The old stereotype was that doctors didn’t work on Wednesdays because they were out playing golf or fishing. Today, healthcare phishing is no joke for doctors, many of whom work on Wednesdays and weekends, or for other healthcare professionals. It is a real danger to everyone in healthcare.
In fact, phishing has become the preferred method for hackers to get access to healthcare organizations to steal valuable medical data and/or deploy ransomware.
The 2018 Verizon Data Breach Investigations Report found that phishing and financial pretexting — obtaining financial information under false pretenses — represented 93 percent of all breaches investigated by Verizon, with email being the main entry point (96%).
Often phishing is the way attackers deploy ransomware, which has devastated the healthcare industry over the last couple of years. DBIR found that ransomware accounts for 85 percent of the malware in healthcare.
In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine.
It only takes one person to fall for the bait for an entire organization to be infiltrated and held for ransom.
The phishing threat to healthcare has been growing over the last few years. According to an American Medical Association and Accenture survey of 1,300 US physicians, 83 percent of respondents had experienced a cyberattack and more than half of those said the attack came in the form of a phishing email.
These attacks can have devastating consequences. Nearly two-thirds of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.
More than half of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or impact patient safety (53%).
In an interview with HealthITSecurity.com, John Schoew, Managing Director of Health Cybersecurity at Accenture, said that phishing is a popular method for attacking healthcare organizations because it has proven effective.
“Unwary employees think it looks like a real e-mail, and they click on it without thinking about where this may be coming from,” he observed.
Attackers use various social engineering ploys to trick the victim into clicking on the malicious link (e.g., company letterhead, official looking graphics). The attackers will search public sources to cull information about the organization and use that information in the email to make it look credible.
“There are types of information that are publicly available that can be used to make a phishing e-mail look quite legitimate and that can be hard to detect if you’re not wary,” Schoew cautioned.
The attackers “often make it seem urgent. For example, there’s some administrative IT task that needs to be done to maintain access to their e-mail, and they’ll ask them to click a link,” he said.
Target Is Valuable Medical Records
Attackers are becoming more successful at penetrating networks because their techniques are becoming more sophisticated.
Osterman Research President Michael Osterman told HealthITSecurity.com that attackers are attracted to valuable medical records.
His firm recently conducted research on phishing and found that more than one-quarter of organizations had experienced a successful phishing attack that had infected their network with malware.
Attackers are very conscious of timing for phishing emails. They know that timing is everything when it comes to tricking victims.
“I was talking to a product manager from an anti-spam company,” related Osterman. “His wife had left her employer 30 days earlier, and he received this message from Earthlink saying, 'your account needs to be updated.' And so, since his wife had an Earthlink account and she had left her employer, he tried to update that. He got fooled by it because the timing was exactly right,” he related.
“One of the ones I receive fairly often is that the e-mail box is nearly full on my Office 365 account, or there's a problem with it and I have to update my records, so the mail delivery doesn't stop. And, people see that in the course of their work and say, ‘Oh man, I've got to do something about this because I can't afford to have e-mails stop,’” Osterman explained.
Another trick is to tie a phishing attack to something in the news with a link to a “news story” or “donation site” for victims of some natural disaster, he said.
Sometimes, attackers launch spearphishing attacks against corporate executives within a company. If they can penetrate the network, the attackers can lay low for months collecting data on email flows. Once they have enough information, they pose as a top-ranking executive and carry out nefarious schemes.
For example, they could pose as the CEO and direct the CFO to wire money to a supplier, which is really an account set up by the attackers.
“Because the CFO receives this message that looks like all the others that they've received, very often they'll just say ‘fine’ and wire off the money. And then, it’s in the hands of the bad guys,” Osterman said.
Alan Levine, a cybersecurity advisor to anti-phishing vendor Wombat Security, agreed. “If an email purports to come from a person who seems to be an authority, then it is very likely that people who receive the email will not look for the specific things that may indicate that there is a potential risk with the email and will instead be more interested in promptly reacting to it,” he noted.
The primary purpose of a phishing attack is to gain a foothold inside the organization by infecting a computer or other endpoint.
“Then an attacker will use that individual platform that he now controls to do a variety of things,” Levine stated. “He wants to move from PC to PC, within a subnet, and laterally across subnets in order to compromise or control as many other devices as possible. Now he has a base of operations.”
“By collecting information from an individual compromised asset,” he continued, “an attacker learns a great deal about the institution itself in which that compromised machine now operates. Maybe he gets a copy of the GAL, which is the global address list. Now he’s got a lot more email addresses he can send phishes to.”
The attacker can elevate his privileges within the network, “moving from a workstation administrator to a server administrator, until finally he is an active directory administrator, which will give him the ability to download all of the credentials for everyone in the active directory system,” he explained.
Ransomware Delivery Mechanism
Oftentimes attackers conduct phishing campaigns to deploy ransomware. “If you're able to install ransomware on one or more endpoints, you can effectively shut down a hospital or a health clinic,” Osterman said.
“Healthcare organizations are particularly susceptible because the value of what they do is so high. A hospital, for example, is often going to be willing to pay simply because they can’t afford not to have access to their electronic systems,” he noted.
Osterman cited the example of the 2016 ransomware attack on Hollywood Presbyterian Medical Center that encrypted its electronic health record (EHR) systems so that the hospital had to revert to paper-based processes. That hospital ended up paying the $17,000 ransom in Bitcoin.
Schoew observed that ransomware delivered by a phishing attack has been a real problem for healthcare over the last few years. The Accenture-AMA survey found that nine percent of organizations had their systems and data held for ransom. The survey also found that close to one-third of physicians from medium-sized practices said it would take a full day to recover from a ransomware attack, and hospitals could be down for days.
“There’s the financial impact of downtime in the hospital just during normal business operations; there’re also fines that they can be subject to in the event of a breach of patient data…and there’s brand and reputation damage,” he said.
Sentara Healthcare CISO Dan Bowden said that phishing attacks have been a real headache for his organization.
“Email is one of the most frustrating things that we have to deal with because, in spite of all the great controls you can build to protect your organization’s assets, with email you basically put the door in the hands of one of the folks in your organization,” he told HealthITSecurity.com.
Sentara has a rigorous training program to enable employees to recognize and avoid phishing emails.
“In the past, we were doing quarterly phishing campaigns. Now we are doing monthly phishing campaigns. We’re enhancing the level of training in the event that someone clicks on an email that they shouldn’t,” he said.
Schoew agreed with Bowden that employee training is one of the best ways to combat phishing and that it must be done frequently.
“The training needs to be robust when there are employees handling patients’ digital healthcare data. That training has to be timely, it has to be impactful, and it has to be relevant,” he advised. “Often, we see that the training is rote and repetitive, and it is only done, perhaps, once a year, which isn’t enough.”
The training should focus on showing employees what to look for in a phishing attack and what not to click on in unsolicited emails.
Some security vendors offer phishing-as-a-service, where they conduct campaigns to test employees’ ability to spot phishing emails. If an employee clicks on a fake phish, he or she is informed of the mistake and receives additional training, Schoew related.
Unfortunately, training isn’t always the answer. “There is at least one portion of the population in a healthcare environment that is relatively untrainable. Now that may not be politically correct to say, but I believe it's true, and it is the physicians and their direct staff,” said Levine.
“That is the number one reason why healthcare organizations do poorly on surveys and do poorly in general when it comes to reacting to everything from simple phishes or identity theft, all the way to ransomware, IP address, and worse,” Levine said.
Data from Wombat Security’s learning management system bears out Levine’s claim. The healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.
The Wombat learning management system includes questions about avoiding ransomware attacks and identifying phishing threats, two topics dear to the heart of healthcare CISOs.
Security Tools and Best Practices
Sentara uses the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to improve its email security by providing greater accuracy on the identity of the sender.
DMARC is designed to identify forged sender addresses that appear to be from legitimate organizations by providing the exact domain name in the “From:” field of email message headers. It enables organizations to stop scammers from using an email domain to attempt infiltration.
“What DMARC basically does is it helps your organization be assured that an email coming from your domain name is actually registered to servers that you own. And so, it prevents things like people spoofing your email domain,” Bowden explained.
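The following Python example, added here and not taken from the article or from Sentara's systems, shows the DMARC check a receiving mail gateway makes: a message passes only if SPF or DKIM passed for a domain aligned with the From: domain, and otherwise the domain owner's published policy applies. The domains, the authserv-id `mx.hospital.example`, the sample record and the sample message are constructed, and the two-label organizational-domain rule is a simplification of the Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_dmarc(txt):
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def auth_results(header):
    """Yield (method, result, domain) for SPF/DKIM clauses of one header."""
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s@]+@)?(\S+)", clause)
        if m and d:
            yield m.group(1), m.group(2), d.group(1)

def dmarc_disposition(raw, dmarc_txt, trusted_authserv="mx.hospital.example"):
    """Return 'pass' or the domain owner's policy (none/quarantine/reject)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    policy = parse_dmarc(dmarc_txt)
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";")[0].strip() != trusted_authserv:
            continue  # only trust results stamped by our own gateway
        for method, result, domain in auth_results(header):
            mode = policy.get("aspf" if method == "spf" else "adkim", "r")
            if result == "pass" and aligned(domain, from_domain, mode):
                return "pass"
    return policy["p"]

# Constructed samples: a published policy and a look-alike helpdesk message
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
SPOOFED = ('From: "IT Helpdesk" <helpdesk@hospital.example>\n'
    "Authentication-Results: mx.hospital.example; spf=pass "
    "smtp.mailfrom=bounce@mailer.example; dkim=pass header.d=mailer.example\n"
    "Subject: Mailbox almost full\n\nUpdate your records.\n")
print(dmarc_disposition(SPOOFED, RECORD))
```

The spoofed message authenticates cleanly for the sender's own domain, yet fails DMARC because that domain does not align with the one shown in From:.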
“Anything we can do to check the authenticity and the reputation of links and attachments, we do that. We’re tagging email as it comes in, so the recipient knows it came in from the outside,” he said.
If an email seems suspicious, employees are instructed to forward the email to the Sentara security team. “Then we do some homework and investigate to find out if it is suspicious. There’s a handful of tools and resources that we use to try to mitigate phishing risks,” he said.
Unfortunately, attackers are finding ways to beat anti-phishing tools.
“It’s just a constant game of catch-up,” Bowden said. “Every CISO would probably say phishing is the thing we worry the most about, even with the great tools and solutions that are out there.”
Osterman advised organizations to take the following steps to reduce the risks from phishing attacks: conduct an audit of the current security and compliance environment, establish detailed and thorough policies, implement best practices for users to follow, provide adequate security awareness training that is commensurate with the risk associated with each role, and deploy alternatives to employee-managed tools and services.
What happens if the training and security measures still fail to prevent a phishing attack from succeeding? First, you need to “stop the bleeding” and then make sure the threat has been contained and that other threats are not lurking on the network, advised Schoew.
“What if you pay, and the attacker is unreliable?” asked Levine. “What if the key he gives you to unlock the data he has readily encrypted via these cyberattacks doesn't work? Now you're out the money, you have the public embarrassment, and maybe a negative public reputation, and on top of that you still don't have access to your systems.”
Healthcare organizations need to change in order to prevent phishing attacks from succeeding.
“Change is not expensive, but it has to be readily accepted. People have to be willing to devote some time and focus to improving the behavior of every user in the hospital so that at the end of the day those users become essentially control officers in the cyber program. They become a CISO’s best friend instead of a CISO’s worst nightmare,” Levine said.
There’s no question that phishing poses a significant danger to healthcare organizations. It is the preferred method for attackers trying to steal medical records and/or deploy ransomware.
To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.