Hackers have evolved with healthcare. In the “early days” of healthcare technology, hospitals focused on physical security (protecting the computers and having backups). Then, the focus shifted to safeguarding patient and proprietary information within the cloud (like access management). Now, data protection in healthcare has become just as complicated as medical technology has become sophisticated – yes, you can hack somebody’s pacemaker or shut down a hospital’s ICU system with a single email. So while something like a malware-infested email seems very “back to the basics,” fighting the threat is not. In short, while the threat surface to hospitals has expanded – as it has with every industry that now runs off IoT – one particular threat is unrelenting: phishing.
In most attacks, the entry point required only a small number of employees to be compromised for the attacker to gain a foothold into the targeted organization. From there, an attacker can monitor activity and proliferate their presence within the network.
The damage is significant – starting with material impact to brand perception and customer trust, the loss of which is real and recognized, but difficult to quantify. This is compounded by real costs; finding and purging your organization of the threat, employee training (or re-training to remain vigilant against phishing attacks), ransomware-related payments, and loss of productivity.
Then there are the fines. Premera will have to pay over $10M as their breach triggered HIPAA violations that need to be resolved.
To tackle this problem, healthcare providers need a new strategy, because daily headlines reminds us that the current one isn’t working. To improve data protection, it’s important to understand why the healthcare industry is so particularly vulnerable to phishing attacks.
1. Reliance on Microsoft-based and legacy systems: Unlike many other segments, healthcare tends to have a much more Microsoft-heavy infrastructure. This is driven in part by the fact that many of the medical systems and hardware that are part of the core operations of a healthcare system are tied to Microsoft technology. Microsoft, due to its massive installed base, has always been a popular target for hackers. (The US Cyber Command recently issued a warning regarding an Outlook vulnerability that hackers are exploiting to deploy malware onto to the workstations of unsuspecting users.).
The shift that needs to happen isn’t just a matter of IT swapping an Operating System, it’s a cultural one unique to healthcare. Last year The New Yorkerreported on doctors’ inherent resistance toward integrating more screen time into their profession. From fear of being replaced to concerns around preserving the patient-doctor relationship, healthcare systems face the challenge of changing their technical defense as well as employee hesitations.
2. Staff training: To properly train employees to recognize a phishing email, education has to go beyond the hospital IT staff. Additionally, a once-a-year information dump training isn’t effective anymore. As hackers improve on their tricks, any employee can fall victim to the newest tricks that developed since last year’s training. Healthcare staff tend to be highly mobile and reactive within their environment, making it a challenge to schedule training for non-core matters (like email security). Combined with the frenetic pace of their work, this makes them more likely to “engage” with an email (by clicking a link or downloading an attachment) without realizing the implication.
3. Valuable patient data: And of course, healthcare organizations hold a treasure trove of data that is alluring to an attacker – personal details, social security numbers, insurance and payment information, familial associations, and the like. These data sets are extremely useful for attackers to sell on the dark web and to use for perpetrating identity theft and fraud.
Many healthcare organizations are using little to no phishing defense, and the ones that are may not be using the tools that address these core issues that makes the industry so vulnerable to these attacks. Cybersecurity leaders in healthcare should shape their strategy to address these key reasons:
1. Modernize and use cross-platform solutions: Deploy a solution that can protect your users from phishing across a variety of platforms including web browsers, Microsoft Outlook, and mobile email apps like Gmail and Outlook. Combine this with a strategy to keep upgrading your end user infrastructure on an ongoing basis. Start by identifying your weakest links – the oldest and most vulnerable end-user computers – and create an operational budget to upgrade on a quarterly or bi-annual basis.
2. Train users in the teachable moment: Appreciating the many, high-stress demands on their time, take an approach that does incremental and contextual training within their normal email usage. In-person and video-based training fades with time. Instead, engage your users as they receive suspicious emails and highlight the aspects that make them dangerous – perhaps the sender is coming from a look-alike domain, or a shortened URL in the email actually takes the user to a dangerous site that will hijack their credentials. This approach has the dual benefit of being far less intrusive and far more effective, because it genuinely modifies user behavior over time.
3. Privacy-first: HIPAA puts important but challenging constraints on the tools that we can use in healthcare. Switch from caring about the contents of the email to its characteristics. Identify solutions that use meta-data and other non-intrusive approaches to identify and isolate bad emails without triggering privacy concerns and violations.
Unfortunately, healthcare has several key characteristics that make it a juicy target for bad actors – aging infrastructure, overclocked staff, and a treasure trove of PII / PHI. To provide an effective defense against phishing, these organizations need to understand the particular reasons why these are risk factors. Software alone won’t do it.