reports that the information exposed may have included the patient's name, Social Security number, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating/referring physician, medical bill account number and/or health insurance information. So far, there's no indication that the information was misused, KRH says.
As of Thursday, the KRH incident was not yet posted on HHS' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals. But a KRH spokeswoman tells Information Security Media Group that the incident affected more than 129,600 individuals.
UAB Medicine Incident
In its notification statement, UAB Medicine, an academic medical center of the University of Alabama Birmingham, says "criminal hackers recently gained access to certain employee email accounts containing patient information" after sending an email created to look like an authentic request from an executive asking employees to complete a business survey.
"Despite education and training to recognize this type of phishing attack, a number of employees accessed the survey and provided their username and password to the hackers, allowing the hackers to access the employees' email accounts as well as the payroll system," the statement says. UAB Medicine's electronic health record and billing systems were not impacted by the attack, the statement notes.
"UAB Medicine discovered emails had been compromised in the phishing attack Aug. 7, 2019. The affected accounts were secured upon identification, and passwords for those accounts were reset," the statement says.
"The investigation revealed the cybercriminals were attempting to divert employees' automatic payroll deposits to an account controlled by the hackers. UAB Medicine prevented all attempts by the hackers to re-direct payroll deposits."
UAB Medicine reported the incident to HHS on Oct. 3 as impacting nearly 20,000 patients, according to the HHS health data breach reporting website.
The PHI compromised, UAB Medicine says, may have included the patient's name with other data elements, such as medical record number, birth date, dates of service, location of service, and diagnosis and treatment information. Social Security numbers were included for a small subset of patients, the organization notes.
Multilayered Defense Needed
Defending against phishing attacks requires a multilayered approach, security experts say.
"There is not one silver bullet or perfect technical tool to keep us ahead," says Cathie Brown, vice president of professional services at security and privacy consulting firm Clearwater. "It takes a holistic, continuous program that is a mix of technology and user training. Security awareness training is probably the best defense on social engineering attacks."
Artificial intelligence and behavioral analytics tools can play a role in minimizing the damage from phishing attacks, she adds.
"And recently, I talked with a healthcare system that allows users to forward emails to the IT department to assess before clicking on a link. That's just one creative way to support users while they are trying to do the right thing," Brown says.
Curtiss of Coalfire notes: "The regulatory requirements and contract with patients for safeguarding sensitive electronic protected health information screams for more in-depth cybersecurity training and support. Plenty of vendors offer partial technical solutions, but it really comes down to providing comprehensive cybersecurity training to the digital workforce."
He adds: "Until organizations move from a compliance or 'check the box' training approach to a thorough, insightful, and comprehensive approach to cybersecurity training, phishing attacks will continue to be productive and profitable."
Technology tools, such as front-end and back-end anti-malware solutions, can play a role in mitigating the risk of phishing attacks, he points out.
"A front-end solution attempts to intercept the phishing email and/or attachment before it hits the inbox. Back-end solutions attempt to intercept the malicious payload from being deployed after a user clicks on the link or attachment."
The key to mitigating the phishing threat, he says, is to apply a combination of effective cybersecurity training, enforceable policies and procedures, applied technical solutions, and the technical resources to monitor and manage these activities.
"Wrap this nicely in an insider threat program and ensure it has the priority for budget and leadership awareness."