A growing body of evidence suggests employees throughout the healthcare sector may be uniquely vulnerable to phishing attacks. If finding itself a growing target for cybercriminals weren’t bad enough, the industry is also seeing associated lawsuits piling up.
Montana-based Kalispell Regional Healthcare was recently hit with a suit after it disclosed that multiple employees had fallen victim to phishing attacks that led to the breached data of more than 140,000 patients over a three-month period.
This comes on top of a class-action lawsuit recently filed against Massachusetts-based Baystate Health after it was hit by a phishing-related data breach, and a $7.5 million settlement from UCLA Health over a breach first disclosed in 2015.
Unfortunately, these are hardly isolated events. In fact, they may be symptomatic of a growing problem throughout the entire healthcare sector.
A Phishing Epidemic
The $1.2 trillion pharmaceutical industry now ranks among those hardest hit by email attacks. And it's easy to see why. Cybercriminals can use lateral phishing attacks to steal IP on research and medicines worth billions. And health insurers are barraged with attacks seeking to steal valuable patient data. Everyone is vulnerable, but it's overworked hospital staff that may be most at risk. In a major study from Brigham and Women's Hospital in Boston, employees at six geographically dispersed US healthcare institutions clicked 14.2% of the 2.9 million phishing emails launched over a six-year period from August 2011 through April 2018. In all, employees clicked on 1 out of every 7 phishing emails.
If representative of the industry, the research could help explain the plague of data breaches afflicting this industry. In 2019, more than 40 million patient healthcare records were breached—up 100% in just one year.
According to HIPAA, 60% of healthcare industry data breaches involve phishing or other email attacks. And a recent survey from the Healthcare Information and Management Systems Society finds that it's even worse for hospitals specifically, where phishing plays a role in 69% of all breaches.
The price tag can be steep. According to Ponemon Institute, costs associated with a data breach in the US healthcare sector average more than $13 million per incident—roughly 60% more than the global average across all industries. And that's before any regulatory fines or possible civil or criminal penalties.
So what makes healthcare employees so susceptible to phishing attacks? There are at least three key drivers.
#1 Rapidly Escalating Attack Volumes
Ransomware delivered through phishing emails has grown 109% since 2017, according to industry observers. More than 765 healthcare providers fell victim to these attacks in 2019, with payments averaging more than $41,000.
But the threat landscape is quickly changing. Phishing attempts that successfully bypassed security by foregoing malware or malicious links increased by 25% in the first six months of 2019, according to HealthITSecurity.com.
The primary targets in these attacks are medical records, which rank among the most prized by identity thieves because they can include names, addresses, birthdates, Social Security numbers, and more. On the dark web, full medical files can command as much as $1,000 each—by far more than any other form of identity information.
To put that in perspective, a Chinese hacker indicted for a phishing attack-enabled data breach at Anthem Blue Cross got away with as many as 80 million patient medical records—a cache that's potentially worth billions.
#2 Increasingly Sophisticated Social Engineering Tactics
By mining contact databases, company websites, LinkedIn profiles, and more, cybercriminal organizations can now produce highly personalized emails designed to induce stress, pique curiosity, or appeal to personal vanity.
The idea: Throw a harried, overworked nurse, a back-office accountant, or a distracted senior health system executive off-kilter just long enough to get them to reveal their login credentials.
Busy employees rushing between patients or meetings may check email on their mobile phones and respond to a malicious message without thinking to verify its legitimacy. According to Verizon's 2019 Data Breach Investigations Report, 25% of healthcare organizations suffered a mobile-related breach in the past year, with 67% characterized as "major."
#3 An Ever-Expanding Attack Surface
According to the Brigham researchers, one of the biggest factors in all of this is the fact that turnover at hospitals is very high, with a constant influx of new employees. This not only creates a continuous stream of newly susceptible employees, but it further blunts the efficacy of phishing awareness training.
What's more, organizations in this sector rely heavily on a wide range of suppliers to deliver services. Increasingly, hackers are hijacking vendors' email accounts in order to launch phishing attacks against their customers. When those pirated accounts belong to employees within the accounting department, they're often used to launch invoice scams that can cost those customers millions.
Rx for the Ailing Inbox
To combat this growing contagion, healthcare industry organizations will need to take a multi-faceted approach to bolstering their immunity against non-stop email attacks.
Phishing awareness training will need to be reinvented sector-wide, especially for environments with rapid employee turnover. Basic security controls must be recalibrated to better detect ransomware and malicious links. And modern phishing defenses will be needed to ferret out the most dangerous, socially engineered email attacks, including those launched from compromised email accounts.
The faster organizations, and the entire industry, can stomp out costly phishing attacks, the sooner their patients, and the rest of us, can breathe easier.