Email Security

    Healthcare phishing attacks are increasing disruption and financial loss for organizations and patients

    74% of healthcare institutions experienced a security incident last year; More than 30 million patient records compromised thus far in 2019. 

    by Miranda Nolan

    Data breaches in the healthcare sector are skyrocketing. According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised from 503 breaches—three times the number of records exposed in 2017.

    Now, in 2019, one American Medical Collections Agency (AMCA) data breach alone has compromised the data of more than 25 million patients. Summer is not even over, but we’ve already surpassed the 30 million mark in total.

    A 2019 survey conducted by Healthcare Information and Management Systems Society (HIMSS) reported that 74% of healthcare organizations experienced a significant cybersecurity incident in the past 12 months. Online scam artists (phishing, spear phishing, business email compromise) were the most common threat actors, comprising nearly 30% of these incidents.

    The HIMSS report confirmed that healthcare phishing attacks remain a pertinent threat; email was the initial point of contact for 59% of security incidents.

    Baystate Health fell victim this past February when it discovered an email phishing attack had left nine employee emails compromised and 12,000 patient records vulnerable. The nonprofit is far from alone and far from the biggest victim. This year, healthcare phishing attacks also successfully penetrated the Oregon Department of Human Services (645,000 patients) and UConn Health (326,629 patients), according to Health IT Security.

    Healthcare Phishing Attacks Lead to Huge Losses for Patients and Organizations.

    Cyber criminals are especially drawn to the healthcare industry for one main reason: money. In an article on the subject, Forbes noted that, on the black market, stolen social security numbers go for around 10 cents and credit card numbers for around 25 cents. A stolen electronic medical health record, though, could go for hundreds if not thousands of dollars.

    Hackers know that sensitive information leads to money, and it’d be difficult to find an industry with more of the public’s sensitive information than healthcare. Medical records are the most comprehensive records about an individual’s identity because they contain demographic information alongside financial information and medical history.

    Data breaches are extremely costly for healthcare organizations. According to the Ponemon Institute’s 2019 Cost of a Data Breach Report, healthcare organizations for the ninth consecutive year had the highest costs associated with data breaches at $6.45 million, 65% more than the global average of all industries. The report also concluded that healthcare has more trouble than other industries retaining customers after a breach. These combined factors can truly incapacitate a business. AMCA’s parent company, for example, has filed bankruptcy since its 25 million patient breach, and its billing services vendors are facing numerous investigations and lawsuits.

    Cost of a Data Breach.jpg

    Graph pulled from Ponemon Institute’s Cost of a Data Breach Report 2019, page 26.

    The dollar sign on the victim’s end is exorbitant as well: the same Ponemon study reports that victims of healthcare identity theft spend $13,500 on average to restore their credit, reimburse their healthcare provider following fraudulent claims and correct inaccuracies added to their healthcare records. Not to mention all the time it takes to fight these claims and try to regain some form of security.

    Any phishing attack can lead to downtime, and the loss of company/personal data and money. With healthcare phishing attacks, the stakes are higher. In these attacks, sensitive patient data, patient care, patient trust and personal financial stability are put on the line.

    In 2016, a cyberattack on Washington DC’s MedStar network left its 10 hospitals offline for nearly two weeks, significantly delaying patient treatment and causing service disruptions.

    At its worst, a compromised health record can be fatal.

    A cybercriminal, having hacked your social security number and health insurance information to gain free medical care, could adjust your health record information to match their own medical profile (allergies to medications, blood type, etc.). These changes, perhaps vastly different than your own, could end up on your permanent file—and the next time you’re in need of immediate medical attention, you could be in serious trouble.

    Research Proves Awareness Training is the Kryptonite of Healthcare Phishing Attacks.

    As health care delivery becomes increasingly reliant on integrated and complex—yet susceptible—information systems, it is now more important than ever to cultivate cyber resilience.

    A recent study conducted by Dr. William Gordon of Brigham and Women’s Hospital and Harvard Medical School confirms the value of training healthcare employees to recognize email-borne phishing attacks.

    Gordon’s team sent simulated phishing campaigns to six geographically dispersed US healthcare institutions between August 2011 and April 2018. In that time, the institutions implemented 95 simulated phishing campaigns which produced 2,971,945 emails. More than 422,000 (14.2%) of those emails were clicked by employees—nearly one in seven.

    When researchers analyzed the data over time, they concluded that phishing campaigns increased employee awareness and therefore led to lower click rates in subsequent simulations.  The more simulations an institution ran, the lower the eventual click rate. Employees improved their ability to identify phishing attempts over time, ultimately improving the organization’s overall cyber resilience.

    The takeaway: awareness training is of paramount importance in preventing healthcare phishing attacks. Healthcare organizations should adopt training that is engaging and fun for employees. It’s clear the boring slide deck and subsequent test doesn’t work; employees need to be engaged to pick up the information and improve their behavior. Furthermore, training should happen at a consistent cadence rather than falling to the wayside after the onboarding process. Human error is involved in at least 90% of cyberattacks, and training is essential in cutting this number down.

    Data breaches in healthcare aren’t going away any time soon. Fortunately, there are methods for the industry to fight back. In order to protect both patients and businesses from healthcare phishing attacks, organizations are going to have to continue to adopt stricter cybersecurity measures and ramp up employee education.


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page