Healthcare trails other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one, according to a report released Sept. 17 by Cofense.
The healthcare resiliency rate for the last 12 months was 1.49, compared with an average resiliency score of 1.79 for all industries examined by Cofense (formerly PhishMe).
By comparison, the energy sector had a resiliency rate of 4.01, the insurance industry had a rate of 3.03, and financial services had a rate of 2.52. The data is based on phishing simulations that Cofense uses to test employees at customer organizations.
“One factor that surely inhibits the industry’s resiliency: high turnover. With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report commented.
The top five phishing scenarios that healthcare workers most frequently clicked on were Requested Invoice, Manager Evaluation, Package Delivery, Halloween eCard Alert, and Beneficiary Change.
“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report noted.
Unfortunately, phishing has become the preferred method for hackers to get access to healthcare organizations to steal valuable medical data.
The 2018 Verizon Data Breach Investigations Report (DBIR) found that phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon, with email being the main entry point (96%).
Phishing is also a way attackers deploy ransomware, which has devastated the healthcare industry over the last couple of years. The Verizon report found that ransomware accounts for 85 percent of the malware in healthcare.
In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine.
It only takes one person to fall for the bait for an entire organization to be infiltrated.
According to an American Medical Association and Accenture survey of 1,300 US physicians, 83 percent of respondents had experienced a cyberattack and more than half of those said the attack came in the form of a phishing email.
Nearly two-thirds of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.
More than half of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or impact patient safety (53%).
Data from Wombat Security’s learning management system revealed that the healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.
The Wombat learning management system includes questions about avoiding ransomware attacks and identifying phishing threats, two topics dear to the heart of healthcare CISOs.
Alan Levine, a cybersecurity advisor to Wombat Security, told HealthITSecurity.com: “If an email purports to come from a person who seems to be an authority, then it is very likely that people who receive the email will not look for the specific things that may indicate that there is a potential risk with the email and will instead be more interested in promptly reacting to it.”
The primary purpose of a phishing attack is to gain a foothold inside the organization by infecting a computer or other endpoint.
“Then an attacker will use that individual platform that he now controls to do a variety of things,” Levine said. “He wants to move from PC to PC, within a subnet, and laterally across subnets in order to compromise or control as many other devices as possible. Now he has a base of operations.”
“By collecting information from an individual compromised asset,” he continued, “an attacker learns a great deal about the institution itself in which that compromised machine now operates. Maybe he gets a copy of the GAL, which is the global address list. Now he’s got a lot more email addresses he can send phishes to.”
To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.