Avoid the Phish! How to Recognize a Phishing Attack and Avert It!

Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies

Last month’s article, Healthcare Data Breaches: Their Frequency, Impact, and Cost, discussed the overall impact that cybersecurity breaches are having on healthcare. Healthcare continues to lead all industries in the number of breaches with 27% and has the highest cost for data breaches at $408/record, nearly three times the cross-industry average of $148. While the number of data breaches in healthcare remained relatively the same between 2017 and 2018 (359 and 351), the number of healthcare records exposed increased at an alarming rate of over 250% (5,138,179 to 13,020,821). This shows that hackers are getting bolder. They realize each healthcare record is worth $50 on the black market, much more than Social Security and birth date records ($3) or credit card information ($1.50). That is because healthcare records contain personal, financial, and medical data that can be used for Medicare fraud – the most profitable type of identity theft.

Studies also show that healthcare employees are seven times more often responsible than employees of other industries for causing breaches due to human errors and/or careless actions such as: inappropriate conversations; misuse or careless handling of mail, emails, and other hard copy documents; leaving computer screens or hard copy records unattended and visible to others; and sharing passwords or not logging off a computer when not in use.

However, the biggest threat posed by employees is unintentional, careless clicking on links or attachments in “phishing” emails, which can allow hackers to steal login information, giving them access to email or cloud accounts that contain patient data. These are usually innocent, unknowing acts by the employees, but they are very consequential to the organization. The links or attachments in phishing emails can expose PHI or embed malware within the computer system or network, resulting in serious network problems or system stoppages. This obviously causes significant issues and costs for the healthcare organization and financial gain for the hackers.

This is exactly what happened in the largest healthcare data breach in 2018. A health system’s email system exposed 1.4 million records when hackers sent emails to employees from a fake account that appeared to be coming from an executive within the organization. The email asked the users to disclose their email credentials. Once the employees clicked on the link or the attached document, the hackers gained access to internal email accounts and then to patients’ records. This phishing attack was not uncommon. The 2018 Verizon Data Breach report confirmed that phishing attacks are increasing, accounting for 43% of all data breaches. Other research found that over 90% of data breaches are the result of phishing emails and that an average of 16 malicious email messages are sent to every email user every month.

That is scary!  That means we have at least 16 chances each month of clicking on a phishing email and creating a data breach or a ransomware attack causing a possible system outage of the entire computer network at our organization. How would you like to be the person responsible for causing the data breach and costing the organization millions of dollars in fines or paying a ransom to get the system up and running again?  Some employees have even been terminated due to this type of error, if it was done against normal company policies. I’m sure none of us would want to be in that situation, so we have to educate ourselves to be aware of possible phishing schemes and know how to avoid them. Let’s start by defining some key concepts.

Phishing is a scam aimed at getting an online user to reveal personal or confidential information for the purpose of identity theft. There are three types of attacks:

· Phishing – a general email that is sent as spam or as an email addressed to a large, non-specific group of users. The goal is to get users to open embedded links or attached files that, when clicked on, allow the hackers to access the user’s system. Once in the organization’s system, hackers can delve deeper to obtain personal information, credentials, logins, passwords, and other data.

· Spear phishing – a more sophisticated and elaborate targeted phishing attack that focuses on a specific company or individual and combines tactics like personalizing the message or impersonating known users so the spear phishing email is extremely believable and compelling. The goals are to bypass or evade email filters and antivirus software and gain access to a system in order to introduce malware and other attacks. This type of approach was used in the large breach described above.

· Whaling – a specific attack that targets members of an organization’s upper management team by name. The goal is to obtain confidential company information by using a webpage or email that appears to be legitimate (corporate logo, color scheme, address, brand identity). It is usually presented as an urgent matter that needs attention, such as an internal corporate issue, a new or updated policy, a significant complaint, or a legal issue.

A phishing scam typically starts with a legitimate-appearing email from a person, company, or website asking the user to update personal information, such as a password, credit card number, social security number, or bank account number. The message looks authentic and appears to come from organizations the user may have accounts with. It also may include legitimate-looking company logos and the formats that the company uses. In fact, it usually looks so authentic that recipients respond to about 20% of them. The 2015 HIMSS Cybersecurity Survey of 300 health information professionals indicated that phishing attacks were their biggest future security fear and the “#1 thing that keeps Chief Information Security Officers up at night”. The 2019 HIMSS Cybersecurity Survey of 166 health information security professionals still found phishing to be a major concern, especially for those healthcare systems that are not conducting adequate phishing tests. One reason this is so worrisome is that the threat is directed at all levels of employees in an organization and it is relatively easy to get someone to unknowingly click on a link or document. It is not something Information Systems can fully control with tools and countermeasures.
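The warning signs described above (a sender whose display name imitates an executive or a known organization while the actual address is on an outside or lookalike domain, urgent language, and a request to “update” or disclose credentials or personal data) can be checked mechanically. The following Python script is an added example, not code from the article or from TCS Healthcare Technologies; the organization domain, the phrase lists, and the two sample messages are constructed for illustration and are not real addresses or incidents.

```python
"""Added example (not from the article): flag the phishing indicators the
article describes in a raw email message.  ORG_DOMAIN, the phrase lists
and the sample messages are constructed values for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organization's legitimate mail domain (constructed value).
ORG_DOMAIN = "example-health.org"

# Phrases typical of the lures the article describes: pressure to act now,
# and requests to "update" or disclose credentials or personal data.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended")
CREDENTIAL_PHRASES = ("update your password", "confirm your password",
                      "verify your account", "social security number",
                      "email credentials", "bank account")

# Constructed sample: the display name imitates an internal executive, but
# the real sender address is on a lookalike domain (capital I for l).
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-heaIth.org>
To: staff@example-health.org
Subject: URGENT: confirm your email credentials
Content-Type: text/plain

Please verify your account immediately by replying with your email
credentials, or your account will be suspended within 24 hours.
"""

# Constructed sample of an ordinary internal message for comparison.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-health.org>
To: staff@example-health.org
Subject: Quarterly phishing training
Content-Type: text/plain

The quarterly phishing awareness session is scheduled for Tuesday at 10am.
"""


def normalise(domain):
    """Collapse common look-alike substitutions (I/l/1, 0/o, rn/m) so a
    lookalike domain compares equal to the domain it imitates."""
    table = str.maketrans({"i": "l", "1": "l", "0": "o"})
    return domain.lower().translate(table).replace("rn", "m")


def sender_parts(raw):
    """Return (display_name, address, domain) from the From: header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def body_text(raw):
    """Return the plain-text body, joining text/plain parts if multipart."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Return the names of the indicators found (an empty list means none)."""
    findings = []
    name, _addr, domain = sender_parts(raw)
    subject = message_from_string(raw).get("Subject", "")
    text = (subject + "\n" + body_text(raw)).lower()

    # 1. Display name claims an executive role but the address is external.
    if domain != org_domain and re.search(
            r"\b(ceo|cfo|cio|director|president)\b", name, re.I):
        findings.append("executive-impersonation-external-domain")
    # 2. Domain is not ours but looks like ours once homoglyphs are collapsed.
    if domain != org_domain and normalise(domain) == normalise(org_domain):
        findings.append("lookalike-domain")
    # 3. Urgency pressure in subject or body.
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency")
    # 4. Request to disclose or "update" credentials / personal data.
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("credential-request")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

On the constructed sample the script reports all four indicators; on the benign internal message it reports none. The phrase lists are deliberately short so the logic stays readable, and any one indicator on its own is a reason to report the message to IT rather than click, which is the behaviour the training section below tries to build.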

Phishing attacks often introduce ransomware into computer systems by sending emails from legitimate-looking banks or credit card companies requesting the recipient to “update” their personal information (birthdate, social security number, passwords, etc.). When the attachment or link is clicked, malware is introduced into the system, which can spread from one system to another. Ransomware can also be introduced, encrypting documents, music, pictures, and other files and making them inaccessible. The organization is held hostage until it pays a ransom to unlock the files. If the ransom is not paid within a defined time, the ransom is increased. Organizations that keep routine back-ups of their systems can avoid paying the ransom and restore their systems, but it still results in system downtime and a lot of time and effort to get the system operational again. Organizations that do not have system back-ups have to pay the ransom or risk losing all their data.

Systems that are using older versions of software that are not receiving automated cybersecurity updates are very susceptible to phishing attacks. We cannot get lulled into thinking that the security programs on our system or our Information Technology (IT) department will handle all these threats. While some employees are specifically targeted because of their position or because of the types of information they have access to, all individuals and companies should assume they are or could be targets of phishing attacks. All it takes is for one person to click on a link that contains the malware. And I’m sure you don’t want to be “that person” who takes down the entire system!

Tips for Preventing Phishing Attacks

To make sure you are not a victim of a phishing attack, let’s review some things you can do to prevent getting “hooked”.  These two articles, 8 Ways to Prevent “Phishing Scams” and 10 Tips to Prevent Phishing Attacks, provide the following useful suggestions to help guard against phishing.   

The weakest link in any security system is the human element and that’s particularly true when it comes to phishing attacks. Employees are the biggest threat, since they are the ones who initiate the action that allows the phishing attack to occur.  In addition, hackers have become more creative in manipulating and influencing people, which allows them to gain access to computer systems and obtain sensitive information.

Staff Education, Testing, and Monitoring

The most important aspect in preventing phishing attacks is education. Management staff is responsible for making sure all staff members are routinely provided with phishing training and continuously tested and monitored to assure they can recognize the threats and know how to avoid them. Phishing training sessions are recommended at least every quarter to condition employees to look for and report phishing emails. This type of training and monitoring can reduce the percentage of successful phishing attacks. Some companies also include monthly “phishing tests” in which test emails are sent to all employees to see if they are able to identify and handle them appropriately. Those who get “caught” are reminded and given additional education. Companies that encourage employees to report potential phishing threats rather than reprimand them for failing phishing tests tend to have greater success in curtailing threats. 

The following are resources that include free phishing and cybersecurity quizzes, tests, tools, resources, and staff training programs that can be used by individual case managers to test their knowledge and awareness and by the management and IT staff to assess the organization’s level of potential threats, develop training and testing programs, and track program results. I hope you will find these useful.

Phishing Quizzes, Tests, and Tools

Cybersecurity Quizzes, Tests, and Tools

Conclusion

There’s no question that phishing poses a significant danger to healthcare organizations, as it is the preferred method for hackers to gain access to systems in order to capture PHI and/or deploy ransomware for their financial gain. In addition, any system user can fall victim to a phishing attack and introduce malware into the system, so it is a daunting challenge for the IT department, which has little control over how email and the internet are used by employees.

As case managers, we must realize that cybersecurity is not just an IT function. Sure, the IT team does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards. While IT may be responsible for managing the overall cybersecurity of an organization, adopting security best practices, and deploying appropriate technology to lessen the chances that a phishing attack will succeed, each of us has an individual responsibility to be aware of what our roles are in assuring safe security practices. We need to be aware of our vulnerabilities and what we must do to assure the integrity of our computer systems. We need to be “stewards of security”, empowered and accountable to create a culture that raises awareness and reduces security incidents.

Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for “phishy” schemes. I’m sure you don’t want to be the one responsible for allowing malware, a virus, or spyware to gain access to your organization’s computer system, or worse yet, the one responsible for a devastating and costly data breach resulting from a phishing email you clicked on.

Watch out for the “phish”!

NOTE: For more information about what each of us can do, refer to this previous newsletter article “Cybersecurity for Case Managers: Responsibilities of Individual CMs”.

Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.