As the healthcare industry closes the books on 2018, it is still reeling from more than 327 major data breaches that exposed personal health information (PHI) on at least 9.8 million US citizens this past year.
Sixty percent of the attacks reported to federal authorities involved phishing or other email attacks, impacting up to 5.88 million individuals. And the costs can be steep. According to Ponemon Institute's 2018 Total Cost of a Data Breach report, the losses associated with a data breach in the healthcare industry now average $14 million per breach, not including regulatory fines or possible civil and criminal penalties.
Sophisticated social engineering tactics play a key role in these attacks. By exploiting the weakest link in any healthcare organization's defenses (the human psyche), attackers are able to steal PHI without relying on technical vulnerabilities. Without significant action, the year ahead could be a whole lot worse. Here's why, and what it may take to reverse these trends.
A Bitter Pill to Swallow
Social engineering used to be as easy as standing on a street corner offering passersby free Starbucks cards in exchange for their employee email passwords. As a society, we’re beginning to understand the dangers that come with free handouts. While this feels like progress, it simply means cybercriminals must be more creative with their ruse.
As a result, what were once lone wolves and loose-knit groups of scam artists have metastasized into sophisticated cybercriminal organizations that operate much like legitimate businesses. Different teams perform distinct functions, such as creating email templates, curating lists of potential victims, utilizing captured credentials to obtain access to PHI, and monetizing the data once they’ve managed to exfiltrate it. Unfortunately for the healthcare industry and the general public, business is booming.
Data from a healthcare breach can include names, addresses, birthdates, social security numbers, credit card details, driver's license numbers, and more. That kind of data can score anywhere from $1 to $1,000 per record on the dark web.
The average cost per stolen record to the healthcare organization is currently $408, or at least $2.4 billion in losses industry-wide in 2018. The potential revenues per record to the cybercriminals who steal them can be billions more, particularly if the stolen data includes sensitive health information.
Data theft is not the only danger lurking in email. Up to 91% of ransomware attacks against the healthcare industry start with a malicious email. In successful infiltrations, lives are literally put at risk until hospitals or healthcare networks pay up. Today, two-thirds of all ransomware attacks target the healthcare industry, to the tune of an expected $7.6 billion in losses in 2019, according to CSO Online.
Diagnosis: Deception
While secure email gateways (SEGs) and other email security systems are effective at detecting the malicious links and malware-infected attachments, they're defenseless against today's most advanced email threats.
By mining contact databases, company websites, LinkedIn profiles, and more, cybercriminals can now produce insanely personalized, plain-text emails that are engineered to inspire a cortisol rush of stress, or a quick hit of dopamine, via a message sent by what appears to be a known and trusted sender.
The idea is to throw a harried, overworked nurse, back-office accountant, or a distracted C-level executive off-kilter just long enough to cough up login credentials before they think to confirm a message's legitimacy. No links or malware are required for this type of scam, meaning that they easily bypass existing security defenses in many organizations.
As a result, advanced phishing scams targeting the healthcare industry have jumped 80% in just the last year. Typical subject lures include "Password update required" notices from the "IT department," or "new messages" alerts from an Office 365 inbox.
While invoice fraud involving a request for an "urgent payment" from the "CFO" is a top phishing lure in most industries, it's less of a factor in healthcare, according to HIPAA Journal. That's presumably because stolen PHI is so much more lucrative. Either way, the staggering legal and financial repercussions of successful email attacks have healthcare professionals feeling shell-shocked.
The Search for a Cure
"Users are really scared to use email today," Randall Frietzsche, CISO and privacy officer of Denver Health, tells HealthTech Magazine. "I want to not only reduce the risk of phishing email and ransomware, but I also want to increase users' confidence in using email."
With that in mind, look for some organizations to cobble together solutions to augment their existing security controls in hopes of spotting incoming attacks. The most security-conscious organizations will ultimately gravitate towards modern, AI-based solutions that were designed specifically to combat advanced socially-engineered email attacks.
Instead of modeling bad content, these solutions model normal “good” behavior by mapping the communications between individuals, organizations, and infrastructures to detect and disrupt identity deception, social engineering ploys, and other forms of email fraud.
Cloud Email Protection (CEP), for example, is able to model the normal email behavior of trusted identities at Internet scale. Drawing on insights from the more than 2 trillion email messages we analyze each year, our solution is able to protect organizations from socially engineered attacks using deeper, more relevant insights that grow smarter and more effective with each new email sent or received. CEP uses these behavioral models to detect aberrations, such as when a trusted contact is impersonated using address spoofing, look-alike addresses, or display name deception. Agari's solution can even detect when the trusted sender's email account is compromised, meaning the attacker actually has control over the sending email account.
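As an added illustration of the behavioral approach described above (example code written for this page, not Agari's or CEP's implementation), the following Python builds a baseline of trusted display-name/address pairs from a constructed message history and labels an incoming From identity as address spoofing, a look-alike domain, or display name deception. The SPF/DKIM alignment result is assumed to be supplied by an upstream authentication check.

```python
from collections import defaultdict

# Constructed sample of historical "good" mail: (display name, address) pairs
# a recipient has legitimately exchanged mail with. Hypothetical data.
HISTORY = [
    ("Dana Reyes", "dana.reyes@example-health.org"),
    ("Dana Reyes", "dana.reyes@example-health.org"),
    ("Billing Dept", "billing@example-health.org"),
]

def build_baseline(history):
    """Map each trusted display name to the addresses it normally uses,
    and collect the set of domains seen in legitimate traffic."""
    names = defaultdict(set)
    domains = set()
    for name, addr in history:
        names[name.lower()].add(addr.lower())
        domains.add(addr.lower().split("@")[1])
    return names, domains

def edit_distance(a, b):
    # Levenshtein distance, used to flag near-miss ("look-alike") domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(display_name, address, auth_pass, baseline):
    """Label an incoming From identity against the baseline.
    auth_pass: True if SPF/DKIM aligned for the From domain (assumed to be
    parsed from the Authentication-Results header upstream)."""
    names, domains = baseline
    name, addr = display_name.lower(), address.lower()
    domain = addr.split("@")[1]
    if addr in names.get(name, set()):
        # Exact match with the baseline: trusted unless the sender's own
        # domain failed authentication, which indicates spoofing.
        return "trusted" if auth_pass else "address_spoofing"
    if domain not in domains and any(edit_distance(domain, d) <= 2 for d in domains):
        # Unseen domain that is a few characters away from a trusted one.
        return "look_alike_domain"
    if name in names:
        # Known display name arriving from an address never paired with it.
        return "display_name_deception"
    return "unknown_sender"
```

In practice the baseline would be learned from a much larger history and the labels fed to a quarantine or review queue rather than a hard block.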
Inboxes on the Mend
According to organizations that have deployed these solutions, one of their major benefits is the ability for employees to open, click, and trust everything that hits their inboxes. In fact, one Global 500 healthcare company reports it is now able to block advanced phishing attacks missed by traditional security systems, preventing data breaches initiated by email completely.
Still, whether they plan to take this or some other approach to defeating social engineering-based email scams in the year ahead, organizations might want to get cranking. Targeted phishing attacks are now expected to be the #1 threat for healthcare organizations. According to Ponemon, the odds that one of those attacks causes a data breach in the next 12 months are far higher than most organizations believe.
To learn more about how to defend your organization against advanced phishing attacks, download “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud” from Osterman Research.