Healthcare’s Email Problem: Insider Threats, Data Retention, Phishing

May 07, 2021 - Reports consistently highlight the risk of vulnerability exploits and ransomware to healthcare. But email is often the key access point in these attacks, through phishing and stolen credentials. As insiders remain a leading threat, it’s paramount for providers to better understand the email problem, as well as the best ways to improve training and reduce the risk of compromised data.

Security incidents reported to the Department of Health and Human Services (HHS) and previous Mimecast-HIMSS Media data show healthcare’s email defenses lag behind other industries. In 2019 alone, 72 percent of providers reported experiencing an email-based cyberattack.

In fact, the Verizon Data Breach Investigations Report consistently names insiders as the largest threat to healthcare.

Of HHS’ ongoing breach investigations, at least 40 percent are tied to email. And each year, multiple email hacks impact data of both former and current patients, some even impacted data more than a year old.

In May 2020, a month-long hack of an employee email account impacted the data of 78,070 National Cardiovascular Partners patients. Recently, Total Health Care Plan began notifying 221,450 patients that their data was compromised after several employee email accounts were hacked.

In the last year, similar events were reported by American Medical Tech, Cano Health, EyeMed, and Einstein Healthcare, among a host of others.

“Healthcare is an interesting, dynamic area: they’re operating with small- and medium-sized budgets, but they’re in need of enterprise security,” said Fortified Health Security CEO Dan L. Dodson. “It doesn't matter the environment, the challenge exists for all providers.” 

“To be effective, they have to make sure they’re not only deploying capital to provide safeguards, but also doing the things that aren't expensive,” he continued. “Often we look for the next shiny object or silver bullet to solve the problem, when in reality it doesn't exist. We need to do blocking and tackling -- and that doesn’t cost a lot of capital.”

In light of these risks and the necessity of email within the healthcare space, HealthITSecurity.com spoke with Dodson, Barracuda Networks CTO Fleming Shi, and Barracuda Networks Senior Security Researcher Jonathan Tanner, to shine a light on common mistakes, needed technologies, and overall best practices.

What Providers Get Wrong About Email

As healthcare becomes more reliant on digital technologies, email has become a primary source of communication. However, as insiders are typically the leading cause of healthcare data breaches, hackers are continuously preying on human weaknesses, making email a massive vulnerability for healthcare organizations.

Adding to the challenge is that a number of providers rely on long-running, on-prem mail servers, explained Shi.

One of the largest examples seen in 2021 is a set of four zero-day vulnerabilities found in certain on-prem Microsoft Exchange Servers. The tech giant issued an out-of-band patch and even an indicators of compromise tool, as hackers were successfully exploiting these flaws to take control over a victim’s network.

“Whether an internal powerpoint or patient file, email shouldn't be considered a data repository.”

But a number of security researchers took to Twitter to ask: Why are enterprises leveraging the outdated, vulnerable platform for communication, especially when there are more secure versions available?

Shi recommends providers that have continued to lean on vulnerable email platforms instead shift to a Software-as-a-Service (SaaS) version of these mail services, as the offering allows for more sophisticated security solutions to protect users through the availability of APIs.

The other massive roadblock for healthcare providers are password policies.

For Shi, these policies are terribly set security measures that hackers can very easily anticipate and exploit. Providers should instead enforce multi-factor authentication for everything, including email, network access, Virtual Private Networks (VPNs), and SaaS applications.

“Password policies are honestly not particularly effective since they can't prevent password reuse and users can still find ways to create bad passwords regardless of what the password policy is,” said Tanner. 

“Educating users on password best practices would be more effective than trying in vain to enforce such best practices through complexity rules,” he added. “It ultimately falls on the user alone to ensure strong passwords.”

Email Best Practices and Needed Tech

Email is seemingly a necessary evil, which begs for stronger protections and better cyber hygiene. Shi explained that if providers intend to rely on exchanging sensitive information over email, they should be using a secure email delivery system able to provide data encryption at rest and in transit.

“If the sensitive content is in files and collection of files, I also recommend avoiding sending them via attachments,” said Shi. “With many options out there, the content will be encrypted at rest and sharing can be made simple.” 

“However, the attackers often impersonate file share notifications to attempt credential theft, so I also recommend deploying a link protection service that will analyze the link for legitimacy at the point of click,” he added.

As Dodson describes it, the first thing healthcare providers need to do is ask whether the employee actually needs a company email address to do their job. And if so, do they need to be able to remotely access it?

For example, an employee may need an enterprise email address within their function in the billing office, but they won’t need access to the account when they’re out of the cubicle.

“Most providers are just handed email addresses when they sign on,” explained Dodson. “But providers need to ask if it’s needed, when they don’t need email to drive their job function. When I talk to organizations in the IT or cyber teams that don’t understand the concepts, it’s a culture thing.”

“If you want to limit your attack surface, that’s one place to look as these features are enabled for people who don’t need it,” he continued. “It’s difficult in the current environment with working from home, but providers still need to consider it.”

Once the attack potential has been reduced, the next step is to employ two-factor authentication or MFA to employ further safeguards in the event an attacker is able to see access credentials, Dodson explained.

"Any sensitive data should only be stored and available through properly secured systems managed by healthcare providers.”

MFA is a powerful way to combat poor password practices, Tanner added. However, it may not be possible for providers to require its use for every user, as some may not have the devices or technical proficiency to employ MFA.

“Encouraging or perhaps making default with an option to disable MFA could go a long way to help secure patient data,” he said. “Of course, many providers don't even offer MFA in the first place so that would certainly be a missed opportunity for those who don't." 

“By requiring a second authentication factor, the complexity of an attacker accessing an account even with the password becomes much more complex, if not impossible for most attackers,” Tanner added.

Tanner took it a step further, adding that email is likely not the best form of communication for highly sensitive information. By using a more secure means, it would limit the scope of where sensitive data is stored -- “namely, not in any number of email inboxes.”

“Many providers use internal systems to store and relay sensitive information and simply send emails stating that new information is available to a user when applicable, which helps reduce the scope of where information is stored and transmitted,” he added.

However, stolen or compromised data are not the only threats: Email hacks and phishing can lead to compromised credentials and the exploit of other vulnerabilities within a provider network.

For example, if an attacker obtains a single set of patient credentials, their data can be compromised. But as many individuals reuse credentials across a number of accounts, a password breach can inflict further damage by compromising their healthcare profile.

Meanwhile, the theft or compromise of credentials from doctors, nurses, or anyone working in the healthcare sector with access to many users' information could lead to much larger data breaches, explained Tanner.

While policies will vary by entity, security awareness training is a critical part of reducing insider risk in healthcare. Dodson recommended that at a minimum, entities should conduct monthly internal phishing campaigns with an enforcement function to support the education.

While it’s more challenging amid the heightened reliance on work-from-home policies, it’s a needed step to improve cyber hygiene across the enterprise.

“Regardless of safeguards in place across the organization, providers also need to be continuously hosting infosec training,” he added. “Limiting the attack surface or added employee training and awareness are proven to reduce the likelihood of an event.”

How Long Should Data Be Kept in Email Accounts?

In the last year, COVID-19 and the pandemic response have amplified the threat of phishing and spotlighted just how frequently and successful hackers modify their tactics to prey on human nature to compromise credentials and pivot to other vulnerable, connected devices.

“Healthcare is an interesting, dynamic area: They’re operating with small- and medium-sized budgets, but they’re in need of enterprise security.”

Email hacks spur lengthy reviews to determine just what patient information was contained in the accounts and potentially accessed, which often leads to delayed notifications and a hefty price tag for recovery costs.

It begs the question, how long should data be kept in employee email accounts?

“The first direct answer is that email is not a file or data repository and should not be used as such,” said Dodson. “Whether an internal powerpoint or patient file, email shouldn't be considered a data repository.”

Email is a critical component of mature cyber programs, but determining how long and where to store this information is an organization-by-organization decision, he explained. It boils down to what makes sense for the organization, which is not a hard and fast rule.

Tanner again stressed that data should never reside in email platforms in the first place, but determining how long information should reside there is a complex issue.

For starters, if the information is part of a patient medical record, Tanner stressed that there’s no reason the email should reside on an email platform for any longer than it takes to read the message and reply to it: likely a matter of days or perhaps weeks.

However, it’s not always that simple. If the email contains data not stored elsewhere, quickly removing the message could negatively impact the patient’s care. 

Healthcare also faces another issue: providers only have control over its own side of email storage and retention.

“Even if emails are not stored for any long period of time by healthcare providers, they will likely still be stored in the patient's inbox and thus the same information can still be compromised through the patient -- granted at least in this case it is a single patient versus all patients of a particular healthcare worker," he added.

To resolve these issues, Shi recommended that providers store email data within a message archiver, when available, and not on the email platform, to maintain HIPAA compliance. Archivers will typically have different security mechanisms than the email platform itself.

“For example, you can restrict access to only compliance officers and keep a verbose audit log that you can feed into a SIEM,” explained Shi. “Having an archiver opens the option to have a shorter retention period on your email systems." 

“Ideally, any sensitive data should only be stored and available through properly secured systems managed by healthcare providers,” Tanner added. “This keeps all data under the control and supervision of the provider, making it easier to know when data has been compromised.”

Keeping data within the provider’s control also enables better incident response monitoring to detect breaches and understand their scope, he concluded. “With such systems in place and secure messaging capabilities built-in, no sensitive information would nor should ever be sent via email and thus phishing would be the only email-related concern to data privacy."

As it’s clear email will remain a key tool for healthcare into the foreseeable future, providers should review previous insights from NIST, H-ISAC, and Microsoft to better understand the threats posed by the platform and best practices for securing insiders.