Surely we still cannot be falling victim to phishing emails! If you look at the latest breaches in the health care industry, you will quickly see that this is exactly what is happening. In the aftermath, most of these breaches are described as "sophisticated attacks," but we can't possibly be categorizing phishing as "sophisticated" now, right?
Anatomy of a Phishing Attack
Before we delve into the details of these breaches, let’s first discuss how a basic phishing attack works.
Step 1: An attacker sends a generic email to a broad audience (phishing) or a tailored email to a specific target group (spear phishing). The email appears to originate from a trusted source, typically by forging the display name or using a look-alike sender domain. The recipient is enticed either to click a link (or open an attachment) that downloads malicious software, or to click a link that leads to another web site. In the first scenario, the user installs malware, often a credential stealer such as a keylogger, which captures the user's keystrokes, harvests passwords and sends them back to the attacker. In the second scenario, the user lands on a web site disguised as a familiar one, such as an email or online banking login page, and is tricked into entering passwords or other sensitive information.
Step 2: The attacker now holds your credentials and can access the system as you. That may be something as simple as your email account or as valuable as your corporate network. If you reuse the same password across several systems, as many people do, the attacker gains access to those systems as well.
Step 3: The attacker can now export data from every system they can reach, and can impersonate you to perform actions on your behalf, for example sending further phishing emails from your mailbox to your contacts.
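The two lures in Step 1, a sender that only looks trusted and a link whose visible text does not match its real destination, are both mechanically checkable before a user ever clicks. The script below is an added example written for this article, not code from the original post or from any of the organizations it discusses. The sample messages, the `acmehealth.example` domain and the helper names are constructed for illustration; it parses a raw email with Python's standard `email` library, compares the From address and Return-Path domains, and walks every `<a>` tag in the HTML body to flag anchors whose visible URL and `href` point at different domains or whose host merely embeds the trusted domain as a look-alike.

```python
"""Flag the phishing lures described in Step 1 of the article.

Added example; the messages below are constructed, not from any real incident.
"""
import email
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name and visible link text claim one domain,
# while the real sender address and the href point somewhere else.
SAMPLE_EML = """\
From: "Acme Health IT Support" <helpdesk@acme-health-support.example>
Return-Path: <bounce@mailer.example>
To: nurse@acmehealth.example
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox password expires today. Sign in to keep access:</p>
<p><a href="http://acmehealth.example.login-verify.example/owa">https://mail.acmehealth.example/owa</a></p>
<p><a href="https://acmehealth.example/help">https://acmehealth.example/help</a></p>
</body></html>
"""

# Constructed benign message from the same (assumed) organisation, for contrast.
BENIGN_EML = """\
From: "Acme Health IT Support" <helpdesk@acmehealth.example>
Return-Path: <helpdesk@acmehealth.example>
To: nurse@acmehealth.example
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Webmail will be down tonight. Status page:
<a href="https://status.acmehealth.example/">https://status.acmehealth.example/</a></p></body></html>
"""

TRUSTED_DOMAIN = "acmehealth.example"  # assumed: the organisation the mail claims to be from


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain approximation: the last two labels.
    A production check would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname of a URL, or of bare text that looks like a host."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def looks_like_url(text):
    return "." in text and " " not in text


def analyse(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []

    # Sender checks: the real address behind the display name, and the
    # envelope sender (Return-Path) versus the From header.
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])
    if from_domain != trusted_domain:
        findings.append(f"sender-domain-mismatch:{from_domain}")
    _, return_path = email.utils.parseaddr(msg.get("Return-Path", ""))
    if return_path:
        rp_domain = registrable_domain(return_path.rpartition("@")[2])
        if rp_domain != from_domain:
            findings.append(f"envelope-sender-mismatch:{rp_domain}")

    # Link checks: visible text versus href, and look-alike hosts that
    # embed the trusted domain as a subdomain of somewhere else.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)
        if looks_like_url(text) and registrable_domain(host_of(text)) != href_domain:
            findings.append(f"link-text-mismatch:{href_domain}")
        if href_domain != trusted_domain and trusted_domain in href_host:
            findings.append(f"lookalike-host:{href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, analyse(raw))
```

Each finding is a signal rather than proof: a Return-Path on a different domain is normal for legitimate bulk mailers, and the two-label domain heuristic misjudges registries such as `co.uk`. The link-text mismatch and the embedded-trusted-domain host are the strongest indicators here because they reproduce exactly the disguise a phishing page relies on.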
For 2015, the list of health care breaches traced back to phishing includes Anthem, Premera Blue Cross, Saint Agnes Health Care Inc., Seton Healthcare Family, and Partners HealthCare. The number of patient records possibly compromised in each breach ranges from 3,300 to 78 million.
All of the organizations listed above fell victim to a phishing attack. Partners, Saint Agnes and Seton each had email accounts compromised after a phishing attempt captured employees' corporate email credentials, and the mailboxes of those accounts contained sensitive patient information. Why patient information was being sent via email is a conversation for another day, since today we are focusing on phishing. Anthem had the passwords of five tech workers compromised, and those credentials were then used to access the corporate network. Premera has not released exact details of its breach; however, it has been reported that a phishing attack was the catalyst.
Top 5 Lessons Learned
- Training – All employees need to be educated on what phishing looks like and what it puts at risk. Teach users not to click links in unexpected emails, and to use a different password for every system so that one stolen credential does not open several doors. Be sure to check out our IT Security Training programs and phishing tests here.
- Email is not secure – Email is not a secure method of transmitting sensitive information. Data at rest and data in transit are at risk of being accessed by unauthorized individuals. Not only do you have to be concerned about your email credentials being compromised and used, you also have to be concerned about copies of that email downloaded to desktops, laptops, home computers and mobile devices.
- Breach notification – Various laws and regulations require organizations to notify the affected individuals within a certain timeframe. Know the requirements your organization is required to follow.
- Increase email security – Multi-factor authentication on email is a growing trend, and it directly blunts the attack above: a stolen password alone is no longer enough to log in. Out-of-band authentication (for example a code sent to a separate device) is the usual second factor; restricting mailbox access to known IP address ranges is not a second factor but a useful complementary control.
- HIPAA compliance – Make sure you are compliant with HIPAA Privacy, Security and Breach Notification rules. Be sure to check out our HIPAA Compliance Reviews here.