Phishing is one of the leading causes of healthcare data breaches. Phishers are able to access healthcare data from email accounts. In many incidents, those email accounts contain considerable volumes of highly sensitive protected health information (PHI).
Augusta University Healthcare System reported a phishing attack in August 2018 that compromised a number of email accounts. The compromised email accounts contained the PHI of 417,000 patients. The incident stood out because of the large number of people affected by the breach, but it was not the only healthcare organization that fell victim to phishing attacks in August.
Data from the HHS' Office for Civil Rights shows that email is the most common location of PHI breaches. 14 out of 28 healthcare data breaches reported in July involved compromised email accounts. In May and June, 9 and 11 email breaches were reported, respectively. Just 6 of the breaches in July involved network servers, the next most common location of PHI breaches.
Cofense (formerly PhishMe), a company providing anti-phishing solutions, recently published an Industry Brief presenting the results of its study of phishing attacks in the healthcare industry. According to the report, 'Say "Ah!" – A Closer Look at Phishing in the Healthcare Industry', the healthcare industry is a favorite target of cybercriminals. The healthcare industry accounts for a third of all reported data breaches, which have resulted in the theft or exposure of more than 175 million healthcare records.
It is hardly surprising that hackers prefer to attack the healthcare sector, given the large volumes of highly valuable records that healthcare providers hold. Information such as health files, insurance details, Social Security numbers, contact details, birth dates and financial details can be readily sold to identity thieves and fraudsters. Furthermore, the healthcare industry spends less on cybersecurity than industries such as finance.
Cofense's data shows how poorly the healthcare industry fares in susceptibility and resiliency to phishing attacks compared to other industries. Cofense used a phishing simulation platform to measure the percentage of healthcare employees who were deceived by a simulated phishing email. Cofense calculated the resiliency rate as the ratio of users who reported a phishing attempt using the Cofense Reporter email add-on to those who did not.
The phishing susceptibility rate across all industries was 11.9%, and the resiliency rate was 1.79. The healthcare industry has a susceptibility rate of 12.4% and a resiliency rate of 1.34. The insurance industry and energy sector have resiliency rates of 3.03 and 4.01, respectively.
In recent years, organizations have increased their cybersecurity and risk management budgets. Implementing anti-phishing solutions has helped, but considerable improvement is still necessary.
Cofense pointed out that the phishing email simulations indicate that healthcare employees are victimized through a mix of social and business-themed emails. Healthcare employees are frequently tricked by emails posing as invoice requests, package shipping notices, manager evaluations or a Halloween eCard alert. The click-through rate for these emails is above 21%.
According to Cofense Intelligence data, invoice-request lures are typically used to deliver ransomware. The email simulation results showed that 32.5% of healthcare personnel fell for these emails and only 7.2% reported them as suspicious. The Cofense Brief also presented data on the phishing emails most often clicked on, along with advice that could help healthcare companies reduce their susceptibility to phishing attacks.