In healthcare, the pressure is always on to drive down overall costs and provide higher levels of patient care. The result: a never-ending quest to increase efficiency. EMRs, telehealth tools, and other third-party IT solutions that enhance productivity and streamline clinician workflows have become the norm.
While these solutions are a critical part of any modern healthcare organization, this focus on efficiency means that security often takes a backseat. More than 40 percent of hospitals allocate only 1-2 percent of their overall budget to cybersecurity, while 8 percent allocate none at all!
This lack of cybersecurity, combined with the fact that healthcare records are worth significantly more money on the dark web, makes the healthcare industry a prime target for cybercriminals. An estimated 89 percent of all healthcare organizations have experienced a data breach, with the last few years being particularly rough.
In 2016, the industry experienced 328 breaches that affected 16 million patient records, while 2017 saw the number of breaches rise to 477, affecting 5.6 million patient records. 2018 is on track to be even worse, with a total of 337 breaches, affecting 8.6 million patient records in the first three quarters alone.
While the number of successful breaches is staggering, the tactics used tend to fall into only a handful of categories. So what are they, and how can your organization protect itself?
This four part blog series counts down the top threat actions that cause healthcare data breaches and explores how modern identity and access management (IAM) solutions can mitigate these risks. Our first part takes a closer look at social attacks, such as phishing schemes.
Social Attacks Leverage Your Organization’s Weakest Link—Its People
Unfortunately, a hospital’s greatest threat is often its own employees—a fact of which threat actors are all too aware. Employees are human after all, and humans make mistakes. One study found that 78 percent of healthcare employees showed at least some lack of cybersecurity preparedness, while 37 percent were an outright risk to their organization.
Social attacks, also known as social engineering attacks, take advantage of this weak link. In these incidents, threat actors target people directly with the goal of gaining access to their data and systems. After all, tricking a user into giving up login credentials using a false URL or email attachment is far easier than an attack that requires coding, bypassing firewalls, or hacking software.
Due to their simplicity, these schemes are common in healthcare, accounting for 8 percent of all threat actions taken during cybersecurity incidents within the industry, according to Verizon’s 2018 Protected Health Information Data Breach Report.
The lucrative nature of healthcare records means the motive behind these attacks is typically financial, but medical fraud is another common motive, as stolen credentials can provide direct access to social security numbers and other PHI. On average, victims of identity theft stemming from social attacks spend $13,500 to reimburse their healthcare provider for fraudulent claims, restore their credit, and correct inaccuracies that are now in their healthcare records.
Phishing Schemes & Methods of Social Attack
When it comes to types of social attack, phishing schemes are by far the most popular method used to penetrate cybersecurity. In fact, they account for nearly 70 percent of all social attacks in healthcare, according to the Verizon report.
Here’s how it works: much like actual fishing, phishing attacks try to “lure” users into revealing sensitive personal information, such as login credentials, by impersonating a legitimate source. Most often via email, a message is sent to an individual with the goal of influencing the user to open a malicious file or click on a malicious link.
Perhaps the message appears to be from a hospital administrator asking the user to download and complete an attached form, or maybe it’s a phony “fraud alert” requesting the user take immediate action and click a link to reset his or her login credentials. Either way, if the user falls for the “bait” and takes the requested action, their assets are compromised.
While you may think you’d never fall for that, many people do, and an attacker needs only one successful attempt. In practice the success rate is far higher than one: it’s estimated that worldwide 80,000 victims fall for phishing schemes every day.
And there’s evidence healthcare employees are particularly susceptible to these attacks. One study found that 24 percent of physicians couldn’t successfully identify phishing emails, compared to just 8 percent of their non-provider counterparts (such as office workers).
Furthermore, both the largest healthcare breach of all time (Anthem Blue Cross) and 2018’s largest (UnityPoint Health) can be traced back to phishing attacks. The phishing attack that led to the March 2018 UnityPoint breach sent emails to employees that appeared to be from an executive within the organization. Multiple employees were fooled, ultimately compromising the PHI of 1.4 million individuals.
Taking phishing schemes to the next level, pretexting accounts for just under 12 percent of social attacks, according to the Verizon report. With pretexting, a cyber criminal poses as a legitimate source, such as the help desk or a direct superior, and emails, calls, or otherwise engages an employee under a fabricated “pretext” in order to trick the employee into giving up login credentials or other sensitive data.
While there are other social tactics, these two constitute the majority of successful social attacks. Bribery (7.8 percent), forgery (2.9 percent), propaganda (2.9 percent), elicitation (1.9 percent), extortion (1.9 percent), and influence (1.9 percent) round out the other social tactics cited in the Verizon report.
Multi-Factor Authentication—Added Protection Against Social Attacks
While protection against phishing schemes and other social attacks starts with regular education and training, awareness alone can’t eliminate all human error. Relying on a single authentication factor to protect sensitive information leaves your organization just one mistake by an unwitting end-user away from a breach. A traditional username and password alone simply can’t protect your organization from the barrage of social attacks targeting healthcare.
This is where requiring multiple authentication factors can make all the difference. Deploying a multi-factor authentication (MFA) solution puts additional layers of security in place that prevent cyber criminals from accessing a hospital’s network, even in the event an end-user falls victim to a social attack. Without the second authentication factor, the attempt would be unsuccessful, even if the attacker obtains the user’s username and password.
While MFA offers effective protection against social attacks, it’s also critical that this added security doesn’t negatively impact hospital productivity, especially for busy clinicians who need quick, efficient access to electronic medical records (EMRs) and other clinical apps. Therefore, it’s important to find a flexible solution that only requires additional authentication when the situation warrants it—keeping friction and user inconvenience to a minimum.
Some MFA solutions offer risk-based authentication (RBA) that looks at a number of factors to determine risk, including context (time of day, location, etc.), application sensitivity, number of login attempts, personal characteristics (a user’s role, tenure, etc.), and even behavioral factors that account for users who are more likely to expose themselves to risk, such as users who have had prior security incidents or failed internal phishing tests.
For example, while requiring a busy clinician to use MFA when accessing a workstation within hospital walls might be burdensome and unnecessary, the same can’t be said for an end-user accessing an organization’s network remotely—be it a third-party contractor, vendor, or even a clinician logging in from home or while traveling. In fact, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to deploy MFA for users who are accessing sensitive or private patient information remotely.
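To make the risk-based step-up decision concrete, here is a small policy engine that scores a login attempt from the signals listed above (network location, time of day, application sensitivity, failed attempts, role and tenure, prior incidents and failed phishing tests) and returns one of three outcomes: allow on password alone, require a second factor, or refuse the attempt. This is an added illustration written for this post, not code from any vendor’s MFA product; the weights, thresholds, role names and sample login contexts are all hypothetical and constructed for the example. It also encodes the remote-access-to-PHI point above as a hard rule so that a second factor is demanded for remote PHI access regardless of score.

```python
"""Risk-based step-up authentication policy (constructed illustration).

Scores a login attempt from context signals and decides whether a password
alone suffices, a second factor is required, or the attempt is refused.
All weights, thresholds and sample records below are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical weights; a real deployment would tune these from its own data.
WEIGHTS = {
    "remote_network": 40,        # not on the hospital's own network
    "off_hours": 10,             # outside a normal working window
    "sensitive_app": 25,         # application exposes PHI
    "per_failed_attempt": 8,     # applied once per failed attempt
    "third_party": 20,           # contractor/vendor rather than staff
    "short_tenure": 5,           # in role for less than 90 days
    "prior_incident": 15,        # applied once per prior incident
    "failed_phishing_test": 15,  # applied once per failed internal test
}
STEP_UP_THRESHOLD = 40   # at or above this, a second factor is required
DENY_THRESHOLD = 100     # at or above this, refuse even with MFA
MAX_FAILED_ATTEMPTS = 5  # refuse outright past this many failures


@dataclass
class LoginContext:
    user: str
    role: str                 # e.g. "clinician", "admin", "contractor", "vendor"
    tenure_days: int
    on_network: bool          # True when on the hospital's internal network
    hour: int                 # local hour of day, 0-23
    app_sensitivity: str      # "low" or "phi"
    failed_attempts: int
    prior_incidents: int = 0
    failed_phishing_tests: int = 0


def is_off_hours(hour):
    """Hypothetical working window: 06:00 to 20:00."""
    return hour < 6 or hour >= 20


def risk_score(ctx):
    """Return (score, reasons) for a login attempt."""
    score = 0
    reasons = []

    def add(key, times=1):
        nonlocal score
        score += WEIGHTS[key] * times
        reasons.append(key)

    if not ctx.on_network:
        add("remote_network")
    if is_off_hours(ctx.hour):
        add("off_hours")
    if ctx.app_sensitivity == "phi":
        add("sensitive_app")
    if ctx.failed_attempts:
        add("per_failed_attempt", ctx.failed_attempts)
    if ctx.role in ("contractor", "vendor"):
        add("third_party")
    if ctx.tenure_days < 90:
        add("short_tenure")
    if ctx.prior_incidents:
        add("prior_incident", ctx.prior_incidents)
    if ctx.failed_phishing_tests:
        add("failed_phishing_test", ctx.failed_phishing_tests)
    return score, reasons


def decide(ctx):
    """Return (decision, score, reasons); decision is allow, step_up or deny."""
    score, reasons = risk_score(ctx)
    if ctx.failed_attempts >= MAX_FAILED_ATTEMPTS or score >= DENY_THRESHOLD:
        return "deny", score, reasons
    # Hard rule: remote access to PHI always requires a second factor.
    if not ctx.on_network and ctx.app_sensitivity == "phi":
        return "step_up", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample login contexts (not real users or events).
ONSITE_CLINICIAN = LoginContext("dr.lee", "clinician", 1200, True, 10, "phi", 0)
REMOTE_CLINICIAN = LoginContext("dr.lee", "clinician", 1200, False, 22, "phi", 0)
REMOTE_VENDOR = LoginContext("vendor-svc", "vendor", 30, False, 23, "phi", 2,
                             prior_incidents=1, failed_phishing_tests=1)

if __name__ == "__main__":
    for ctx in (ONSITE_CLINICIAN, REMOTE_CLINICIAN, REMOTE_VENDOR):
        decision, score, reasons = decide(ctx)
        print(f"{ctx.user:12} {decision:8} score={score:3} reasons={reasons}")
```

Run as a script, the on-site clinician opening the EMR during the day is allowed on password alone, the same clinician logging in from home at night is asked for a second factor, and the remote vendor account with failed attempts, a prior incident and a failed phishing test is refused. The hard rule for remote PHI access sits ahead of the score check so that tuning the weights downward can never silently remove that requirement.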
Up Next - Malware and Ransomware
While the barrage of social attacks in healthcare isn’t likely to let up anytime soon, and hackers will only continue to get more clever with these schemes, that doesn’t mean healthcare organizations have to accept that a successful attack is inevitable. Together, regular security training and awareness, combined with flexible MFA, can greatly minimize the risk of human error, while stepping up organizational security.
In part 2 of this blog series, we’ll be discussing another leading cause of breaches in the healthcare industry: malware and ransomware. So, stay tuned!