4 Ways Organizations Can Prevent Healthcare Phishing Attacks

By Jill McKeon

September 24, 2021 - With one wrong click, a healthcare phishing attack can take down entire networks, encrypt files, and put patient data in jeopardy. The smartest attackers take advantage of victims by claiming to be a colleague, business associate, or other trusted source, and using social engineering to obtain information.

The National Institute of Standards and Technology (NIST) defines phishing as “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”

Bad actors are increasingly targeting the healthcare sector with these schemes and successfully obtaining information and distributing malware via email. In April 2021, the Health Sector Cybersecurity Coordination Center (HC3) released an alert warning the healthcare sector of the increasing prevalence of phishing campaigns.

Phishing scams have claimed hundreds of thousands of medical records, patient financial information, and other personally identifiable information (PII) across the healthcare sector.

In addition to causing care disruptions and posing risks to patient privacy, phishing can decimate a health system’s bottom line. A 2021 report conducted by the Ponemon Institute on behalf of Proofpoint revealed that the average annual cost of recovering from a phishing attack has more than tripled since 2015, from $3.8 million to $14.8 million.

The best way to prevent your organization from becoming a victim of a healthcare phishing attack is to stay informed. Understanding what red flags to look for, properly educating employees on cyber hygiene, implementing technical safeguards, and keeping up with the latest sector threats will give healthcare organizations an edge over malicious hackers.

Identify Common Phishing Email Tricks and Tactics

The first step toward protecting an organization from phishing is understanding the attacker’s motives and tactics.

“In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems,” the Cybersecurity & Infrastructure Security Agency’s (CISA) website states.

“An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network.”

Phishing typically refers to attacks conducted through email, but bad actors can also use phones and social media platforms to target victims in a similar manner. Some attackers use vishing, which uses voice communications, or smishing, which uses SMS messages to orchestrate an attack.

Telltale signs of traditional email phishing attacks include suspicious sender email addresses, generic greetings (e.g., “Dear Valued Customer” or “Sir/Ma’am”), poor grammar and sentence structure, and suspicious attachments, CISA explains. The sender may try to imitate a legitimate business by using an email address that closely resembles a real business but omits a few characters.

Recipients should also be wary of any unsolicited email that asks them to download an attachment. Sometimes attackers will also spoof hyperlinks and websites in an attempt trick the recipient into clicking on a suspicious URL.

Threat actors also like to take advantage of holidays and crises to catch victims when they least expect it. HC3 warned organizations in December 2020 of the growing prevalence of COVID-19 vaccine-related phishing emails. The emails typically promised early access to the vaccine if the recipient was willing to pay or provide compromising information.

Bad actors often pretend to be a government agency, a recruiter offering the recipient a job, or a high-level executive at a big company. Phishing scams are often incredibly successful, as they only require one unsuspecting individual to click a link or download an attachment to infiltrate an organization’s system. If one employee takes the bait, healthcare providers and their patients may have to face the consequences.

Any organization’s leadership team must understand the basic indicators of phishing in order to teach employees, implement preventive cybersecurity measures, and mitigate risk.

Invest in Regular Employee Cybersecurity Training

Under the HIPAA Privacy Rule, covered entities are required to implement a security awareness training program for all members of the workforce. However, research shows that healthcare lags behind other industries in terms of employee cybersecurity training, despite being a primary target for attackers.

A survey conducted by Osterman Research on behalf of KnowBe4 revealed that 24 percent of healthcare worker respondents said that their employer has never reached out to them about security and data privacy training.

Only 22 percent of healthcare respondents reported feeling confident that they could describe the negative impacts posed by cybersecurity risks to senior management. In addition, only 30 percent of respondents across all sectors reported fully understanding the risks and consequences of phishing threats.

The survey also found that employees who underwent security training more than once or twice per year were more knowledgeable about cyber threats, underscoring the importance of investing in thorough and frequent cybersecurity training.

NIST created the “Phish Scale” with the goal of helping organizations to implement phishing awareness training programs.

Most phishing awareness programs involve sending fake phishing emails to employees to see whether they click or don’t click on the links in order to determine organizational risk levels and further educate employees.

The Phish Scale compiled key elements of existing phishing training exercises and established a rating system for users to observe and detect whether a particular phishing email is harder or easier for its target audience to fall for.

“By using the Phish Scale to analyze click rates and collecting feedback from users on why they clicked on certain phishing emails, CISOs can better understand their phishing training programs, especially if they are optimized for the intended target audience,” NIST explained.

To maintain enterprise-wide security, organizations must provide employees with training and resources on phishing and cyber hygiene. A strong phishing awareness program can save organizations millions of dollars in the long run while protecting patient privacy.

Implement Technical Safeguards

The best way to make sure that employees do not fall victim to a phishing attack is to implement technical safeguards that prevent phishing emails from ever reaching their inboxes.

Keeping devices patched, installing antivirus software, and implementing endpoint security systems are great places to start.

It is equally crucial to have sufficient web filters that automatically sort certain keywords and categories into spam. HC3 recommends that healthcare organizations create a blacklist and block malicious domains to prevent access to risky websites.

In addition, HC3 suggests that organizations remove company data from data brokers. Data brokers, such as Zoominfo, specialize in collecting data and selling it for third-party use. Bad actors can easily leverage this data and create highly specific phishing emails that are harder to detect.

Organizations should also consider integrating anti-spoofing technologies into their security programs. Spoofing typically refers to a bad actor faking the sender email address to trick the recipient and gain access to a secure network, according to NIST.

Anti-spoofing technology includes Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, and Reporting and Conformance (DMARC). These technologies can help organizations safeguard their systems by ensuring email authentication.

Technical safeguards are not foolproof, but they can significantly mitigate risk and reduce the likelihood of a successful phishing attack.

Stay Up-to-Date on Latest Sector Guidance and Threat Alerts

Cybersecurity best practices are constantly evolving along with the technologies that they protect. The FBI, CISA, HC3, and other major groups and agencies consistently release threat briefs and sector alerts to inform entities of cybersecurity risks. NIST often publishes best practices to help organizations prevent and respond to phishing attacks and ransomware as well.

Additionally, the FBI frequently issues flash alerts about notorious cybercriminal organizations and the risks they pose to certain industries. HC3 also issues threat briefs to alert the healthcare sector of any looming cybersecurity threats.

The Healthcare and Public Health Sector Coordinating Council recommended in its “Health Industry Cybersecurity Tactical Crisis Response Guide” that organizations leverage threat intelligence feeds from top organizations to stay on top of the latest news.

The council specifically pointed out organizations like H-ISAC, a global nonprofit focused on sharing cyber threat intelligence, and InfraGard, the FBI’s portal that serves to share cybersecurity information to protect the nation’s critical infrastructure.

Other tools include CISA’s Automated Indicator Sharing (AIS) capability, the SANS Internet Storm Center, and Spamhaus.

In the event of a phishing attack, organizations are required by HIPAA to notify patients, the government, and sometimes the media if the incident involved more than 500 individuals. Crafting an incident response plan can help organizations to respond quickly and can help reduce further damage.

Successfully preventing cyberattacks requires an organization’s entire workforce to first be well educated about the indicators and risks of phishing. Implementing technical safeguards, conducting regular employee training, and following the latest cybersecurity guidance can save organizations from becoming the next phishing victim.

Cybersecurity News