October is Cybersecurity Awareness Month
Each week this month we will take on a new cybersecurity subject and ask our experts in the healthcare industry to weigh in.
Week 1: Phishing
According to several industry reports, phishing is still the most prevalent cybersecurity threat in healthcare. Phishing is a type of social engineering in which an attacker sends a fraudulent message designed to trick a person into revealing sensitive information, or to deploy malicious software onto the victim’s infrastructure, such as ransomware.
Phishing attacks, which continually evolve and grow more sophisticated, pose significant threats to every healthcare stakeholder. These vulnerabilities encompass various critical aspects, including a lack of awareness training, insufficient email detection software capable of screening malicious content, the absence of email scanning mechanisms for harmful links, a deficiency in tools for email sender and domain validation, and limited IT resources for managing suspicious emails. Given the ever-increasing sophistication of phishing tactics, it is critical for healthcare organizations that handle PHI to adopt proactive practices including employing, at a minimum, multi-factor authentication (MFA) and enhancing staff recognition by tagging external emails. Additionally, continuing to train and educate employees so they can identify and respond effectively to suspicious emails should be an essential part of any healthcare organization’s cybersecurity strategy.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
Phishing is a widely used tactic, across all sectors, by attackers to exploit human vulnerabilities. It is a type of social engineering where the attacker is manipulating a user to gain access to data or systems. In healthcare these attacks are a major attack vector and are successful way too often. Attackers frequently pose as someone in the same organization or a partner, to take advantage of the “let me help” attitude of so many in healthcare. In healthcare, email is the number one attack vector for breaches. We tend to think we can solve this problem with tools, filters, and other add-ons. What we must remember about phishing is that it is fundamentally a social engineering technique, not a “cyber-attack”. Education and training of the staff must play a large role in stopping and mitigating phishing attacks. Teach your employees what to look for and what to look out for. You should still implement measures to protect email systems and protected information, but don’t neglect the staff.
By committing to protecting patients, employees, and systems from phishing attacks organizations can be proactive in staying ahead of evolving cybersecurity threats. Educating employees, using advanced security technology, and monitoring systems for attacks, are just a few ways healthcare organizations can protect themselves from increasing cyber-attacks.
Zandy McAllister, Chief Information Security Officer, Anatomy IT
Phishing cyberattacks launched against healthcare organizations are becoming more frequent and harder to identify. Hospitals and health systems can protect themselves from this growing risk through frequent and consistent enterprise-wide training. Even the busiest administrative executives and providers need to participate in regular training because they are typically the most common and vulnerable targets, so they need to be the most prepared.
Cybersecurity efforts in the healthcare industry are a continued balancing act between patient experience and defending against phishing attacks. Not only do patients expect their health networks to meet their needs, but they also expect that their patient information is secure from bad actors. Attackers use phishing techniques to exploit vulnerabilities in human judgment, manipulating people into providing sensitive information in order to gain access to confidential patient data.
To protect against this, healthcare providers are turning to AI technology and its algorithms to streamline patient identity verification, secure patient information, and detect fraud. An AI-driven algorithm will continue to improve as it ingests more and more data, allowing organizations to scale their fraud detection efforts and helping healthcare organizations to quickly identify and communicate any potential phishing attempts with their patients. As phishing remains a pervasive cybersecurity threat, healthcare organizations must leverage the learning abilities of AI to keep sensitive patient information safe against the evolving tactics of attackers.
Phishing by far is the number one threat, but it’s not the only one. It is used the most because it’s the most successful across healthcare. That fact tells us that we are not doing enough on end user awareness and cybersecurity training. The foundational elements of any cybersecurity program are People, Technology, and Processes. People are at the forefront as they are the first line of defense when an attack happens and the last line of support for recovery efforts after a successful attack attempt. Technology can help us identify, detect, and even respond to these attacks, but they all rely on the human factor, people, at the core. Reducing the susceptibility and probability of a user falling victim to a phishing attempt, through security awareness training and education programs, is by far the greatest return on investment for any organization. Invest in your people and they will protect your organization.
While cyberattacks appear to be more common among larger providers, recent evidence indicates a noticeable shift towards smaller entities. Surprisingly, business associates (BAs), which include clearinghouses, accounted for a staggering 25% of all breaches in 2023. Your practice may have world-class security protocols in place, but it can still be vulnerable to attacks through connections with BAs or care partners. In reality, the weakest link in the security chain is the most likely target for exploitation by malicious actors. Organizations should inquire with BAs and other third-party partners whether their services meet the highest privacy and security standards established by the healthcare sector’s governing bodies. Achieving critical industry-recognized certifications and accreditations demonstrates a commitment to data security and signifies a dedication to safeguarding data. As we work together to protect every provider, staff member, and the patients they serve by staying secure online, meeting privacy and security standards will ensure that your clearinghouse, other business associates, and your own facility adhere to the best security practices.
Rick Passero, Chief Information Security Officer, Anatomy IT
Phishing is still, by far, the most common type of cyberattack we see directed at hospitals and health systems. Threat actors, however, are becoming more sophisticated, using ChatGPT and other forms of generative AI to create phishing emails that are largely indistinguishable from the real thing. Attacks using fraudulent robocalls and voicemails, called ‘vishing,’ or text messages, ‘smishing,’ are also on the rise. Cybersecurity awareness and training are essential to identify and protect organizations from these constantly changing threats to the organization.
Unfortunately, we’ve seen how passwords alone as a single factor have been compromised through scraping, keylogging, phishing, browser caching, social engineering, and other techniques. We’ve also seen how multi-factor authentication requests have been circumvented countless times, either through MFA fatigue attacks or, again, social engineering to convince victims to accept MFA requests. No matter how impenetrable our defenses may seem to be, we humans continue to be the weakest links in cybersecurity. Phishing has been a wildly successful technique employed by threat actors, and continues to be a strong weapon in their arsenal when trying to gain initial access. With that in mind, the vigilance and efficacy with which we can recognize and report phishing content can be the determining factor between falling victim and thwarting the next attack strain.