- The term “Payment Notification” is the top healthcare phishing attack subject, appearing in 58 percent of healthcare phishing attack campaigns in 2018, according to the latest data from Cofense.
Other popular subjects in healthcare phishing attacks are “New Message in Mailbox” and “Attached Invoice.”
Cofense (formerly PhishMe) found that 7 percent of emails in healthcare are malicious, compared with 10 percent across industries.
The healthcare industry is an attractive target for phishing campaigns “because few industries collect more lucrative personal data: name, Social Security number, email address, home address, date of birth, and usually one or more credit card numbers,” Cofense related in its report The State of Phishing Defense 2018.
For the report, Cofense analyzed more than 135 million phishing simulations, 800,000 reported emails, and nearly 50,000 real phishing campaigns targeting organizations in 23 industries.
Healthcare had a low resiliency rate of 1.63; the resiliency rate is the ratio of users who report a phish to those who fall victim to one.
This compares with a resiliency rate of 6.19 for the energy sector and 4.73 for the utilities sector. Healthcare does, however, score higher than the financial sector at 1.38.
Overall, the resiliency rate of users across industries has increased over the past four years due to a large increase in the reporting rate, Cofense related.
“We see phishing emails bypass technology controls every day and more and more end-users recognizing and reporting these threats that slipped past million-dollar defenses,” said Cofense Cofounder and CTO Aaron Higbee.
“The results of our research detailed in the ‘State of Phishing Defense’ show that resiliency is building across key industries thanks to those same people that were once deemed as the weakest links in an organization. These trends are powerful and reinforce that humans are a key element to a successful security program,” Higbee added.
In addition to using deceptive subject lines, phishing attackers impersonate people who are trusted by the targeted individual.
A recent study by Mimecast found that there was an 80 percent increase in impersonation-based phishing attacks.
“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” warned Mimecast Cybersecurity Strategist Matthew Gardiner. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter.”
Phishing attacks can be costly for healthcare organizations in terms of lost PHI, reputation damage, and regulatory fines and lawsuits.
In a recent HealthITSecurity.com feature article, security experts recommended that healthcare organizations take a number of steps to reduce the risks from phishing.
First, healthcare organizations should use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to improve their email security by giving greater certainty about the identity of the sender.
DMARC is designed to identify forged sender addresses that appear to be from legitimate organizations or individuals by verifying the exact domain name in the “From:” field of email message headers. It enables organizations to stop scammers from using their email domain to attempt infiltration.
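To make the DMARC check concrete, the following added example (not code from the article or from Cofense, Mimecast, or Wombat) parses a published DMARC record, flags settings that leave spoofing unblocked, and decides the disposition of a message from the “From:” domain and the DKIM/SPF results. The `hospital.example` domain and both records are constructed for illustration; the organizational-domain helper is a simplification and a real receiver consults the Public Suffix List.

```python
from typing import Optional, List

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags

def weak_policy_reasons(tags: dict) -> List[str]:
    """Flag settings that leave spoofing unblocked or unmonitored (a checklist, not the full spec)."""
    reasons = []
    if tags["p"].lower() == "none":
        reasons.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        reasons.append("pct<100 applies the policy to only part of the mail")
    if "rua" not in tags:
        reasons.append("no rua= address, so aggregate reports are never received")
    return reasons

def org_domain(domain: str) -> str:
    """Crude organizational domain: last two labels (a real receiver uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(record: str, header_from: str, dkim_domain: Optional[str] = None,
             dkim_pass: bool = False, spf_domain: Optional[str] = None, spf_pass: bool = False) -> str:
    """Disposition for one message: 'pass' if an aligned DKIM or SPF result exists, else the p= policy."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags["p"].lower()

# Constructed sample records for a hypothetical hospital domain (not real DNS data)
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example; adkim=s; aspf=r"
```

With `HARDENED_RECORD`, a message claiming `hospital.example` in its “From:” header with no aligned DKIM or SPF result is rejected, while the same forgery under `WEAK_RECORD` is delivered and merely reported.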
Other steps that organizations can take include conducting an audit of the current security and compliance environment, establishing detailed and thorough anti-phishing policies, implementing best practices for users to follow, providing adequate security awareness training, and deploying alternatives to employee-managed tools and services.
Healthcare organizations will need to change in order to prevent phishing attacks from succeeding.
“Change is not expensive, but it has to be readily accepted. People have to be willing to devote some time and focus to improving the behavior of every user in the hospital so that at the end of the day those users become essentially control officers in the cyber program,” said Alan Levine, a cybersecurity advisor to anti-phishing vendor Wombat Security.
Healthcare organizations should train employees on how to spot and avoid phishing email, adopt best practices, and deploy appropriate technology to lessen the chances that a phishing attack will succeed.