If you could implement one priority today, it should be cybersecurity training to help staff learn how to recognize and avoid phishing attacks. Phishing is still the number one method used by cyber criminals to break into healthcare networks. It doesn’t have to be number one – it can be fought with awareness.
Phishing is a cybercrime in which scammers disguise themselves as a trustworthy source to lure out information or get a response. Phishers reach victims on multiple platforms (phones, tablets, laptops and desktop computers) through email, text and social media. Most phishing attacks still come through email, but phishing through text messaging is growing.
In healthcare the payoff for criminals is twofold: if they can shut down a healthcare network and steal protected health information (PHI), they might demand a ransomware payment to return the data or unlock access; they can also sell PHI on the dark web. PHI is much more valuable than credit card or Social Security numbers because it can be used to commit Medicare and insurance fraud or obtain prescription drugs.
How Phishing Works
Savvy criminals use social engineering to trick unsuspecting victims into responding, clicking on a link, or opening an attachment. The phishing message looks real, maybe from a known brand, but it’s fake.
- The social engineering happens when the phisher decides who their targeted victims will be and creates strategies to collect information they can use to attack.
- Next, the phisher will create fake emails, texts or phony web pages to send messages that lure data from their victims.
- They often impersonate a known brand, like a bank, social media company or a government agency.
- They often use emotion, fear tactics, or a sense of urgency to convince users to click, open or respond.
- The messages appear trustworthy but if the recipient responds, the attack begins.
- Attacks can steal huge volumes of data and make it inaccessible to the organization attacked.
- Attacks can result in ransomware with a demand for payment; the stolen PHI may be sold on the dark web, or used to commit insurance fraud or obtain prescriptions.
Phishing takes lots of different forms. Some phishers ask the victim to enter data into a form, others to click on a hyperlink within the email. Others suggest the user open an attachment. Sometimes the ‘click’ or the ‘open’ is the only step needed to send malware into the recipient’s network.
When PHI is accessed, the HIPAA Breach Notification rule is triggered. An unauthorized disclosure of PHI to criminal hackers is presumed to be a breach that must be reported to the U.S. Department of Health and Human Services.
Phishing Trends from 2021
- Financial services is the most impersonated industry. Chase, PayPal, and Wells Fargo join the list of the most impersonated financial services brands.
- Facebook dominated all other social media brands on the Phishers’ Favorites list. Other social media brands include WhatsApp (#4) and LinkedIn (#17). Despite other social media brands lagging behind Facebook on the list, social media brands overall represented 24% of all phishing pages, compared to 13% in 2020.
- Microsoft is the most impersonated cloud brand and the top corporate brand in phishing attacks.
Other popular brands impersonated by criminal hackers included Comcast, PayPal, Amazon, Netflix, Adobe, DHL, Apple and Yahoo, among others.
Another trend reported by Vade, and by Proofpoint, another cybersecurity consulting firm, is that phishers use current events to heighten emotion and grab attention. For more than two years now, the pandemic has provided images, keywords and a sense of urgency to invite a response or clicks. There have been numerous phishing attacks that “spoof” agencies, like the CDC or the World Health Organization (WHO), promising help, funding or vaccine information, as long as the email recipient replied or clicked to open an attachment. The federal government’s promise of stimulus funds also gave phishers topics to trick users into entering credentials or opening links.
HIPAA Training Fights Phishing
Because phishing preys on people, not machines, people need help to arm themselves with defenses. An annual HIPAA risk analysis and regular cybersecurity training are essential.
Tips from the Cybersecurity and Infrastructure Security Agency (CISA) include:
- Play hard to get with strangers. If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments found in that email. Be cautious of generic greetings such as “Hello Bank Customer,” as these are often signs of phishing attempts.
- Think before you act. Be wary of communications that implore you to act immediately. Close and delete the email, or shut down the URL demanding fast action.
- Protect your personal information. Phishers gather personal information about individuals from public places, like social media sites. They can use the information to trick you into thinking you know them.
- Be wary of hyperlinks. Avoid clicking on hyperlinks in emails and hover over links to verify authenticity. Also ensure that URLs begin with “https.” The “s” indicates encryption is enabled to protect users’ information.
- Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you.
- Shake up your password protocol. According to National Institute of Standards and Technology (NIST) guidance, you should consider using the longest password or passphrase permissible. Or use a password manager.
- Install and update anti-virus software. Make sure all of your computers, Internet of Things devices, phones, and tablets are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.
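The "hover over links" check from the hyperlink tip above can also be run automatically on an HTML email body. The following is an added example, not part of the original article or of CISA's guidance: it flags links that are not https and links whose visible text shows one hostname while the href points to another. The sample message and all hostnames in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not taken from a real message).
SAMPLE_HTML = """
<p>Hello Bank Customer, your account is locked. Act now:</p>
<a href="http://login.example-secure.test/verify">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">PayPal help centre</a>
<a href="http://intranet.example.test/policy">Read the policy</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain, or '' if none."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "//" + value                # let urlparse treat it as a host
    return (urlparse(value).hostname or "").lower()

def check_links(html):
    """Return (href, visible_text, findings) for each link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        findings = []
        if urlparse(href).scheme.lower() != "https":
            findings.append("not-https")
        # Does the visible text itself look like a URL or domain name?
        shown = text.split()[0] if text else ""
        is_url = re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", shown, re.I)
        if is_url and host_of(shown) != host_of(href):
            findings.append("text-host-mismatch")
        report.append((href, text, findings))
    return report
```

An empty findings list only means these two checks found nothing; it does not establish that the destination is legitimate.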
HIPAA Risk Analysis and Risk Management help fight phishing by uncovering risks and threats. The Security Rule Checklist will reveal where access management, password protection and training need to be revised or strengthened. A culture of compliance among a team of confident and trained staff is your best and strongest defense against cybercrime.