
New Medicare Cards Initiate Phishing Scam

Medicare patients are receiving calls from telephone solicitors who are phishing for private identification information for nefarious purposes. The ruse is facilitated by the issuance of new Medicare cards. Here’s how the scam goes down: the callers claim to be from Medicare and say there has been a mix up in the assignment of new […]

The post New Medicare Cards Initiate Phishing Scam appeared first on AAPC Knowledge Center.

AAPC Knowledge Center

Phishing for PHI

Cyber threats continue to grow and evolve, but most share a similar origin: phishing. Phishing emails, seemingly innocuous or legitimate emails used to infiltrate an organization, are a common source of malware and are used for scams in which a criminal impersonates another individual to obtain sensitive information. A study released in March by PhishMe estimated that up to 93% of phishing emails contain ransomware.

Although the damage phishing emails can do is tremendous, security officers can help their organizations turn the tide by using a combination of technical controls and targeted education.


Gone phishing

The danger and the success of phishing emails lies in their ability to manipulate the individual on the receiving end. Phishing emails may be sent from domains that are a near-identical match for an organization’s and come with what appear to be legitimate and urgent attachments or links. It’s a simple scheme that criminals can use for a variety of purposes.

"They hope to get malware installed so they can control the computers they infect or even the entire network. They hope to get network or application login credentials. They hope to trick people into performing certain actions, i.e., a wire transfer of money," Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, says. "The possibilities are endless."

The dangers are, too. PHI, financial, and business information are all at risk when a staff member falls for a phishing email. "Some of the most elaborate hacking incidents and large-scale data breaches have started with a single phishing email," Beaver says.

The cost and frequency of data breaches have remained high for several years. Data breaches cost the healthcare industry $6.2 million, according to Ponemon and ID Experts’ Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. The study also found that, despite the high cost of breaches, many organizations say they lack the budget to invest in managing data breaches.

"I think organizations are trying to do the best they can, but they’re under a barrage from all fronts," Rick Kam, CPP/US, president and CEO of ID Experts, says. "They’re under regulatory scrutiny. The ACA is changing its business tremendously. At the same time, criminals are realizing they’re a soft target. While there’s the recognition that organizations need to do more, I think the bad guys are winning at this point because they have more resources and they’re more creative."

Beaver agrees that organizations must catch up or find themselves paying the price of a data breach. "I don’t think most organizations fully understand what they’re up against," he says. "IT and security staff members might, but they are having a problem communicating that to the stakeholders or getting and keeping the necessary management buy-in."


A big catch

Early phishing emails were relatively unsophisticated scams, Kam says. They often claimed to be sent by a representative of a foreign bank that wished to transfer money the unsuspecting recipient had inherited or won.

Today’s phishing emails are often much more sophisticated. Spear phishing specifically targets highly placed individuals in organizations with the credentials to access and request large amounts of sensitive information. Hackers engage in social profiling, researching a target’s organization, job description, and level of access to sensitive information. Recent breaches of social media sites, such as the LinkedIn breach, may have exposed detailed information about users. But even a quick scan of a social media profile can reveal a high level of detail about an individual’s job and typical style of communication.

Then, either by hacking into the target’s email account or creating an email address at a domain that’s a near match for the organization’s, the attack is launched.
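The near-match domains mentioned above (and earlier under "Gone phishing") are something a mail gateway or SOC script can check for mechanically. The following is an added example written for this page, not code from the article or from any of the people quoted in it; it assumes the organization's legitimate sending domains are known, and the `TRUSTED_DOMAINS` list, the sender addresses and the `classify_sender` function name are all constructed for the illustration.

```python
"""Sender-domain lookalike check (added example, not from the article).

A sender domain is 'trusted' if it is one of ours, 'lookalike' if it embeds
our name, differs only by a top-level domain, or is within a few edits of it
after undoing common visual substitutions, and 'external' otherwise.
"""
from email.utils import parseaddr

# Constructed: the organization's real sending domains (assumption).
TRUSTED_DOMAINS = ("example-health.org", "mail.example-health.org")

# Digits commonly swapped in for letters to mimic a real name.
_DIGIT_SWAPS = str.maketrans("0135", "oles")


def normalise(domain: str) -> str:
    """Lower-case and undo common visual substitutions before comparing."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_DIGIT_SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(domain: str) -> str:
    """Drop the last label so 'example-health.com' and 'example-health.org'
    are compared on 'example-health'."""
    return domain.rpartition(".")[0]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, closest_trusted_domain).

    verdict is one of 'trusted', 'lookalike', 'external' or 'invalid'.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("invalid", "", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match or a subdomain of one of our own domains.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", domain, t)
    # Our real domain buried inside a longer name, e.g. example-health.org.evil.com
    for t in trusted:
        if t in domain:
            return ("lookalike", domain, t)
    # Otherwise compare the name part after undoing visual substitutions.
    name = normalise(registrable_name(domain))
    best = min(trusted, key=lambda t: edit_distance(name, normalise(registrable_name(t))))
    dist = edit_distance(name, normalise(registrable_name(best)))
    if dist <= max_distance:
        return ("lookalike", domain, best)
    return ("external", domain, best)


if __name__ == "__main__":
    for header in ("Jane <jane@mail.example-health.org>", "ceo@examp1e-health.org",
                   "ceo@example-health.com", "ceo@example-health.org.evil.com",
                   "vendor@supplier.net"):
        print(header, "->", classify_sender(header))
```

A fixed edit-distance threshold is too loose for very short domain names, so in practice scale `max_distance` with the length of the name, and treat a "lookalike" verdict as a reason to hold the message for review or to tag it visibly for the recipient rather than as proof of fraud.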

In a recent series of phishing scams, hackers impersonated individual chief executive officers (CEOs) and chief financial officers and sent emails to accounting staff requesting W-2 information for all employees, Kam says. Unfortunately, a number of recipients fell for the scam. In this case, the W-2 information was likely used to commit tax fraud, whereas phishing emails requesting PHI are often part of medical identity scams, Kam says. (For more information about medical identity theft, see Medical identity theft: Part 1 and Medical identity theft: Part 2 in the July and August 2016 issues of BOH.)

Defense tools

Phishing and other cyberattacks will likely increase and healthcare organizations are a prime target, Beaver says. "With all of the complexities of any given network environment combined with the lack of resources and general overwhelmed nature of many IT and security teams, I can’t imagine that it won’t."

However, the rise of phishing and cyberattacks might have a silver lining, Kam says. "The more cyberattacks an organization sees, the more likely it is that the executive team will approve technologies and educational things to protect their organization."

There are a number of technical controls organizations can put in place to stop phishing emails before they land in a staff member’s inbox, Kam says. Behavior analytics tools can help detect phishing by analyzing a user’s typical behavior, such as when they sign in and out and what systems they access. If a user generally signs in at 8 a.m. from their office and signs out between 4:30 and 5 p.m., the tool will look for deviations from that routine. If the same user suddenly begins signing in at 2 a.m. from a remote location, it will stop the transaction. However, behavior analytics tools are still not universal, he says.
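The sign-in baseline described above can be illustrated in a few dozen lines. What follows is an added example written for this page, not the article's own material or any vendor's product: it learns each user's usual sign-in hours and locations from a constructed history, then grades a new sign-in as allow, step-up (ask for extra verification) or block. The user names, timestamps, locations and the `build_baseline` and `evaluate` function names are all assumptions made for the illustration.

```python
"""Sign-in behaviour baseline (added example, not the article's code).

Learn when and from where each user normally signs in, then treat a sign-in
outside that routine (the article's 2 a.m. remote sign-in) as a deviation.
The history below is constructed; timestamps are ISO 8601 in local time.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, sign-in time, source location).
HISTORY = [
    ("asmith", "2016-07-04T08:02:00", "office"),
    ("asmith", "2016-07-05T07:58:00", "office"),
    ("asmith", "2016-07-06T08:10:00", "office"),
    ("asmith", "2016-07-07T08:05:00", "office"),
    ("asmith", "2016-07-08T07:55:00", "office"),
    ("bjones", "2016-07-08T09:30:00", "office"),  # too little history to profile
]


def build_baseline(events, min_events=5, slack_hours=1):
    """Per-user profile: a tolerated sign-in hour window plus the locations seen.

    Users with fewer than min_events sign-ins get no profile, so a baseline is
    never learned from noise; slack_hours widens the observed window a little.
    """
    hours, places = defaultdict(list), defaultdict(set)
    for user, ts, location in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
        places[user].add(location)
    return {
        user: {"hours": (min(h) - slack_hours, max(h) + slack_hours),
               "locations": places[user]}
        for user, h in hours.items()
        if len(h) >= min_events
    }


def evaluate(event, baseline):
    """Return (decision, reasons) for one sign-in: 'allow', 'step-up' or 'block'.

    One deviation asks for extra verification; two together (off-hours and an
    unseen location, the article's 2 a.m. remote sign-in) blocks the sign-in.
    """
    user, ts, location = event
    profile = baseline.get(user)
    if profile is None:
        # No learned routine yet: fall back to the static policy, do not guess.
        return ("allow", ["no baseline for user"])
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    low, high = profile["hours"]
    if not low <= hour <= high:
        reasons.append(f"sign-in at hour {hour:02d} outside usual window {low:02d}-{high:02d}")
    if location not in profile["locations"]:
        reasons.append(f"never seen location {location!r}")
    if len(reasons) >= 2:
        return ("block", reasons)
    if reasons:
        return ("step-up", reasons)
    return ("allow", reasons)


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for ev in [("asmith", "2016-07-11T08:03:00", "office"),
               ("asmith", "2016-07-11T02:14:00", "vpn-remote")]:
        print(ev, "->", evaluate(ev, BASELINE))
```

Two simplifications to be aware of before using this shape for real: the hour window does not wrap around midnight, so night-shift staff whose routine straddles 00:00 need a window expressed as a set of hours rather than a range, and "location" here is a label supplied by the sign-in source, so the quality of the decision is only as good as that attribution.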

Browser tools can protect users even when they’re out of the office, Kam says. A staff member may need to sign into his or her email using a browser while working remotely, but accessing email via a browser is typically not secure. An organization’s IT department can install a browser extension on staff members’ laptops and smartphones that will analyze websites and warn the user if the site he or she is attempting to access is suspicious.

Technical defenses can’t take a backseat, Beaver warns. Without the right tools, staff will be left vulnerable.

"It’s incumbent on IT and security teams to set their users up for success with proper technical controls that will detect and stop such behaviors," he says. "These controls, such as strong endpoint security, proper malware protection, and network-based activity monitoring and blocking, are often absent or poorly implemented at best."

But even with the best technical safeguards, some phishing emails will still slip through.

"Many companies have been investing in tools and security systems so they have the ability to defend from hackers, from a technical aspect," Kam says. "But unfortunately people will still always be the weak link."

Getting smart

Protecting PHI from phishing, and other vulnerabilities, requires a three-pronged approach, says Meredith Phillips, CHC, CHPC, HCISPP, ITIL, chief information privacy and security officer at Henry Ford Health System (HFHS) in Detroit. To protect PHI, organizations must invest in technology, develop processes, and train staff. Some organizations invest heavily in technology but typically forget about training staff, she says.

"We do put a lot of emphasis on the people part of that triangle, because we feel that no amount of technology or no defined process is going to work if you have a person who has to make a judgment call every day," she says.

HFHS employs 27,000 people, all of whom must go through mandatory annual training. Staff average 98% to 99% completion rates for the annual training, which is exceptional for an organization its size, Phillips says.

One of the keys to HFHS’s success is applying proven education techniques. Training should be developed according to the eight-by-eight concept of adult learning, she says. In this model, a concept is addressed eight different times, eight different ways. Typically, after the eighth time, an adult learner will fully understand the material. HFHS takes the concept a little further to what Phillips calls the 25-by-25 rule.

"We’re always talking to people about this stuff," Phillips says. "We really try to saturate our environment with nuggets of information that support our overall strategy from a training standpoint. So by no means am I trying to give you a five-page document every time we train you, but we train you at times you don’t even know you’re being trained."

However, be wary of oversaturating staff, she adds. Spear phishing targets specific staff, and education should as well. Earlier this year when phishing emails began to go out to accounting staff requesting W-2 information, Phillips took strategic action.

"Once we realized that was happening, we pushed out a whole training and education module targeting our financial team, because most staff will never see that particular type of phishing email," she says. "You have to stay ahead of the game and, if you see these happening in your environment, you need to be poised and ready to go and get to that targeted group so they can make a better judgment call."


Information sharing

Privacy and security officers should share information on new phishing and hacking attacks with department managers, she says. Managers can then pass the warning on to staff before specific training is rolled out.

Staff will likely have a number of questions about phishing. They should know who to ask and shouldn’t worry that questions are an unwanted bother.

"If you have training and you’re not telling people how to get to you afterward, you’re defeating the purpose," Phillips says.

This message is especially important when training is online, she says. Many organizations opt for online training modules that staff can complete at their own pace by a given deadline. However, without face-to-face interaction with an instructor, staff can’t ask questions during the training. Open channels of communication between the privacy and information security department and the rest of the organization will ensure any questions are resolved.

When it comes to PHI, it’s better to ask a question than risk a breach, Kam says. Many staff may have questions about how to spot the difference between a legitimate request from a colleague and a carefully crafted phishing email.

"Show them [staff] some examples of the more blatant emails you might get," Kam says.

Staff should know it’s okay to ask for confirmation for an unusual request, even if it comes from someone who appears to be a senior manager or even the CEO. Some may feel reluctant to question a request they believe is coming from someone highly placed in the organization and may feel pressured to comply with the request quickly and without question. That’s exactly what phishing depends on. Managers, including senior managers, should encourage staff to double-check any unusual requests, Kam says.

"If staff feel confirming a request would be frowned upon, the organization is setting itself up for a breach," he says.

Some staff may also have trouble understanding why they can’t simply rely on anti-malware or anti-phishing tools to catch every suspicious email. Remind staff that hackers can work around the clock to create new methods to break technological defenses, but an anti-phishing or anti-malware program’s definition files aren’t updated instantly, Phillips says.

Communication will also help privacy and security officers, she adds.

"We always ask for feedback about what are some of the ways we could present this information," she says. "There are scenarios that they come up with that we might not be aware of, that happen in their business every day. So they educate us on what those things are."


Changing culture

Many organizations acknowledge more could be done to improve information security, according to the Ponemon survey. However, the survey also revealed that covered entities and business associates appear to place the blame for breaches, and the responsibility for preventing them, on each other. That lack of accountability may be a significant part of why cyber criminals see the industry as an easy target, Kam says. Until each organization accepts responsibility, it’s likely some will continue to pass the buck.

But without executive buy-in, privacy and security officers may face an uphill battle for resources and staff engagement with training, Phillips says.

"I don’t think education can be pushed from the bottom up," she says. "Your CEO has to provide you with support to be able to push levels of comprehensive training."

When CEOs and senior leaders set the example, an organization can shift its culture. "When I see my CEO taking training and education personally and actually taking it as a business value for her to be able to do things in a more compliant manner, it makes me want to be more compliant," Phillips says.

Organizations must commit to security and provide staff with tools and training to support that goal. Often, this can be accomplished by enforcing or refreshing existing tools and training.

"I’m of the belief that no new strategies are needed—just the stuff we’ve known about for decades that hasn’t yet been done," Beaver says. "In other words: discipline."

HCPro.com – Briefings on HIPAA

HHS Warns of Phishing Attempt Disguised as Audit Communication

The U.S. Department of Health and Human Services (HHS) has issued an alert, warning of phishing attempts disguised as audit communication. It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government […]
AAPC Blog

Beware Phishing Attempts to Thwart Your IT Security

Help prevent the damage that a criminal data attack can have on a healthcare organization. Often, when talking about information technology (IT) security, you hear responses such as, “It’ll never happen to us,” or “I’m too small to be a target.” The truth is, viruses, spyware, malware, phishing, hacking, phreaking, social engineering, data loss, improper […]
AAPC Blog