Email security defenses in the healthcare sector lag behind other industries, with healthcare organizations currently in the reaction stage of bolstering their defenses, according to a recent Mimecast analysis.
Mimecast regularly performs email security risk assessments across all sectors, pulling data aggregated from actual inbound email traffic from client organizations. For the first time, Mimecast broke down that data to determine how the healthcare sector is faring against email-borne threats compared to other sectors.
Report Findings: Lagging Healthcare Email Security
What Mimecast found was that the healthcare sector’s email defenses aren’t as strong as other industries’: more than 16 percent of the 2.2 million inspected emails were false negatives, meaning spam or messages containing malware or other malicious content that still got through email filters.
For comparison, the other sectors saw an average of about 12 percent false negatives.
“There’s a significantly higher percent of bad mail getting through,” Cybersecurity Strategist Matthew Gardiner told HealthITSecurity.com. “We broke it down further, and of that 12 percent, one in every 3,741 emails contained malware. Not all of these attacks are based on malware.”
“It’s a great stepping stone from an attacker’s point of view,” he added. “The rate of malware getting through is almost twice as high as in other industries, which is one in 5,300 emails with malware overall.”
Cyber impersonation attacks, such as fraudulent wire transfer requests, also proved problematic for healthcare. About one in 350 emails is an impersonation attempt, which Gardiner explained is almost 10 times the rate in other sectors, where only one in 4,290 emails is an impersonation attempt.
Gardiner offered a theory: much as disease reports explode once a virus is first discovered, the Department of Health and Human Services’ requirement that organizations report breaches means “it feels like there’s this surge in healthcare breaches,” he said.
But to Gardiner, the problem is that the average healthcare organization tends to be smaller and less sophisticated from an IT point of view. Many also struggle with smaller IT budgets, meaning healthcare IT teams can’t afford the security that large businesses such as banks can.
“Healthcare has a double problem, where a regular business doesn’t have medical tech,” said Gardiner. “Essentially they have to cover two domains.”
“They’re also paying for underinvestment of years ago,” he added. “Even if you had all of the money in the world, you couldn’t mature instantly. It takes years to build out tech and practices. It’s my sense that they’ve been more under duress in recent years, as they’re in catch-up mode.”
Best Practice Email Security
Healthcare organizations need to employ a three-pronged security approach. Gardiner explained that it starts with defensive technology, which is currently lagging behind the times. Next, they should focus on their people.
“The security program hasn’t been a strong aspect with health providers as much as it has in financial services; it’s a training aspect,” said Gardiner. “Phishing exposes technology. And if your tech doesn’t catch it, then it’s up to the people.”
The third angle is the sophistication of business practices. Gardiner stressed that “if you’re weak in all three areas, the attack gets in, and there are no checks and balances…. Weaknesses in all three areas become exposed.”
Health organizations need to focus on general security controls, such as keeping sensitive data in fewer places, encrypting it at rest, access controls, patching, and the like. Gardiner explained that they should then pivot to phishing and ensure that their anti-phishing tools have been evaluated within the last year, as “the attacks and the tech have changed.”
Next, providers must evaluate security awareness training, since educating staff creates a layered security approach, he said. Lastly, they need to look at their most sensitive business practices to make sure they’re not vulnerable to “a single point of failure.”
Gardiner stressed the need for strong governance, especially when it comes to impersonation emails. For example, when a hacker attempts to dupe employees into wire transferring funds, there needs to be accountability or a second point of validation, like a verbal confirmation or an existing banking relationship.
State of the Industry
Right now, healthcare is in the reacting stage. Reflecting on his 20 years in the security industry, Gardiner explained that there’s a normal cycle for businesses when it comes to cybersecurity. They first feel the pain of breaches and security lapses and then they react.
“Healthcare maybe felt the pain heavily in the last three years, and my sense is now they’re reacting,” said Gardiner. “But you can show up with all of the money in the world, and you can’t solve the problem in a day.”
“Required disclosure creates awareness that more needs to be done,” he continued. “Healthcare providers are reacting… the numbers don’t really prove that the problem is being solved. But it’s directionally headed in the right direction.”
However, Gardiner is optimistic that it will be less of a challenge for the healthcare sector to catch up than it was for other industries, given cloudification and the evolution of data handling, which make the problem more solvable.
“The IT systems and security controls that we use are progressing, but the hackers are progressing faster and that’s been the game for a while,” Gardiner said. “It’s not that we’re not progressing, we’re just not progressing fast enough.”
“There is hope: The security industry itself is becoming more accessible, and easier to manage,” he added. “We can’t solve all customer problems, but we can help minimize challenges.”