There was an 80 percent increase in phishing attacks that impersonated someone familiar to the targeted individual, according to a study released August 28 by email security firm Mimecast.
Mimecast found that there was one unstopped malicious link for every 50 emails that passed through incumbent security systems.
For the study, Mimecast inspected 142 million emails handled by incumbent email security systems, including Microsoft’s Office 365.
Nineteen million pieces of spam, 13,176 emails containing dangerous file types, and 15,656 malware attachments were missed by incumbent providers and delivered to users' inboxes, according to Mimecast’s analysis.
“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Mimecast Cybersecurity Strategist Matthew Gardiner. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter.”
Phishing attacks can be costly for healthcare organizations in terms of lost PHI, reputation damage, and possible fines and lawsuits.
For example, Augusta University (AU) Health system has been plagued by phishing attacks over the last few years that have led to a series of data breaches. One in September 2017 was particularly costly, with PHI of 417,000 individuals exposed.
Information that might have been compromised in the September 2017 breach included patient addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information. For some victims, Social Security number and/or driver's license number may have been involved as well.
In July, Iowa-based UnityPoint Health notified 1.4 million patients of a phishing attack that may have compromised their PHI.
UnityPoint Health said it discovered that a phishing attack had compromised its business email system and may have resulted in unauthorized access to PHI and other personal information for patients.
Patient information that might have been compromised included patient names, addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service, and/or insurance information.
For some individuals, information may have included a Social Security number, driver's license number, credit and debit card numbers, and bank account numbers.
And just this month, Oregon-based Legacy Health informed 38,000 patients that their PHI may have been exposed in a May phishing attack.
Legacy Health learned that some employees’ email accounts were compromised by an unauthorized third party because of the phishing attack.
Information that could have been exposed included patients' names, dates of birth, health insurance information, billing information, medical information and, in some cases, Social Security numbers and driver's license numbers.
To reduce the risks of phishing attacks, Osterman Research President Michael Osterman advised organizations to take the following steps: conduct an audit of the current security and compliance environment, establish detailed and thorough policies, implement best practices for users to follow, provide adequate security awareness training that is commensurate with the risk associated with each role, and deploy alternatives to employee-managed tools and services.
Healthcare organizations need to change in order to prevent phishing attacks from succeeding.
“Change is not expensive, but it has to be readily accepted. People have to be willing to devote some time and focus to improving the behavior of every user in the hospital so that at the end of the day those users become essentially control officers in the cyber program. They become a CISO’s best friend instead of a CISO’s worst nightmare,” said Alan Levine, a cybersecurity advisor to anti-phishing vendor Wombat Security.
In order to combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.