A recent study from Ponemon Institute that examined the rate of data breaches over the past five years concluded that: “91% of healthcare organizations had experienced one data breach; 39% had experienced two to five breaches; 50% had five or more data breaches over the past two years.”
Breaches affecting 500 or more individuals must be reported to prominent media outlets and to the Secretary of Health and Human Services, who posts them on a public web site colloquially referred to as the “HIPAA wall of shame”. If you take the time to walk backwards through that data, it is easy to see that the share of breaches in the “Hacking/IT Incident” category has been steadily increasing over time.
There are many ways to hack, but one of the most common and certainly one of the most effective is a technique known as “phishing”, where a criminal entity “masquerades as a trustworthy entity in an electronic communication in an attempt to acquire sensitive information such as usernames, passwords, and credit card details” (Wikipedia).
Phishing is a form of so-called “social engineering”. Instead of trying to break through layers of hardware and software protection, the criminal simply targets the weakest link, the human operating the machine, and finds a way to trick that person into handing over the credentials needed to advance further into the system.
Phishing is frighteningly easy to carry out, requires minimal resources, and opens a multitude of attack vectors into an organization. It is incredibly effective, with a hit rate commonly estimated at roughly one in ten recipients.
The most effective protection against phishing is education. We need to teach employees to be suspicious of every unsolicited contact, whether email, phone call, or even text message, so that they aren’t taken advantage of by criminals.
Education is key because it’s impossible to blacklist every source address. Sender-authentication controls and attachment filtering reduce the volume of spoofed and malicious mail, but they cannot eliminate it: email links are commonplace, and attachments cannot be blocked outright when they are a legitimate part of daily work. The best we can hope for is that the end user will pay attention to system warnings and look closely before clicking.
Unfortunately, it only takes one incident to crack open the doors to a breach.
My HIPAA Security Officer and I are often asked to fill out security assessments before we start services with a new hospital system. Many of these are modeled on well-established standards and frameworks such as SOC 2, ISO 27001 or HITRUST CSF. They require explicit information security controls that are important, but they don’t really assess how well we’ve defended against social engineering attacks such as phishing.
Given the risks in the current healthcare environment, I believe now is the time for the industry to step up its game. Instead of relying simply on education, we need to take a more active stance and look much more closely at how to prevent social engineering techniques such as phishing.
It seems logical to start by having our penetration testing companies test our defenses on an unannounced schedule: sending fake phishing emails, or calling in and attempting to obtain credentials from help desk personnel. Metrics such as how many recipients clicked, how many entered credentials, and how many reported the message could be collected and presented to senior management, so that we can measure our readiness and apply corrective actions as needed.
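One way to turn the results of such a simulated campaign into the management metrics described above, while keeping the reporting at team level so that no individual is singled out, is sketched below. This is an added example, not code from the original article or from any phishing-simulation product; the event format, the campaign name “Q3-invoice”, the departments and the pseudonymous user tokens are all constructed for illustration.

```python
"""Aggregate simulated-phishing results into team-level metrics.

Added example; the event format and field names are assumptions, not
the output of any particular phishing-simulation product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    campaign: str
    user_id: str      # pseudonymous token: the report never needs a name or address
    department: str
    action: str       # one of: delivered, clicked, submitted, reported
    when: datetime


def _t(hhmm: str) -> datetime:
    """Helper for the constructed sample: a time on an arbitrary fixed day."""
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample data for a hypothetical campaign "Q3-invoice".
SAMPLE_EVENTS: List[Event] = [
    Event("Q3-invoice", "u1", "Finance", "delivered", _t("09:00")),
    Event("Q3-invoice", "u2", "Finance", "delivered", _t("09:00")),
    Event("Q3-invoice", "u3", "Finance", "delivered", _t("09:00")),
    Event("Q3-invoice", "u4", "Clinical", "delivered", _t("09:00")),
    Event("Q3-invoice", "u5", "Clinical", "delivered", _t("09:00")),
    Event("Q3-invoice", "u6", "Clinical", "delivered", _t("09:00")),
    Event("Q3-invoice", "u7", "Clinical", "delivered", _t("09:00")),
    Event("Q3-invoice", "u8", "IT", "delivered", _t("09:00")),
    Event("Q3-invoice", "u8", "IT", "reported", _t("09:01")),
    Event("Q3-invoice", "u5", "Clinical", "reported", _t("09:02")),
    Event("Q3-invoice", "u2", "Finance", "reported", _t("09:03")),
    Event("Q3-invoice", "u1", "Finance", "clicked", _t("09:05")),
    Event("Q3-invoice", "u1", "Finance", "submitted", _t("09:06")),
    Event("Q3-invoice", "u1", "Finance", "clicked", _t("09:10")),   # repeat click, counted once
    Event("Q3-invoice", "u4", "Clinical", "clicked", _t("09:12")),
    Event("Q3-invoice", "u6", "Clinical", "reported", _t("09:20")),
    Event("Q2-password", "u9", "Finance", "clicked", _t("08:00")),  # other campaign, ignored
]

ACTIONS = ("delivered", "clicked", "submitted", "reported")


def campaign_metrics(events: Iterable[Event], campaign: str) -> Dict[str, Dict[str, float]]:
    """Return per-department and overall ("ALL") rates for one campaign.

    Each rate is the number of distinct recipients who took the action divided
    by the number of distinct recipients who received the lure, so a user who
    clicked twice counts once. Submitting credentials implies clicking, so
    'submitted' users are folded into 'clicked' even if the click event was lost.
    """
    users: Dict[str, Dict[str, set]] = defaultdict(lambda: {a: set() for a in ACTIONS})
    for e in events:
        if e.campaign != campaign or e.action not in ACTIONS:
            continue
        users[e.department][e.action].add(e.user_id)

    def rates(sets: Dict[str, set]) -> Dict[str, float]:
        clicked = sets["clicked"] | sets["submitted"]
        n = len(sets["delivered"])
        if n == 0:  # nothing delivered: avoid division by zero
            return {"recipients": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
        return {
            "recipients": n,
            "click_rate": len(clicked) / n,
            "submit_rate": len(sets["submitted"]) / n,
            "report_rate": len(sets["reported"]) / n,
        }

    overall = {a: set() for a in ACTIONS}
    result = {}
    for dept, sets in sorted(users.items()):
        result[dept] = rates(sets)
        for a in ACTIONS:
            overall[a] |= sets[a]
    result["ALL"] = rates(overall)
    return result


def minutes_to_first_report(events: Iterable[Event], campaign: str) -> Optional[float]:
    """Minutes from the first delivery to the first user report, or None if nobody reported."""
    events = list(events)
    deliveries = [e.when for e in events if e.campaign == campaign and e.action == "delivered"]
    reports = [e.when for e in events if e.campaign == campaign and e.action == "reported"]
    if not deliveries or not reports:
        return None
    return (min(reports) - min(deliveries)).total_seconds() / 60


if __name__ == "__main__":
    for dept, m in campaign_metrics(SAMPLE_EVENTS, "Q3-invoice").items():
        print(f"{dept:9s} n={m['recipients']:2d} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%}")
    print("first report after", minutes_to_first_report(SAMPLE_EVENTS, "Q3-invoice"), "minutes")
```

The report rate and the time to first report are worth tracking alongside the click rate: a department whose staff report the lure within minutes gives the security team a chance to pull a real message before most recipients have opened it, which is exactly the behaviour the training is meant to produce.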
This approach would have the advantage of putting employees on their guard, but we will have to be careful to preserve the dignity of any employee who falls for the scam. Our goal is to catch phishers, not to embarrass our staff.