How Phishing Impacts Healthcare
It was a murky morning in mid-March 2020, at around 5 a.m. local time, when the public announcement system at Brno University Hospital in the Czech Republic started to repeat an unusual message: all personnel were asked to immediately shut down their computers as a cybersecurity measure. As if that weren't an unpleasant enough start to the day, the message was repeated every 30 minutes.
At around 8 a.m., there was another public announcement saying that all surgeries were cancelled due to a cyberattack. Soon after, teams from the Czech National Cybersecurity Center (NCSC), Czech Police and the hospital's IT staff joined forces to help recover the hospital's IT network.
Though dramatic, the incident is part of a common trend. Hackers are a resourceful bunch, and a period of crisis is fertile soil for their endeavours. Whether it is a geopolitical crisis or a pandemic, hackers take advantage of the moment when IT security staff may be putting out fires elsewhere.
Recent European Healthcare Security Breaches
The first half of 2020 saw the European healthcare sector fall victim to a number of similar cyberattacks:
- Paris’ AP-HP hospital, the largest hospital network in Europe, saw a failed cyberattack
- Hospitals in Spain were targeted with phishing emails intended to deploy Netwalker ransomware and lock down their systems
- More than 100 mailboxes belonging to National Health Service (NHS) workers in the UK were compromised in a cyberattack targeting patients' personal data
- Hammersmith Medicines Research (HMR), a UK medical research company, saw sensitive medical and personal information of over 2,300 former patients released on the internet after the company refused to pay a ransom
Hackers Have Healthcare on Their Radar
Why do sophisticated hackers target healthcare? One motivator is the data itself: medical records and health insurance information (such as insurance policy IDs) can be used to commit healthcare insurance fraud.
The continued digitalization of the sector seems to be a double-edged sword: technology continues to play a more important part in how healthcare organizations deliver patient care, conduct research or deliver education; however, the pace of digitalization has, in some cases, outstripped the speed of cybersecurity.
Healthcare's cybersecurity systems are in need of improvement. But how can a sector which doesn't have cybersecurity as a core business area effectively address this challenge? And where is the best place to start? Access controls? Endpoint protection? Training?
Some would recommend starting with what's considered the weakest security link in an organization: end users. After all, phishing is a social engineering method and, as such, it leverages end users to get access to devices and, eventually, networks.
Phishing Attacks: Hook, Line and Sinker
Many end users think they know how to recognize a phishing attack, from lookalike websites to advance-fee requests (often from faraway countries and boasting a number of spelling mistakes). Yet, according to the recently published Data Breach Investigations Report by Verizon, every fifth data breach involves phishing. The report points out "a substantial increase in the number of breaches and incidents reported."
“The number of confirmed data breaches increased from 304 in 2019 to 521 this year and phishing has played a significant role in this surge.” –Data Breach Report, Verizon, 2020
The success rate of phishing campaigns stems from their nature: a sense of urgency, a sense of familiarity, or both, which together give people a strong incentive to open malicious emails. All forms of phishing rely on familiarity or urgency or both: business email compromise or BEC (the hacker sends an email impersonating a senior company executive), email account compromise (a BEC attack sent from a legitimate account the attacker has taken over), clone phishing (an attack leveraging a genuine, previously sent email) and spear phishing (a highly targeted attack).
Phishing: Users Are the Weakest Link
Phishing is big business and easy money, especially phishing-as-a-service (PaaS), the hackers' version of software-as-a-service (SaaS). Timely payment of a monthly fee is all it takes for an aspiring hacker to get access to a service that does all the dirty work: there is no need to learn how to code, host fake websites or worry about selling the harvested data. Phishing-as-a-service removes the technical and logistical hurdles and opens phishing as an income stream for a wide group of people.
Credentials compromised via phishing can lead to data breaches. In fact, the Verizon 2019 Data Breach Investigations Report found that 80% of hacking-related breaches leveraged weak or stolen passwords. It isn't just susceptibility to phishing that makes end users the weakest security link: unintentionally, end users are often responsible for compromised credentials. Many do not keep to company policy, or simply reuse the same password out of convenience across a large pool of platforms with varying degrees of security, so a breach of the weakest of those platforms exposes the password they also use at work.
99.9% of Account Hacks Can Be Prevented With MFA
The good news is that multi-factor authentication (MFA) is an easy way for healthcare organizations to stop credentials stolen through phishing, or by any other means, from being used. ZDNet reports that 99.9% of account hacks can be prevented with MFA. By requiring another form of authentication, MFA can prevent a hacker from gaining full access to a network even if user credentials have been compromised. One caveat worth keeping in mind when choosing the second factor: a one-time code that the user types into a lookalike site can itself be captured and relayed by the attacker within its validity window, so the factor should be chosen with that in mind.
Duo protects clients' applications by using an additional form of validation, such as a phone or hardware token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with existing technology.
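To make the point above concrete, here is an added example (not Duo's code and not from the original article) of a login check that enforces an RFC 6238 time-based one-time password (TOTP) as a second factor. A phished password alone gets the attacker in only when MFA is off; with MFA enforced the same password yields a challenge the attacker cannot answer. The user record, the password, the PBKDF2 salt, the base32 TOTP seed and the fixed clock value are all constructed for the example; the user store and `login` function are hypothetical, not an API of any product.

```python
"""Added example (not Duo's code): a minimal login check that enforces an RFC 6238
TOTP second factor, showing why a phished password alone is not enough once MFA
is required.

Everything below is constructed for illustration: the user record, the password,
the PBKDF2 salt, the base32 TOTP seed and the fixed clock value."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

SALT = b"constructed-salt"                        # a real system uses a per-user random salt
ITERATIONS = 100_000
TOTP_SEED = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed seed shared with the authenticator app


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user store: one clinician whose password has been phished.
USERS: Dict[str, dict] = {
    "nurse.jones": {"pw_hash": hash_password("Winter2020!"), "totp_seed": TOTP_SEED},
}


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        hash_password(password)          # spend the same time for unknown users
        return False
    return hmac.compare_digest(hash_password(password), user["pw_hash"])


def verify_totp(username: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    user = USERS.get(username)
    if user is None or not (code.isdigit() and len(code) == 6):
        return False
    return any(hmac.compare_digest(totp(user["totp_seed"], now + d * 30), code)
               for d in range(-window, window + 1))


def login(username: str, password: str, code: Optional[str], now: int,
          mfa_required: bool = True) -> str:
    """Return 'granted', 'denied' or 'mfa_required'.

    With mfa_required=False a phished password is enough; with it set, the
    attacker also needs a code that only the enrolled authenticator can produce."""
    if not verify_password(username, password):
        return "denied"
    if not mfa_required:
        return "granted"
    if code is None:
        return "mfa_required"
    return "granted" if verify_totp(username, code, now) else "denied"


if __name__ == "__main__":
    NOW = 1_600_000_000   # fixed clock so the run is reproducible
    phished = ("nurse.jones", "Winter2020!")
    print("no MFA, phished password:   ", login(*phished, None, NOW, mfa_required=False))
    print("MFA on, phished password:   ", login(*phished, None, NOW))
    print("MFA on, guessed code 000000:", login(*phished, "000000", NOW))
    print("MFA on, real authenticator: ", login(*phished, totp(TOTP_SEED, NOW), NOW))
```

The drift window is the trade-off to watch: each extra step accepted on either side makes a captured code usable for longer, which is exactly what a real-time phishing relay needs. Keeping the window at one step, and preferring a factor bound to the site's origin where users can support it, limits that exposure.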
“Duo offers a very clean self-enrollment process and has a lot of pre-existing integrations with a variety of products we already use. We were able to quickly deploy the solution to our users and since haven’t seen any phishing attempts,” said Richard Bailey, vice president of IT Operations at Pruitt Health.
Similar to Pruitt Health, Marin General Hospital (MGH) also deployed Duo's MFA solution to protect against an increase in phishing. The hospital needed secure remote access for thousands of physicians, physician staff, partners and contractors, and to protect access to their email, VPN, EHR and more. They chose Duo because it was simple to deploy to so many users so quickly.
Device Trust for Contract Workers
But what about device trust? Devices pose risk too, particularly personal, contractor and partner devices, which are often outside the control of the IT department. Many of these are not enrolled in any device management solution such as EMM (enterprise mobility management) or MDM (mobile device management), yet require access to cloud applications such as Office 365, Workday or Salesforce.
Enforcing consistent security policies across managed devices, BYOD (bring your own devices) and third-party (contractor or partner) devices poses a significant challenge for healthcare security teams.
Sentara Healthcare addressed this challenge with Duo Access, which comes with the Device Insight application. It enabled Sentara to gather deep insight into the security posture of mobile devices: out-of-date operating systems, passcode and lock-screen settings, encryption and biometrics. By doing so, Sentara dramatically reduced the risk of a data breach caused by phishing and other malicious attacks.
Securing Remote Healthcare Worker Access
In the new world where remote working is the norm, many healthcare organizations need to secure remote access for their staff, from physicians and partners to contractors. This also means organizations must secure a wide pool of devices with varying degrees of cybersecurity measures in place: some devices reflect safe online habits, while others may have been compromised through unsafe web browsing, emailing or texting.
Gain Clear Visibility Into All Devices Accessing Your Network
Having control over which devices can access corporate applications is therefore extremely important. Duo's Device Health application helps organizations achieve this by blocking access attempts from devices that do not meet the device health checks previously stipulated by IT admins. With a few clicks, IT admins can identify end users who are using risky devices, for example those running out-of-date operating systems (OS), browsers, or Flash and Java versions.
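The posture checks described for Device Insight (out-of-date OS, passcode/lock screen, encryption) and the Device Health blocking policy above amount to a small rule evaluator. The following is an added example of such an evaluator, written for this page and not Duo's code: an admin-defined policy with minimum OS and browser versions, required encryption and screen lock, and a blocked-plugin list, applied to a constructed inventory of a managed laptop, a contractor laptop and a BYOD phone. The version thresholds, device records and the `Policy`/`Device` types are all illustrative assumptions, not Duo's defaults or data model.

```python
"""Added example (not Duo's code): a device-posture check of the kind a
device-health policy enforces before an access attempt is allowed. The policy
thresholds and the device inventory are constructed for illustration; in a real
deployment the attributes would be reported by an agent or an MDM."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.15.7' -> (10, 15, 7): compare numerically, so '10.9' < '10.15'."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Policy:
    min_os: Dict[str, str]                 # platform -> lowest allowed OS version
    min_browser: Dict[str, str]            # browser -> lowest allowed version
    require_encryption: bool = True
    require_screen_lock: bool = True
    blocked_plugins: Tuple[str, ...] = ("flash", "java")


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    browser: str
    browser_version: str
    disk_encrypted: bool
    screen_lock: bool
    plugins: List[str] = field(default_factory=list)


def evaluate(device: Device, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is reported, so the user
    can be told exactly what to fix rather than just 'blocked'."""
    reasons: List[str] = []
    min_os = policy.min_os.get(device.platform)
    if min_os is None:
        reasons.append(f"platform '{device.platform}' is not permitted")
    elif parse_version(device.os_version) < parse_version(min_os):
        reasons.append(f"{device.platform} {device.os_version} is below minimum {min_os}")
    min_browser = policy.min_browser.get(device.browser)
    if min_browser is None:
        reasons.append(f"browser '{device.browser}' is not permitted")
    elif parse_version(device.browser_version) < parse_version(min_browser):
        reasons.append(f"{device.browser} {device.browser_version} is below minimum {min_browser}")
    if policy.require_encryption and not device.disk_encrypted:
        reasons.append("disk is not encrypted")
    if policy.require_screen_lock and not device.screen_lock:
        reasons.append("no passcode/screen lock")
    for plugin in device.plugins:
        if plugin.lower() in policy.blocked_plugins:
            reasons.append(f"blocked plugin installed: {plugin}")
    return (not reasons, reasons)


# Constructed policy: the version numbers are illustrative, not Duo's defaults.
POLICY = Policy(
    min_os={"macos": "10.14.0", "windows": "10.0.18363", "ios": "13.0", "android": "9.0"},
    min_browser={"chrome": "83.0", "firefox": "77.0", "safari": "13.1", "edge": "83.0"},
)

# Constructed inventory: a managed laptop, a contractor's laptop and a BYOD phone.
DEVICES = [
    Device("hospital-laptop-01", "macos", "10.15.7", "chrome", "84.0", True, True),
    Device("contractor-laptop", "windows", "10.0.17134", "chrome", "72.0", False, True, ["Flash"]),
    Device("byod-phone", "ios", "13.5", "safari", "13.1", True, False),
]


def audit(devices: List[Device], policy: Policy) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate every device and return name -> (allowed, reasons)."""
    return {d.name: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for name, (allowed, reasons) in audit(DEVICES, POLICY).items():
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'}", *reasons, sep="\n    ")
```

Two details matter in practice: version strings must be compared numerically (a string comparison would rank "10.9" above "10.15"), and the evaluator should collect every failed check rather than stop at the first, since the contractor laptop above fails four checks and the user needs the full list to get back to compliant.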
As many industry professionals have pointed out, phishing is not going away. As phishing and spear-phishing campaigns become more sophisticated, it pays to be proactive and protect your organization against phishing attacks.
Recent cyberattacks have prompted the healthcare sector to review its ability to predict, prevent and respond to cyber threats. Bearing in mind that the weakest security link in an organization is its end users, many healthcare organizations have been investing in cybersecurity education as well as evaluating suitable technology to combat increasingly sophisticated social engineering techniques such as phishing. Many, including Pruitt Health and Marin General Hospital (MGH), have deployed an MFA solution to help defend against and ultimately reduce attacks that bypass traditional security measures (such as firewalls), protecting both the perimeter of their network and the inside.
Sign up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.
Then check out our Device Trust webinar.