Phishing Attacks on the Healthcare Industry
By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
What is Phishing?
Phishing is the practice of impersonating a reputable company or colleague in order to trick a user into revealing personal or confidential information, which is then used for fraud or further intrusion. It is carried out through a deceptive email, a deceptive website, or, often, both. Spear phishing takes the manipulation a step further: the message is customized to appeal to, or target, a specific individual rather than being a broad, generic lure. The term ‘phish’, pronounced like fish, comes from the analogy of an angler casting a baited hook in the hope that an unsuspecting victim bites.
How Are Attacks Deployed?
Phishing attacks rely on deception: the sender masquerades as a trusted entity of some sort. This can be done in many ways, but the most common are email addresses or websites that are near copies of legitimate ones. For example, dropping a single letter so that danelle.smith@healthcare.com reads, at a glance, the same as danielle.smith@healthcare.com can lead to compromised credentials, ransomware being deployed, or funds being wired on what you assume is a legitimate directive. Fake websites are built to look identical to the real ones, and we react without verifying the sender or the site. Cybercriminals know that in our hurried workdays we are less likely to check and verify, and more likely to react and respond in order to move on to the next task.
Why It Matters – Especially in Healthcare
Healthcare is a target for cybercriminals. This bears repeating, because it cannot be emphasized enough. With that industrywide targeting comes increased risk, increased value placed on the data you protect, and an increasing variety of ways in which the attacks are carried out. As a healthcare employee, you must protect your own information for your own sake, but also for the sake of your patients and the protected health information (PHI) that your credentials can reach. Gaining entry to one of your social media accounts could lead to access to a work account holding information that HIPAA requires a covered entity to protect. The link may not seem direct, but there is very likely a file on the Dark Web containing your credentials, and it keeps growing as more information about you and your accounts is added. Reusing passwords, or taking social media quizzes that seem like innocent fun, can supply the answers to security questions and lead to a breach or to more precisely targeted phishing attacks. As an individual you may feel that “you don’t have anything worth stealing,” but as a healthcare employee you hold a key to a kingdom of patient data. Your individual actions affect a much larger group.
How to Protect Your Business and Self from Phishing
It is easy to say “slow down and verify before you act,” but the reality of a busy day does not always allow it. Still, pausing to hover over a link to see where it actually leads, following up on requests that seem out of the ordinary through a channel you already trust (a phone call or a walk down the hall rather than a reply to the same email), and confirming that you are responding to the correct email address are all ways to defeat phishing scams. The SLAM method is a memory aid for this: check the SENDER closely, hover over LINKS before clicking, do not open ATTACHMENTS without verifying them, and read the MESSAGE for misspellings, undue urgency, or otherwise suspicious language.
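Each of the SLAM checks above, and the one-letter lookalike sender described earlier, can be expressed as a rule a mail filter or a help-desk triage script would apply. The Python below is an added example written for this page; it is not code from the article or from HIPAA Secure Now!, and the trusted address list, the sample email, the risky-extension list and the pressure-word list are all constructed for the demonstration and would be replaced by an organisation's own data.

```python
"""SLAM-style triage of a single e-mail: Sender, Links, Attachments, Message."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book of senders the organisation already trusts (assumption).
TRUSTED_SENDERS = {"danielle.smith@healthcare.com", "billing@healthcare.com"}
# Constructed list of attachment extensions that should never arrive unannounced.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso"}
# Constructed list of pressure words that phishing lures lean on.
URGENCY_WORDS = ("urgent", "immediately", "wire", "today", "verify your account")

# Constructed sample message: sender is one letter off a trusted address, the link's
# visible text names one domain while its href goes to another, and the attachment
# carries a double extension.
SAMPLE_EMAIL = """\
From: Danielle Smith <danelle.smith@healthcare.com>
To: payroll@healthcare.com
Subject: Urgent wire transfer needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm the invoice at
<a href="http://healthcare-portal.example.net/login">https://portal.healthcare.com</a>
and release the wire before 3pm.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

(binary payload omitted)
--b1--
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(from_header: str, trusted=TRUSTED_SENDERS, max_edits: int = 2):
    """SENDER: return the trusted address a near-miss sender imitates, else None."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in trusted:
        return None
    for known in trusted:
        if 0 < edit_distance(addr, known) <= max_edits:
            return known
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url: str) -> str:
    """Approximate registrable domain: the last two host labels. Fine for .com/.net;
    a production filter would consult the public suffix list instead."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html: str):
    """LINKS: anchors whose visible text names one domain but whose href goes elsewhere.
    This is what 'hover over the link' reveals to a human reader."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if re.match(r"^(https?://)?[\w.-]+\.\w+", text)
            and registered_domain(text) != registered_domain(href)]


def risky_attachments(msg):
    """ATTACHMENTS: filenames with an executable extension or a double extension."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS or lower.count(".") > 1:
            findings.append(name)
    return findings


def suspicious_message_text(text: str):
    """MESSAGE: pressure words found in the subject and body."""
    lower = text.lower()
    return [w for w in URGENCY_WORDS if w in lower]


def slam_check(raw_email: str) -> dict:
    """Run all four SLAM checks and return the findings keyed by letter."""
    msg = message_from_string(raw_email)
    body = "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                     for part in msg.walk() if part.get_content_type() == "text/html")
    return {
        "sender": lookalike_sender(msg.get("From", "")),
        "links": mismatched_links(body),
        "attachments": risky_attachments(msg),
        "message": suspicious_message_text(msg.get("Subject", "") + " " + body),
    }


if __name__ == "__main__":
    for key, value in slam_check(SAMPLE_EMAIL).items():
        print(f"{key:>11}: {value}")
```

Every one of the four checks fires on the constructed message, which is the point: a lure that passes a glance fails a few seconds of deliberate inspection. The edit-distance threshold and the pressure-word list are the knobs most likely to need tuning against real mail, and the two-label domain comparison is a deliberate simplification noted in the code.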
Stay aware. Your defensive tactics need to stay as up to date as those of the cybercriminal world, and that is not always easy.
This article was originally published on HIPAA Secure Now! and is republished here with permission.