Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, September 29, 2021

We Need To Do A Great Deal More To Prevent Phishing And Ransomware Attacks.

This appeared last week and it was a really good summary of what to do about minimising the risks and damage from malevolent e-mail.

4 Ways Organizations Can Prevent Healthcare Phishing Attacks

Healthcare phishing attacks are an easy way for cybercriminals to take advantage of organizations but implementing certain safeguards can protect patients, providers, and health systems.

By Jill McKeon

September 24, 2021 - With one wrong click, a healthcare phishing attack can take down entire networks, encrypt files, and put patient data in jeopardy. The smartest attackers take advantage of victims by claiming to be a colleague, business associate, or other trusted source, and using social engineering to obtain information.

The National Institute of Standards and Technology (NIST) defines phishing as “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”

Bad actors are increasingly targeting the healthcare sector with these schemes and successfully obtaining information and distributing malware via email. In April 2021, the Health Sector Cybersecurity Coordination Center (HC3) released an alert warning the healthcare sector of the increasing prevalence of phishing campaigns.

Phishing scams have claimed hundreds of thousands of medical records, patient financial information, and other personally identifiable information (PII) across the healthcare sector.

In addition to causing care disruptions and posing risks to patient privacy, phishing can decimate a health system’s bottom line. A 2021 report conducted by the Ponemon Institute on behalf of Proofpoint revealed that the average annual cost of recovering from a phishing attack has more than tripled since 2015, from $3.8 million to $14.8 million.

The best way to prevent your organization from becoming a victim of a healthcare phishing attack is to stay informed. Understanding what red flags to look for, properly educating employees on cyber hygiene, implementing technical safeguards, and keeping up with the latest sector threats will give healthcare organizations an edge over malicious hackers.

Identify Common Phishing Email Tricks and Tactics

The first step toward protecting an organization from phishing is understanding the attacker’s motives and tactics.

“In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems,” the Cybersecurity & Infrastructure Security Agency’s (CISA) website states.

“An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network.”

Phishing typically refers to attacks conducted through email, but bad actors can also use phones and social media platforms to target victims in a similar manner. Some attackers use vishing, which uses voice communications, or smishing, which uses SMS messages to orchestrate an attack.

Telltale signs of traditional email phishing attacks include suspicious sender email addresses, generic greetings (e.g., “Dear Valued Customer” or “Sir/Ma’am”), poor grammar and sentence structure, and suspicious attachments, CISA explains. The sender may try to imitate a legitimate business by using an email address that closely resembles a real business but omits a few characters.

Recipients should also be wary of any unsolicited email that asks them to download an attachment. Sometimes attackers will also spoof hyperlinks and websites in an attempt to trick the recipient into clicking on a suspicious URL.
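The indicators the article lists (a sender domain that resembles a real one but drops a character, a generic greeting, a hyperlink whose visible text shows a different host than its href, and a risky attachment type) can be checked mechanically as a first-pass triage before a human looks at the message. The Python below is an added example written for this post, not code from the HealthITSecurity article or from CISA; the trusted-domain list, the risky-extension list and the three sample messages are constructed for illustration.

```python
"""Heuristic phishing-indicator check over constructed sample emails (added example)."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List

# Assumed set of domains the organisation legitimately receives mail from (constructed).
TRUSTED_DOMAINS = {"examplehealth.org", "payroll-vendor.example"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/madam", "sir/ma'am", "dear user")
# Attachment types commonly used to carry macros or scripts (constructed list).
RISKY_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".html", ".lnk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain that omits or swaps one character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def url_host(url: str) -> str:
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def looks_like_host(s: str) -> bool:
    return re.fullmatch(r"[\w-]+(\.[\w-]+)+", s.strip()) is not None


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


@dataclass
class Email:
    sender: str
    subject: str
    body_html: str
    attachments: List[str] = field(default_factory=list)


def phishing_indicators(msg: Email) -> List[str]:
    """Return the red flags found in one message; an empty list means none were flagged."""
    flags = []
    dom = sender_domain(msg.sender)
    # Lookalike sender: within two edits of a trusted domain but not equal to it.
    if dom and dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < levenshtein(dom, trusted) <= 2:
                flags.append(f"sender domain '{dom}' resembles trusted '{trusted}'")
    # Generic greeting anywhere in the stripped text.
    text = re.sub(r"<[^>]+>", " ", msg.body_html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # Spoofed hyperlink: the visible text names one host, the href goes to another.
    parser = LinkExtractor()
    parser.feed(msg.body_html)
    for href, shown in parser.links:
        shown_host = url_host(shown) or (shown.strip().lower() if looks_like_host(shown) else "")
        if shown_host and shown_host != url_host(href):
            flags.append(f"link text '{shown}' points to '{url_host(href)}'")
    # Attachment types that can carry executable content.
    for name in msg.attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXTENSIONS):
            flags.append(f"suspicious attachment '{name}'")
    return flags


# Constructed sample messages: one lookalike-domain lure, one benign newsletter, one macro attachment.
SAMPLES = {
    "lookalike_portal": Email(
        sender="IT Support <helpdesk@exampleheath.org>", subject="Password expires today",
        body_html='<p>Dear Valued Customer,</p><p>Verify at '
                  '<a href="http://exampleheath.org/login">https://examplehealth.org/portal</a></p>'),
    "legit_newsletter": Email(
        sender="Comms <news@examplehealth.org>", subject="Staff newsletter",
        body_html='<p>Hi Dana,</p><p>This month: <a href="https://examplehealth.org/news">read more</a></p>',
        attachments=["newsletter.pdf"]),
    "invoice_macro": Email(
        sender="accounts@payroll-vendor.example", subject="Invoice attached",
        body_html="<p>Hi Dana, invoice attached.</p>", attachments=["invoice_0921.docm"]),
}


def scan_all() -> dict:
    return {name: phishing_indicators(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_all().items():
        print(name, "->", flags or ["no indicators"])
```

The lookalike message trips three checks at once (sender domain one edit away from a trusted one, generic greeting, link text that shows a trusted host while the href goes elsewhere), the newsletter trips none, and the vendor invoice is flagged only for its macro-enabled attachment. Heuristics like these produce a triage score, not a verdict: a message with zero flags still warrants the human checks the article describes, and the trusted-domain list has to be maintained.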

Threat actors also like to take advantage of holidays and crises to catch victims when they least expect it. HC3 warned organizations in December 2020 of the growing prevalence of COVID-19 vaccine-related phishing emails. The emails typically promised early access to the vaccine if the recipient was willing to pay or provide compromising information.

Bad actors often pretend to be a government agency, a recruiter offering the recipient a job, or a high-level executive at a big company. Phishing scams are often incredibly successful, as they only require one unsuspecting individual to click a link or download an attachment to infiltrate an organization’s system. If one employee takes the bait, healthcare providers and their patients may have to face the consequences.

Any organization’s leadership team must understand the basic indicators of phishing in order to teach employees, implement preventive cybersecurity measures, and mitigate risk.

Invest in Regular Employee Cybersecurity Training

Under the HIPAA Privacy Rule, covered entities are required to implement a security awareness training program for all members of the workforce. However, research shows that healthcare lags behind other industries in terms of employee cybersecurity training, despite being a primary target for attackers.

Lots more here:

https://healthitsecurity.com/news/4-ways-organizations-can-prevent-healthcare-phishing-attacks

As far as I am concerned – given the scale and level of damage that is resulting in the health sector – we need to treat the issue as a war and to aggressively plan how best to really reduce the damage. This article is a very good start but there really also needs to be action and funding around each of the suggestions to make a difference for the better.

Education, awareness, technology and common sense are the keys to controlling this scourge and depriving the criminals of the revenue they need to keep being such a nuisance.

Well worth a read!

David.
