This is week 2 and the theme is Fight The Phish. Phishing attacks and scams have thrived since the COVID pandemic began in 2020 and today, phishing attacks account for more than 80 percent of reported security incidents. Week 2 of Cybersecurity Awareness Month will stress the importance of being wary of emails, text messages or chat boxes that come from a stranger or someone you were not expecting. Think before you click on any suspicious emails, links or attachments and make sure to report any suspicious emails if you can!
There are three basic principles end-users can employ to mitigate the risk of a phishing attack via email. Simple and effective, these tried-and-true steps remain important best practices for every healthcare provider organization.
- Use caution before you click – If an email subject line or introductory offer sounds too good to be true, it probably is. Bad guys are also bad with grammar. Poorly written messages are an immediate red flag for an email phishing attack. Also be leery of unknown senders and remain especially vigilant with links or attachments. Click only on those email messages you trust.
- Hover first – Pay close attention to hyperlinks within email messages. Hover over the link first to see where it leads to. If you aren’t familiar with the website, do a quick search using your browser. A phone call to the website is another safe approach to inquire about the email message.
- Check the address – Brands can be copied. Logos are easily replicated. Always check the sender’s full email address before trusting the source. Look for extra letters, misspelling, or out of place words in the address. Be 100 percent certain the sender is legitimate and when in doubt report the message to your IT security team.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
In 2020, 75% of organizations around the world experienced a phishing attack. When you dig into that number, 96% of those phishing attacks arrived by email. This is the number one area for improvement across all sectors. Phishing awareness is not only about knowing the definition of phishing but employees in an organization need to be trained on things like 1) the various kinds of phishing attacks, 2) What a phishing email looks like, 3) How to respond to requests for certain kinds of information, 4) Impacts of phishing attack, and 5) New types of attacks and how it is impacting the world. Employees also need to be taught about how to respond and report potential phishing attacks immediately to the internal security teams.
With so many sophisticated codes and hacking techniques, phishing still remains the most easily available means for bad actors to gain access through unsuspecting or undertrained staff who unknowingly let the disguised fox into the hen house.
This is where huge time and resource in arming people of an organization against phishing and whaling becomes a huge part of 90% of the 90/10 rule. The 90/10 cybersecurity rule is simple: 90% of security measures rely on users to adhere to best practices while 10% of security measures are technical in nature.
Organizations are learning more and more that significant security awareness training, especially around phishing/whaling is not only necessary, but crucial to avoiding costly breaches and legal quandaries that have brought some giant institutions to its knees.
Keep your workforce constantly trained and updated, and you will be close to achieving some credence of the 90% of the 90/10 rule. Of course, this is still not all that is needed to be impregnable, but at least it would ensure the phishing nets are kept light!
The fact that anyone with the right training can prevent phishing scams, while it may seem like added pressure, is good news. It only takes a few seconds to look over the body of an email and determine that things do not look right. No significant time is lost, and one person may avoid making a costly mistake that could disrupt or end an entire company. Take a second, stop to read, and hover before clicking.
Phishing is a growing problem in healthcare and tends to fall into two categories. One would be ‘broadcast’ type of attempts that are simple and impersonal. The second – and more dangerous – are sophisticated types of phishing attacks. These tend to be personalized and include a fairly specific and urgent call to action. Phishing is all about trying to get a target to give information that allows the Phisher to do something else, whether that’s gain access to a network, receive a digital payment, or seize a system and hold its data for ransom.
The typical mitigations for things like phishing are to educate users, making sure they are security-aware and won’t click on a link from someone they don’t know; and that they are using strong passwords. But it also helps to validate participants in a communication through a third-party tool and to protect the information in that communication – either through a native application, if it’s a mobile scenario, or an encrypted channel.
Cybercriminals have taken advantage of the anxiety and uncertainty caused by the pandemic, leveraging the global event to manipulate unsuspecting individuals. Phishing, while always a popular tactic for cyberattacks, has become a prime opportunity to exploit the pandemic and trick email recipients into offering valuable information unbeknownst to them. With the healthcare industry being an obvious target for such attacks, it’s imperative that healthcare organizations educate staff on phishing, what it looks like and the consequences a successful attack can have on the entire organization. Incorporating tools and technology such as multi-factor authentication, updated spam filters and Security Information Event Management (SIEM) solutions that help identify fraudulent activity in real-time can help organizations be proactive to help mitigate any potential threats. When it comes to the fight against phishing, preparedness is the most reliable defense.
Fighting the phish has been an ongoing battle for decades. Since the first phishing scheme in the mid-90s, it has been inevitable that someone within an organization is going to click on a phishing email despite best efforts to raise awareness about cyber threats. Security awareness training, especially in a healthcare setting where personal patient data is stored, is critical in spotting simple phishing attempts. However, without a best-in-class spam filter, more sophisticated attacks can still evade your security staff, putting valuable patient information at risk. While spam filtering technology is a must to protect an organization, it is not enough by itself and should be the minimum baseline. A combination of security technology and ongoing training is ultimately the best defense. Email users should be constantly alert and overly skeptical. While educating staff on how to identify a phishing scheme on their own is important, it’s also crucial to encourage employees to ask questions when they are unsure about the legitimacy of an email. Healthcare organizations should make it easy and efficient for staff to reach out to the technology or security teams for a second opinion when they are in doubt about an email.
When a ransomware attack occurs from a technical exploit, it’s usually a soft target in personnel. Phishing is always the first or last resort of an attacker. When they can’t get in from a server or work station vulnerability, they’ll look to exploit a gullible person. It usually comes in the form of an email directing them to a watering hole (website) where they’re tricked into revealing credentials; or with malware in the form of a malicious Word document or .pdf file. Once its opened, the hacker then has access behind the firewall. It’s critical for security teams to proactively train and test their employees, with regular refreshers and transparency to call out the total success or failure rate of the organization. Encouraging through progress makes a much more resilient team.
Don’t Miss our Cybersecurity Virtual Panel Discussion on October 26 at 1pm ET
It has been six years since our first panel discussion addressing the growing and alarming rise of cybersecurity threats to healthcare. In the ensuing years, data breaches and ransomware attacks continue to plague the industry. In fact, through double extortion, the two attacks are often combined.
The COVID-19 pandemic and the increased usage of telehealth and connected personal and medical devices have led to an exponential volume of incidents, enticing more malicious actors and more sophisticated attacks. And while technology advancements in Cloud, IoT, and 5G offer organizations the chance to modernize their IT infrastructure, cybersecurity threats are advancing on parallel lines as digital healthcare evolves.
On this year’s panel discussion, our experts from around the industry will discuss the challenges healthcare organizations face, what the future may hold, and what can be done to fortify security protocols and guardrails to minimize risk.
Moderator David Harlow, Esq.
Host of Harlow on Healthcare
- Heather Randall, PhD, Chief Compliance Officer, Sphere
- David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
- Parham Eftekhari, Founder & Chairman, Institute for Critical Infrastructure Technology (ICIT)
- Vikrant Arora, VP & Chief Information Security Officer, Hospital for Special Surgery