Category Archives: healthcare

New research finds hospitals are easy targets for phishing attacks

New research from Brigham and Women’s Hospital in Boston finds hospital employees are extremely vulnerable to phishing attacks. The study highlights just how effective phishing remains as a tactic—the need for defense against and awareness of email scams is more critical than ever.

The research was a multi-center exercise that looked at results of phishing simulations at six anonymous healthcare facilities in the US. Research coordinators ran phishing simulations for close to seven years and analyzed click rates for more than 2.9 million simulated emails. Results revealed that 422,052 (14.2 percent) of phishing emails were clicked, which is a rate of one in seven.

Patient data at risk

Security professionals are acutely aware of the intense scrutiny placed on patient data and the regulatory requirements around HIPAA (Health Insurance Portability and Accountability Act). This new research on phishing in healthcare puts a spotlight on the vulnerability of this kind of data.

“Patient data, patient care, patient trust and financial stability may be on the line,” said study author William Gordon, MD, MBI, of the Brigham’s Division of General Internal Medicine and Primary Care. “Understanding susceptibility, but also what steps can be taken to mitigate it, are critical as cyberattacks continue to rise.”

Odds of clicks decreased with time

There was a positive finding in the study. Researchers noted that clicks on phishing emails went down as institutions ran more simulation campaigns. After institutions had run 10 or more phishing simulation campaigns, the odds of users clicking on fraudulent emails went down by more than one-third.

The findings make the case for solid awareness efforts to educate about the dangers of phishing, said Gordon.

“Things get better over time with awareness, education, and training,” he said. “Our study suggests that while the risk is high, there is an opportunity to mitigate it.”

Healthcare industry struggles with breach rate

Chris Carmody, senior vice president of enterprise technology and services at the University of Pittsburgh Medical Center (UPMC) and president of Clinical Connect Health Information Exchange, noted in an interview with Reuters Health News that phishing is a challenge in an increasingly digital healthcare environment.

“This is definitely a problem in all industries where people rely on e-communications, especially email,” Carmody said in the interview. “And health care is no different. We see clinical users whose primary focus is on patient care, and we’re trying to do our best to help them develop the knowhow to know what to look for so they can identify phishing attempts and report them to us.”

Carmody estimates that his security group at UPMC, which also runs phishing simulations, gets about 7,500 suspect emails forwarded to it each month, with about 12.5 percent of them being actually malicious.

But any number puts a healthcare facility at risk, as these kinds of institutions are particularly vulnerable to breach. A separate report from Beazley Breach Response finds that healthcare organizations suffered the highest number of data breaches in 2018 across any sector of the US economy. Healthcare institutions have a 41 percent reported breach rate, the highest of any industry.

Other figures from ratings firm SecurityScorecard find the healthcare industry is one of the lowest-ranked industries when it comes to security practices. The report, titled SecurityScorecard 2018 Healthcare Report: A Pulse on The Healthcare Industry’s Cybersecurity Risk, looked at data from 1,200 healthcare entities and ranked healthcare 15th out of 17 industries for overall cybersecurity posture.

The SecurityScorecard report noted the healthcare industry is one of the lowest performing industries in terms of endpoint security, posing a threat to patient data and potentially patient lives. In addition, 60 percent of the most common cybersecurity issues in the healthcare industry relate to poor patching cadence.

Healthcare phishing in the headlines

Healthcare phishing attempts that devastate facilities and lead to patient data leaks regularly make news headlines. In December 2018, an employee of Memorial Hospital at Gulfport, Mississippi was tricked by a phishing scheme and the result was the breached data of 30,000 patients.

The breach was discovered when investigators noticed an unauthorized party had gained access to an employee email account earlier in the month. Among the patient data leaked were emails, names, dates of birth, health data, and information about services patients had received at MHG. Social Security numbers were also leaked on some patients.

Phishing on the rise all over

Massive malware campaigns like Emotet and TrickBot have pushed phishing levels higher this year in many industries. Kaspersky Lab’s most recent Spam and phishing in 2018 report finds the number of phishing attacks that took place in 2018 more than doubled from the previous year.

Research from Sophos finds that 45 percent of UK businesses were hit by phishing attacks between 2016 and 2018. The study also revealed 54 percent had identified instances of employees replying to unsolicited emails or clicking the links in them.

The Malwarebytes 2019 State of Malware report finds all sectors are impacted by the kind of malware served up in phishing emails. Trojans like Emotet and TrickBot are particularly problematic in education, manufacturing, and retail. While healthcare fared poorly in the Brigham and Women’s study, every vertical is plagued by phishing.

How can businesses defend against phishing attacks?

Of all of the cybersecurity risks to organizations, the human element is always the toughest to mitigate. But, as the healthcare phishing study shows, user awareness does have a positive impact on click rates—the more campaigns were launched, the fewer employees who fell prey to fake emails.

There are plenty of free awareness and anti-phishing resources available that businesses can tap for training internally. For example, our anti-phishing guide offers suggestions and awareness tips for both employees and customers. And Google has an anti-phishing test you can access online to familiarize users with common phishing techniques. Of course, there are also many companies that offer training products for purchase.

However businesses choose to train employees, it’s important to have regular access to information and tools that promote awareness of evolving phishing techniques. In the healthcare industry, it’s not just about the bottom line—it could actually save lives.

The post New research finds hospitals are easy targets for phishing attacks appeared first on Malwarebytes Labs.

The 3 Biggest Threats Healthcare Data Security is Facing Right Now

The year 2017 saw the greatest ransomware attack in the history of the internet. The WannaCry ransomware was first detected in hospitals in the UK. It then exploded across the globe and affected

The post The 3 Biggest Threats Healthcare Data Security is Facing Right Now appeared first on The Cyber Security Place.

How susceptible are hospital employees to phishing attacks?

Cybersecurity threats are a rising problem in society, especially for healthcare organizations. Successful attacks can jeopardize not only patient data but also patient care, leading to cancellations and disruptions in

The post How susceptible are hospital employees to phishing attacks? appeared first on The Cyber Security Place.

Clinic hit by ransomware recovers in hours thanks to solid incident response plan

Maffi Clinics, a chain of plastic surgery clinics in the United States, is notifying patients about a ransomware incident that briefly affected its systems. Unlike most cases involving ransomware, though, this one didn’t leave a scar, illustrating the power of strong security protocols.

According to the breach notice, Maffi encountered “unusual activity” on one of its servers in September last year. The chain immediately activated its incident response plan and shut down its systems to eliminate the chance of any malware spreading further. As it turned out, the administrators’ hunch was correct: the clinic had just received a dose of ransomware.

“We immediately instituted our security breach protocols which involved shutting down all of our computers and servers,” the firm said. “Within hours of discovering the activity, an independent IT consulting firm was onsite at Maffi Clinics and determined that an unidentified source had gained remote access to our server and installed ransomware.”

Within about five hours, the incident was contained and all data was restored. In other words, the clinic denied the attackers the ransom and escaped unscathed. The clinic nonetheless emailed all patients whose information was subjected to the attack out of an abundance of caution. Under the Health Insurance Portability and Accountability Act (HIPAA), Maffi fulfilled its legal obligation to acknowledge the breach, and notified the US Department of Health and Human Services (HHS).

The same notice reveals that Maffi has since implemented and continually evaluated additional safeguards to prevent a similar incident in the future. Nevertheless, the clinic advises patients to keep an eye on their bank accounts for any signs of identity theft, just in case.

“If you detect any suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained,” the breach notice adds. “You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.”

Income, tax and immigration data stolen in breach

The Centers for Medicare and Medicaid Services (CMS) now has details about the data stolen in the breach that occurred last month. According to the government agency, a significant amount of personal information, including partial Social Security numbers, tax information, and immigration status, was compromised in the breach. No financial information was stolen.

Via: TechCrunch

Source: Centers for Medicare and Medicaid Services