Healthcare cybersecurity is one of the main concerns for healthcare providers nowadays. According to a survey conducted by Arlington Research and commissioned by Kaspersky, 52% of surveyed telehealth practitioners reported that clients declined to participate in telehealth appointments because they did not trust telehealth cybersecurity. A third of those surveyed indicated that physicians had had their patients’ data compromised while performing remote telehealth sessions. Furthermore, 32% of respondents felt that third-party vendor vulnerabilities caused cybersecurity challenges and made their organization prone to phishing attacks.
What is a Phishing Attack?
A healthcare phishing attack (otherwise known as a phishing scam) can bring entire networks down, encrypt files, and compromise patient information with just one wrong click. The National Institute of Standards and Technology (NIST) defines phishing as “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”
Healthcare Cybersecurity: Financial Effects of Phishing Attacks
Phishing scams in the healthcare industry have resulted in the theft of thousands of medical records, patient financial information, and other personally identifiable information (PII). Phishing can wreak havoc on a health system’s bottom line while disrupting care and jeopardizing patients’ privacy. According to a 2021 report conducted by Proofpoint, the average annual cost of recovering from a phishing attack has tripled since 2015, from $3.8 million to $14.8 million.
Phishing Scams Prevention
Phishing scam prevention is becoming increasingly important as more malicious actors use online scams to steal personal information. Staying informed is the most effective way to avoid becoming victims of a healthcare phishing attack. Understanding what potential problems to look for, properly educating employees on cyber hygiene, incorporating technical safeguards, and staying up to date on sector threats will give healthcare organizations a competitive advantage over cyber criminals. Here’s how healthcare organizations can take action to reduce their vulnerability to phishing attacks.
Recognize Common Phishing Emails Techniques and Strategies
Phishing typically refers to email-based attacks, but malicious actors can also target victims via phone calls and social media platforms. Some attackers use vishing (voice calls) or smishing (SMS messages) to facilitate a cyber attack. Understanding the attacker’s motivations and tricks is the first step in protecting an organization from phishing.
Signs of Healthcare Phishing Emails
Typical email phishing attacks include suspicious sender email addresses, generic greetings, poor grammar and sentence structure, and suspicious attachments, according to the Cybersecurity & Infrastructure Security Agency (CISA). The sender may attempt to impersonate a legitimate business by using an email address that looks similar but is missing a few characters. Malicious actors frequently pose as a government agency, a recruiter offering the recipient a job, or a high-level executive at a big corporation. To trick the recipient into clicking on a suspicious URL, attackers will sometimes spoof hyperlinks and websites. According to NIST, spoofing refers to a bad actor impersonating the sender’s email address to deceive the recipient and access a secure network.
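One way a mail gateway or help desk can catch the “looks similar but is missing a few characters” sender addresses described above, as an added example that is not part of the original article: compare the sender’s domain against an allowlist of domains the organization actually trusts using edit distance. The trusted domains and sample addresses are constructed placeholders.

```python
import re

# Constructed allowlist of domains the organization legitimately receives mail from.
TRUSTED_DOMAINS = {"example-health.org", "telehealth-vendor.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact allowlisted domain, 'lookalike' when the domain is
    within max_distance edits of an allowlisted one (a likely impersonation),
    'unknown' otherwise."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: one dropped character turns a trusted domain into a lookalike.
    for sample in ("Billing <billing@example-helth.org>",
                   "info@example-health.org",
                   "noreply@randomshop.example"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

Lookalike hits are a triage signal, not proof of fraud; route them for review rather than silently dropping them.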
Healthcare Cybersecurity Training Programs
The HIPAA Privacy Rule requires covered entities to implement a security awareness training program for all employees. See TBHI’s previous article HIPAA Privacy Rule Overview for more information. Despite being a primary target for attackers, healthcare lags behind other industries regarding employee cyber security training. According to a survey conducted by KnowBe4, 24% of healthcare workers said their employer has never approached them about healthcare cybersecurity training. Only 22% of healthcare respondents felt comfortable informing senior management about the negative consequences of cybersecurity risks. According to the survey, employees who received security training more than once or twice a year were more knowledgeable about cyber threats, emphasizing the importance of investing in comprehensive and frequent cybersecurity training.
The “Phish Scale” was created by the NIST to aid organizations in implementing phishing awareness training programs. The Phish Scale took important features from existing phishing training exercises and created a rating system that allows users to see and detect whether a particular phishing email is more difficult or easier to fall for by its intended audience.
Healthcare organizations must provide employees with phishing and cyber hygiene training and resources to maintain institutional security. A strong phishing awareness program can save healthcare organizations millions of dollars while also protecting patient privacy in the long run.
Using Technical Safeguards Against Phishing Attacks
Technical controls can also help stop phishing attacks by preventing them from reaching their intended targets. HC3 recommends that healthcare organizations create a blocklist and block malicious domains to avoid access to risky websites. Security programs should include anti-spoofing technologies as well. As noted above, spoofing refers to a bad actor impersonating the sender’s email address to deceive the recipient and access a secure network.
Technical safeguards aren’t foolproof, but they can reduce risk and the chances of an impactful phishing attack. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are all anti-spoofing technologies. By authenticating email, these technologies can assist organizations in securing their systems.
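To make the SPF/DKIM/DMARC point concrete, here is an added example (not from the original article) that parses a DMARC DNS record, flags the monitor-only setting beside an enforcing one, and applies DMARC’s relaxed alignment check to SPF and DKIM results. The domains and records are constructed placeholders, and the organizational-domain helper is a deliberate simplification that ignores the public-suffix list.

```python
# Constructed sample records: the first only monitors, the second enforces rejection.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-health.org"
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-health.org; adkim=r; aspf=r"


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=...; ...' into a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record: str) -> list:
    """Return findings a defender would want to fix; empty list means no issue found."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC1 record")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append("pct<100 leaves a share of spoofed mail unfiltered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels (assumed simplification)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_passes(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> bool:
    """Relaxed alignment: SPF or DKIM must pass AND its authenticated domain must
    share the organizational domain of the visible From: header domain."""
    spf_ok = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    print("weak:", dmarc_weaknesses(WEAK_RECORD))
    print("strong:", dmarc_weaknesses(STRONG_RECORD))
    # An SPF pass for an unrelated domain does not align with a spoofed From: header.
    print(dmarc_passes("example-health.org", "pass", "unrelated.example", "fail", "unrelated.example"))
```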
Keep Updated with Healthcare Cybersecurity Guidelines
Emerging technologies have sparked recent excitement in the healthcare industry, but telehealth cybersecurity concerns have kept providers on the fence about incorporating them into their practices. Researchers advised healthcare organizations to concentrate on endpoint security, update the software regularly, have an email security solution, and engage all employees in cybersecurity training to reduce risk. NIST frequently issues best practices to assist organizations in preventing and responding to phishing and ransomware attacks. See TBHI’s previous article, NIST Cybersecurity Guidance Update for Clinical HIPAA Cybersecurity, for more information regarding healthcare cybersecurity guidelines.
Providers can avoid phishing attacks with proper user education and a secure, HIPAA-compliant hosting environment. Healthcare providers who take these diverse and assertive steps will find themselves well-prepared to prevent the devastating impacts of cyber attacks. As healthcare’s dependency on telehealth increases, the industry’s challenge is to strengthen the security of these networks to give safety and peace of mind to everyone concerned. See TBHI’s recent article How Healthcare Cybersecurity Is Changing In 2022 for other detailed suggestions.