The healthcare industry has become plagued by phish. According to the U.S. Department of Health and Human Services, in 2018 there were 366 healthcare data breaches, resulting in the exposure of over 13 million records. 2019 looks to be more of the same, with nearly half a million healthcare records breached in January and UConn Health experiencing a healthcare phishing scam in February that exposed more than 320,000 records. So why have phishers decided to target the healthcare industry, and what can be done to stop them?
Why Healthcare Phishing Scams are Common
While organizations of all sizes, across all industries, can be phishing targets, the healthcare industry is particularly vulnerable. Here are three reasons phishers go after the healthcare industry.
- Large amounts of valuable data
- Little to no IT investment or training
- A highly connected infrastructure
When a phisher is able to dupe someone into giving out a credit card number, the average profit is around $2K and the card quickly runs out of money or is cut off by the user. Compare that to a single medical record, which can earn a phisher an average of $20K on the black market. These records are worth a lot because they have multiple uses: billing fraud, medical identity theft, and buying drugs for resale. Criminal activity involving a healthcare record usually takes much longer to be discovered as well.
While healthcare is always interested in the latest technological advancements when it comes to medical devices and patient care, phishing prevention technology and training can fall by the wayside. In fact, the industry as a whole spends less than 3% of its profits on IT. With often-outdated hardware and software and a lack of employee training, phishers are more likely to be able to get their bogus emails into end-users mailboxes and con them out of information.
Healthcare organizations are constantly sharing information across departments utilizing a highly connected system. Medical phishing attacks that result in ransomware being unleashed, for example, can bring the entire organization to its knees because lives are at risk. Without access to patient files, which may include medical history, current medications, allergies, and even surgery directives, it can literally be a matter of life and death. Unlike businesses that may be able to afford being temporarily locked out of their data, most healthcare organizations cannot, and often have to pay up.
How To Protect Yourself from Healthcare Phishing Scams
There are a number of ways healthcare organizations can protect themselves. Healthcare phishing scam education and training is one way, however, this should never be a “one-and-done” session. This is because phishing tactics are always evolving and people need to be reminded frequently to be vigilant—otherwise, they may return to their old habits. Phishing simulations are another method, which boils down to phishing your own employees. If they take the bait, they can be educated as to what they did wrong (and reprimanded if it continues to happen). However, phishing simulations are not foolproof and can lead to resentment from employees.
The best way healthcare organizations can combat phishing is through an anti-phishing platform. A reliable anti-phishing solution uses the concept of a social graph to learn about employee email interactions, identifying which internal and external emails can be trusted—and which are likely to be a phish—over time. Clearedin is one such platform. It operates in the background so users don’t even think about it until they get phished. That’s when the solution red-flags the email. When the recipient of the phish opens it, issues within the email are highlighted to show why the email is suspect (and providing a “teachable moment”). Unless the recipient marks the email as safe, it cannot be replied to or forwarded, putting the phish on ice.
Do Anti-Phishing Solutions Compromise Healthcare Privacy?
One of the biggest problems with most email security solutions is that in order to determine if the email is a phish, it reads the content of the email. While most people won’t mind this if it’s simple spam, it poses a big problem and a HIPAA compliance issue when the email holds an electronic health record (EHR) file, which includes billing data, patient information, medical history, diagnoses, medication, allergies, radiology images, and lab test results.
Clearedin offers both security and privacy using an artificial intelligence-based analysis system that focuses on trust relationships inferred from the email’s metadata. Its phishing prevention techniques include building a trust graph with this information and assessing the patterns and frequency of sender and recipient communication to identify anything outside the norm, such as changes to an email address or URL.
Clearedin is your cure for phishing—and bad medicine for phishers. Contact us today to learn more about Clearnedin anti-phishing solutions for healthcare.
Protect Your Organization From BEC Phishing Attacks
Download our guide to learn everything you need to know about BEC attacks.