Cyber criminals view the healthcare industry as a prime target. Just this year, we have witnessed hospitals like Hollywood Presbyterian Medical Center, MedStar Health’s Union Memorial Hospital in Baltimore, Maryland, and Methodist Hospital in Henderson, Kentucky make headlines as they fell victim to cyberattacks.
The recent Verizon Data Breach Investigations Report (DBIR) saw ransomware attacks rise 16 percent overall this year. And according to a new study by the Brookings Center for Technology Innovation, 23 percent of all data breaches occur in healthcare, tripling over the last two years alone.
Recent research by the Ponemon Institute and BrandProtect polled security teams and leading enterprises on external (Internet-based) threats, such as phishing and mobile-based schemes, and employee or executive masquerades. These threats are pervasive and serious. On average, the 505 enterprises surveyed were victimized more than once a month, and spent an average of $3.5 million annually to recover and remediate these attacks.
Preventing modern healthcare phishing attacks
It is clear that the criminals are improving their technique, so it is essential that healthcare CISOs up their game, too. What’s needed to succeed in this battle against cyber criminals? Three simple things:
Search out cyber threats beyond the perimeter
While network and endpoint monitoring should never be neglected, there is an opportunity for CISOs to get ahead of many cyberattacks by proactively searching for and mitigating online activity that targets the institution. The list of malevolent activities is a long one – for example, the criminals may be impersonating hospital or insurance executives through duplicate online profiles at LinkedIn, Facebook or Twitter. These masquerading profiles are used to gather links and connections to real people within the institution, allowing the criminals not only to build a database of internal contacts, but also giving them a “legitimate” means to reach out. There may be unauthorized user groups that falsely appear to represent the institution. There may be domains that mimic the actual domain of the hospital or institution. Complete external cyber monitoring will also provide you with evidence that you have (or have not) been breached. By monitoring black market activity, you will be able to see if your patient records are being offered for sale.
Monitor domain registrations and MX records
By monitoring not only copycat and similar domains, but also tracking the MX record status of those domains, CISOs can proactively block potential spear phishing or BEC attacks. Cyber criminals play a cat and mouse game with domains – they register or activate an email-capable domain just before they launch their attack, and discard the domain after they strike. In the most sophisticated cases, these attack domains are only online for 24 to 72 hours. To email-enable a domain, the criminals simply activate the domain’s MX record, which identifies that domain as email capable. When the MX record of a copycat or similar domain is activated, that domain becomes a potential launch platform for a BEC or targeted email attack. To stop an attack before it begins, CISOs should implement full-scale domain monitoring with integrated MX-record monitoring. When a potential attacking domain comes online, CISOs can block emails from that IP address or place that domain on their list of untrusted domains.
Educate employees and members
CISOs should take steps to make sure that cyber threat awareness and security best practices are top of mind for all employees, doctors, and network members. An informed user is much less likely to be victimized by a rogue message. Quarterly reminders, or better, monthly, about phishing and spear phishing dangers, or the perils of downloading mobile apps, can go a long way to providing one last line of defense for organizations. These reminders should also offer some clarity on what the recipients should expect from the organization, in the way of data requests – anything out-of-the-ordinary should be questioned immediately. Some of the most popular ways CISOs try to help their constituencies become threat-hardened include newsletters, webinars, lunch time sessions, and actual inbound phishing tests. In addition, new employee onboarding programs should include a module on cyber threat awareness. In the best cases, these educational programs become an institutional priority, with executive suite sponsorship and participation.
Healthcare organizations are a large target for many reasons. EHRs include the personal, family, and billing information of their patients. They are virtually complete personal identity portfolios with Social Security numbers linked to names and dates of birth, parents’ names, maiden names, physical and email addresses, children’s names, and, in some cases, complete information of close friends.
On the black market for stolen records, health records command the highest premium, because cyber criminals, armed with the contents of EHRs, have everything they need to apply for credit cards or mortgages, submit state and local tax returns and more, devastating the lives of the individuals whose identities were stolen.
Additionally, the available attack surface in the healthcare industry is very complex, and not uniformly secure. Two trends in the healthcare industry - the move to EHRs and the evolution of subspecialists that function as independent contractors - have combined to create an electronic landscape that defies description.
A typical healthcare event can involve dozens of institutions and services subcontractors, each one using its own billing and record-keeping system, while still requiring full access to the EHR. Of course, this amalgamated network is challenging to maintain, and not surprisingly, it creates massive opportunities for compromise.
Finally, healthcare enterprises, hospitals and caregiving organizations especially, depend on uninterrupted operations. Hospitals and regional medical centers are critical resources.
When a hospital or regional medical center finds that their operations are interrupted, getting their systems back online instantly becomes the top priority. It can literally be a matter of life and death. And to an individual or a family, access to healthcare is one of the most important assets they can have. It goes without saying that when someone gets a message that suggests their healthcare coverage is at risk, it gets their full attention.
Fundamentally, the cyber criminals have one simple goal. They only have to convince one person that their fake email message, their copycat website, or their bogus tweet is real. They only need one person to fall for their scam in order to profit.
And cyber criminals are good at that. They are increasingly organized, and their scheming messages are near perfect duplicates of the real thing. They have incorporated social engineering to target their messages more accurately. Today, the bad guys have evolved their game far beyond simple phishing.
Modern cybercriminals now employ social engineering to target their attacks carefully, leveraging publicly available data about professional networks, using LinkedIn, Spokeo, Hoovers, DiscoverORG.com and other publicly available resources, to create plausible emails.
These emails are designed to come from executives who are known to the recipients and sometimes cover current business or industry issues, with an eerie familiarity. This greatly raises the likelihood that recipients of these emails click on the link, or open the attachment, springing the trap. According to the latest Verizon DBIR, 30 percent of all phishing emails are opened by their targets and 12 percent actually click on the dangerous link or attachment.
Strong leadership is needed
According to the Ponemon survey, Health Care/Pharma security professionals reported that they were the second-most often attacked industry (just behind financial services) and their annual spending was well above the average, equaling almost $3.9 million per year. Despite this attack volume, healthcare/pharma security teams trailed all other industries in terms of the engagement of their senior security leadership around external threats and creating a process for dealing with external threat monitoring, analysis and mitigation.
Cyberattacks against the healthcare industry are on the rise. The urgency around the operational integrity of healthcare infrastructure, plus the unique value of EHRs and other health data means that there is no end in sight for these attacks.
Ransomware is gaining notorious headlines, but malware attacks and other incursions that lead to breaches are also increasing in frequency. CISOs have opportunities to stay a step ahead. Educational programs for doctors and staff members are critical, but they are not enough.
Proactive cyber monitoring, particularly around MX-record activation, can help to slow the most dangerous socially engineered attacks from ever reaching their intended target.
Dylan Sachs directs Identity Theft and Anti-Phishing efforts at BrandProtect. He works directly with leading financial institutions, healthcare providers and Fortune 500 enterprises to help CISOs and security teams deploy better defenses against modern email and identity theft attacks, including BEC attacks and socially-engineered exploits. Sachs also leads the BrandProtect Incident Response Team.