Phishing Health Care: Prevent Criminals from Taking Advantage of Emergency Situations
Editor's Note: This is the third post in an ongoing series dedicated to the health care industry.
Links to previous posts:
- Introduction post: Through the Health Care Lens
- Second post: When Health Care Goes Online
- Fourth post: Securing "Break-the Glass" Access Protocols
Phishing and email-borne malware have a disproportionately large impact on the healthcare industry. Among the 3,950 breaches examined in the 2020 Verizon Data Breach Investigations Report, 521 took place within health care organizations, making the industry the most frequently victimized among those included in the report. Financially motivated criminal groups are particularly likely to target health care organizations, and human error often plays a role in their success.
This isn’t a new trend, but recent events have amplified its effects. Amidst the crisis that the current global pandemic has caused in the healthcare industry, many employees are experiencing a sense of fear and urgency. As a result, they are reading their email less carefully than usual and responding to messages faster and with less thought. Cybercriminals have responded by sending out growing volumes of coronavirus-themed spam and by registering numerous COVID-related domains, to which they direct traffic through malicious URLs embedded in the emails.
Even though health care industry employees tend to be well-educated and security-conscious, it’s impossible to prevent all human error. Given the expansive nature of email-borne attacks, it’s wise to employ a multi-layered, defense-in-depth strategy to counter the threat. Encouraging your employees to remember the basics—all-around security awareness and good password hygiene—is important, but so is investing in a solution stack that will allow you to protect sensitive data at its source.
Anatomy of a Phishing Attack
The majority of social engineering attacks take advantage of email. Cybercriminals’ primary objective is to motivate their victims to take action—usually by clicking on an embedded link or opening an attachment. The messages are designed to prey upon their readers’ emotions and elicit a quick and incautious response.
A commonly employed tactic is to leverage a compromised third party’s email account, such as a local clinician in a small practice or a vendor with whom the victim has long had a relationship. With access to the compromised email account, attackers can craft urgent-sounding messages and send them to thousands of people on distribution lists. Communications are usually short and sweet—often along the lines of “Can you check on this?” or “Did you notice this?” System administrators may be targeted with messages stating the user was notified of an alert. Checking up on alerts is, of course, among their professional responsibilities, so they’re likely to be tempted to click.
Attackers may also embed a malicious URL within a file or document created in Office 365 or Google Docs. Because these apps are popular and widely trusted, employees may forget that following links inside documents can open the door to compromise of the healthcare organization’s network.
Once the malicious link is clicked, it can trigger an automatic download of malware or ransomware, allowing attackers to infiltrate and traverse the network. The end result may be credential theft, extortion, or data loss.
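The traits described above (a short, prompt-style message, an embedded link, and a pandemic-themed domain) can be turned into a simple mail-triage check. This is an added example, not part of the original post and not code from any Forcepoint product. The function name, keyword list, word threshold and sample domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumed tuning values for this illustration; none come from a product.
THEME_WORDS = ("covid", "corona", "pandemic")
LURE_PHRASES = ("can you check on this", "did you notice this")  # quoted in the post
SHORT_BODY_WORDS = 40
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def triage(raw_message, trusted_domains=()):
    """Return reason codes explaining why a message deserves a second look.

    Sender reputation is deliberately ignored: the lure may come from a
    compromised account that the recipient already trusts.
    """
    msg = message_from_string(raw_message, policy=default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
    # Drop links that point at domains the organization already trusts.
    untrusted = sorted(
        h for h in hosts
        if h and not any(h == d or h.endswith("." + d) for d in trusted_domains)
    )
    reasons = ["themed_host:" + h for h in untrusted
               if any(w in h for w in THEME_WORDS)]
    text = " ".join(body.lower().split())
    if (untrusted and len(text.split()) <= SHORT_BODY_WORDS
            and any(p in text for p in LURE_PHRASES)):
        reasons.append("short_lure_with_untrusted_link")
    return reasons

# Constructed sample messages (reserved .example domains), not real traffic.
SAMPLE_LURE = (
    "From: dr.lee@clinic.example\nTo: nurse@hospital.example\nSubject: Alert\n\n"
    "Can you check on this?\nhttps://covid-relief-portal.example/alert?id=7\n"
)
SAMPLE_ROUTINE = (
    "From: it@hospital.example\nTo: nurse@hospital.example\nSubject: Schedule\n\n"
    "The updated screening schedule is posted at\n"
    "https://covid.hospital.example/schedule\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_ROUTINE):
        print(triage(sample, trusted_domains=("hospital.example",)))
```

Keyword and length heuristics like these only rank messages for review or user coaching; they do not replace URL reputation or isolation controls.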
Shoring Up Your Defenses Against Phishing Attacks on Healthcare Organizations
Developing a security-conscious culture within any health care industry organization is a must. Instilling good habits in employees through ongoing training as well as open discussion can go a long way towards reducing the threat posed by phishing attacks.
Because human nature is inherently imperfect, it’s wise to supplement user security education programs with technologies that can remind employees when email communications are particularly risky and block the movement of sensitive or regulated data. Forcepoint Data Loss Prevention (DLP) Endpoint includes enhanced employee coaching capabilities that system administrators can configure to provide popup reminders of the organization’s policies. The solution can also be set to prompt users to think carefully about security each time they encounter an embedded link.
Leveraging the data classification capabilities integrated into Forcepoint DLP, your security organization can also engage users to assist in classifying data themselves. This helps employees think about which files, documents and other data types are sensitive, subject to regulatory mandates, or otherwise critical to protect. It encourages enhanced accountability and risk awareness among employees.
Finally, you can take advantage of new solutions like Forcepoint’s Remote Browser Isolation technology powered by Ericom. This solution allows users to connect to known low-risk sites, automatically blocks high-risk sites, and opens sites whose risk profiles are unknown within a remote, isolated, cloud-based container. This isolates web content from the end user’s browser and prevents malware from infecting their endpoint device. We’ll share more details about Forcepoint RBI here on the blog soon.
There’s no single solution that can protect your organization from 100% of email-borne attacks, and no guarantee your employees won’t fall victim to a sophisticated hoax. But a multifaceted data protection strategy that includes automated tools for protecting data at rest and in motion along with ways of reminding employees to exercise forethought and care.