Implementing a strong employee security training program is consistently noted as a key way for covered entities to prevent healthcare phishing attacks. Organizations of all sizes need to ensure that staff members can recognize malicious emails or links, not click on them, and know whom to notify about the incident.
Research continues to show that phishing attacks are affecting numerous industries around the globe. Healthcare is no exception and entities need to work on prevention, detection, and mitigation strategies.
Three-quarters of organizations experienced phishing attacks in 2017, according to Wombat’s 2018 State of the Phish report. Approximately half of surveyed information security professionals added that the rate of attacks increased from 2016.
Wombat reviewed data from tens of millions of simulated phishing emails sent over a 12-month period from October 1, 2016 to September 30, 2017. Additionally, more than 500 survey responses from infosec professionals were gathered. Surveyed industries included but were not limited to telecommunications, retail, healthcare, technology, and government.
Fifty-three percent of companies reported they experienced a targeted attack, or spear phishing, the report found.
Organizations also listed their top implemented technologies to combat phishing attempts. Email/spam filters (97 percent), advanced malware analysis (47 percent), outbound proxy protection (44 percent), and URL wrapping (31 percent) were the most popular options.
"Social attacks take advantage of employees trying to be helpful so it stands to reason that social awareness of attack methods plays a critical role in protecting against phishing," 451 Research Senior Security Analyst Eric Ogren said in a statement. "Enterprises with corporate phishing education programs empower employees to help protect themselves and the business."
Researchers also evaluated the average click rate on phishing tests by industry. Healthcare had the ninth highest click rate, with 10 percent. Telecommunications (15 percent), retail (14 percent), and consumer goods (13 percent) were the top three.
Comparatively, small insurance companies were found to have the highest percentage of "Phish-prone" employees in the small to mid-size organization category, according to a KnowBe4 study.
The study used a data set of more than six million users across nearly 11,000 organizations. Initial training and simulated phishing helped click rates drop to just 13 percent after 90 days, researchers found.
Insurance (32.66 percent), manufacturing (30.99 percent), and technology (30.09 percent) were the industries with the highest phish-prone percentage. Healthcare and pharma was at 27.75 percent.
"Ninety-eight percent of cyber-attacks rely on social engineering and email phishing is the bad guys' preferred method," KnowBe4 CEO Stu Sjouwerman said in a statement. "Attackers go for the low-hanging fruit: humans. Humans are the de-facto No. 1 choice for cybercriminals seeking to gain access into an organization."
A 2017 study conducted by HIMSS Analytics showed that email was the most likely cause of a data breach, with 78 percent of providers stating that they experienced a healthcare ransomware or malware attack in the past 12 months.
Forty-three percent of large provider organizations said they had at least 16 malware and/or ransomware attacks.
Email is also an essential tool for healthcare organizations. Ninety-three percent of surveyed healthcare IT professionals said email is mission critical to their organization. Specifically, 43 percent said that it was mission critical and downtime could not be afforded.
"This study confirms that no healthcare provider is immune to this growing threat of email-related cyberattacks," HIMSS Analytics Senior Director Bryan Fiekers said in a statement. "While the results show that larger providers are being hit harder, especially with ransomware, these same organizations are also the ones leading the charge in defining industry best practices to address these threats."
Respondents reported that preventing malware and/or ransomware attacks, training employees about cybersecurity diligence, and securing email were their top cyber resilience strategies.
Healthcare organizations should implement several types of training tools for comprehensive cybersecurity education. These can include computer-based training, classroom training, monthly newsletters, and email alerts. Biannual training sessions and/or monthly security updates also help keep awareness current rather than letting it lapse after a single onboarding session.
All training materials should be properly documented. HIPAA regulations require workforce training and documentation of that training. Organizations are free to design programs that fit their unique needs, but workforce training and management must be implemented and the records must exist to show it.
Healthcare data breaches are not going to disappear anytime soon, but entities can take critical steps toward prevention, detection, and response to lessen the likelihood of an incident taking place. Employee security training is one necessary area to work toward comprehensive healthcare data security.