At the beginning of August, the BBC reported that a UK-based “prankster” had successfully spoofed the White House. Through spear phishing emails, this bad actor not only convinced a senior cyber security officer that he was the president’s son-in-law and senior advisor Jared Kushner, but also posed as former Chief of Staff Reince Priebus to draw then White House Communications Director Anthony Scaramucci into inflammatory email exchanges. After posting a few of those emails on Twitter, the culprit promised not to do it again and urged the current administration to “tighten up IT policy.” While the jokester later said his email spoofing had no harmful intent, the implications reach well beyond 1600 Pennsylvania Avenue.
Phishing is a widely used form of social engineering in which malicious ne’er-do-wells broadcast disguised emails to a large population in an attempt to steal sensitive information such as usernames, passwords, financial data and, yes, healthcare data. Although not widely recognized until 2005, phishing scams first appeared around 1995, and the term was coined in a Usenet group on January 2, 1996. When America Online (AOL) reigned as king of email communication, scammers regularly posed as banks and financial institutions, as well as PayPal and eBay. These fraudulent emails typically persuaded victims to open a malicious attachment or follow a link to a malicious web site.
Later, these phishing scams bred a more targeted variant called “spear phishing.” For this type of hoax, the attacker sends tailored emails designed to appear to come from someone the victim knows, such as a colleague, a manager or someone in the human resources department. These emails often carry subject lines or content that play on the victim’s known interests.
Is Healthcare a Spear Phishing Target?
Of the 377 healthcare data breaches recorded last year, the Identity Theft Resource Center (ITRC) and CyberScout report lists phishing among the leading causes; together with hacking and skimming, these three methods accounted for 55.5 percent of the breaches. Spear phishing also appears to be the scam most likely to target CEOs. From 2015 to 2016, breaches by these methods rose 17.7 percent. In the first part of 2017, phishing was used to gain access to UC Davis Health, Torrance Memorial Medical and Washington University School of Medicine, according to a Healthcare IT News piece titled “The biggest healthcare breaches of 2017 (so far).” This upward trend is unlikely to subside until an even more lucrative scam comes along. With the average cost of a healthcare data breach at about $380 per record, mitigating spear phishing remains top of mind for Datica and its customers.
Spear Phishing Recommendations
For insight into this latest trend, I reached out to Datica Security Engineer Brandon Maxwell. He attributed the increase in spear phishing to its high success rate, which makes it the number one delivery vehicle for ransomware and malware. “They don’t need complex methods of breaking through security walls when they can simply trick someone inside an organization to hand over what they want,” says Maxwell.
Datica, like every other healthcare IT organization, is also exposed to this type of attack. For example, one spear phishing attempt we recently blocked came from an imposter who spoofed one of our executives’ email addresses and used it to request a wire transfer from the finance department. Trained to spot such deceit, the department head alerted the appropriate person within Datica about the email and its request, and the scam was averted. Datica now uses this example to warn its own customers of such trickery.
Datica’s Director of Compliance Lori Meals touts four ways healthcare organizations can better protect themselves from such attacks. Her recommendations and thoughts, along with Maxwell’s, include:
Awareness, training and testing
All employees need to be made aware of what phishing is and the damage that can result from a successful attack. Maxwell outlines the steps he uses to inform Datica employees: “Sharing what a spear phishing email looks like, explaining how to evaluate such an email and then confirming that employees know to whom suspicious emails should be forwarded for evaluation are a strategic way to thwart outside intrusions that could breach an organization’s thickest walls.” Meals strongly encourages periodic testing of employees’ awareness by crafting internal spear phishing lures and distributing them to staff. However, she cautions against testing on predictable dates. “You don’t want to make testing so regular that on October 1st, every employee expects a fake spear phishing email,” says Meals.
Putting technical measures in place
Technical controls are the first line of defense against all phishing scams, catching the lures that training alone would miss. “When someone is trying to fake an email and send it to someone in your organization, you should have the technical measures in place that will flag that email as suspicious,” says Maxwell.
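As an added example (not Datica’s code and not part of the original post), the script below shows what “flag that email as suspicious” can look like at the mail gateway, applied to the executive wire-transfer spoof described above. It assumes the organization’s own domain is example.com, a small directory of protected executive display names, and that the receiving MTA has already stamped an Authentication-Results header with SPF, DKIM and DMARC verdicts (none of which the post names; they are the standard mechanisms for this check). The three sample messages are constructed for the example.

```python
"""Flag spoofed and look-alike senders on inbound mail (added example, not Datica's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from textwrap import dedent

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# assumption: display names worth protecting (executives, finance) and their real addresses
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

# Picks "spf=pass", "dkim=fail", "dmarc=none" out of an Authentication-Results header
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} as stamped by the receiving MTA."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def edit_distance(a, b):
    """Levenshtein distance; catches 'examp1e.com' impersonating 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def flag_message(raw):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    if from_domain == INTERNAL_DOMAIN:
        # Mail claiming to be from us must carry a DMARC pass from our own gateway;
        # a forged From: with a failing or absent verdict is the classic executive spoof.
        verdict = auth_results(msg).get("dmarc", "none")
        if verdict != "pass":
            findings.append(("dmarc-not-pass", f"From: {addr} but dmarc={verdict}"))
    else:
        # External sender borrowing a protected person's display name
        if name.strip().lower() in PROTECTED_NAMES:
            findings.append(("protected-name-external", f"'{name}' sent from {addr}"))
        # Domains one or two edits away from ours, or ours used as a leading label
        if (edit_distance(from_domain, INTERNAL_DOMAIN) <= 2
                or from_domain.startswith(INTERNAL_DOMAIN + ".")):
            findings.append(("lookalike-domain", from_domain))

    # Replies silently redirected to a different domain than the visible sender
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append(("reply-to-mismatch", f"Reply-To goes to {reply}"))
    return findings


# Constructed sample messages (not real traffic). The Authentication-Results line is
# what a receiving MTA would stamp after evaluating SPF, DKIM and DMARC.
SPOOFED_EXEC = dedent("""\
    Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail (p=reject) header.from=example.com
    From: "Jane Doe" <jane.doe@example.com>
    Reply-To: <jane.doe@attacker.example>
    To: finance@example.com
    Subject: Urgent wire transfer

    Please wire $48,000 to the vendor account below before noon.
    """)

LOOKALIKE_DOMAIN = dedent("""\
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
    From: "Jane Doe" <jane.doe@examp1e.com>
    To: finance@example.com
    Subject: Re: vendor payment

    Can you process this today? I am in meetings all afternoon.
    """)

LEGITIMATE = dedent("""\
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
    From: "Jane Doe" <jane.doe@example.com>
    To: finance@example.com
    Subject: Q3 budget review

    Draft attached for Thursday.
    """)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_EXEC), ("lookalike", LOOKALIKE_DOMAIN), ("legit", LEGITIMATE)]:
        print(label, flag_message(raw))
```

The first sample is the wire-transfer scenario: the attacker forges the executive’s real address, so the only evidence is the gateway’s failing DMARC verdict and a Reply-To pointing elsewhere. The second sample passes every authentication check, because the attacker owns examp1e.com and set it up properly; only the display-name and look-alike-domain checks catch it, which is why authentication alone is not a complete control.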
Measurement and management
Setting and tracking goals, then managing the remediation of any failures, is a critical part of any good compliance program. “Having zero percent of employees click on that test should be the organizational goal,” says Meals. “Anything less than a zero level goal would require remediation steps.”
These compliance concepts run parallel to those found in HITRUST. Datica joins an elite group of healthcare vendors in the United States to achieve HITRUST CSF Certification status and believes that this gold standard for healthcare data security is the best way to protect its customers.
Datica’s Customer Protections
Security and compliance are deeply woven into Datica’s company culture. If you have ever had to let go of an employee who had access to your environment on the Datica platform, you have encountered Datica’s billing-based method of double verification. The Datica engineering team works hand in hand with the billing department to quickly verify and make customer-requested access changes. Datica applies stringent identity proofing measures to protect its customers. These steps, combined with the recommendations above, better protect your organization against a spear phishing attack.