Healthcare Industry Remains Cybersecurity Laggard

Healthcare organizations are still looking for a cybersecurity cure or at the very least an effective security management regimen. As we covered recently, Healthcare continues to be a prime target for cyber attacks. That post was based on a survey conducted by the non-profit global advisory organization HIMSS and found that most healthcare organizations had experienced a significant security incident in the previous year.

Another recent look at healthcare security, the Beazley Breach Insights Report, found that 41 percent of healthcare organizations identified the highest number of data breaches when compared to any other business sector. According to the Beazley findings, the causes of the breach were direct hacks or a malware infection. Some breaches were due to human error, such as falling for a successful phishing attack. Their study also found a decrease in the number of inadvertent data disclosures.

According to the report, the increase in successful hacks and malware infections and the decrease in unintended data disclosure were related directly to a sizable increase in business email compromise incidents.

This report also identified a dramatic increase in so-called sextortion scams. In these attacks, the scammers typically use a bit of information they gleaned from previous attacks, such as an email and old password, to try to trick targets into thinking that they had access to their system and were able to capture video of them watching pornographic material. If the mark doesn't pay a ransom (typically Bitcoin), the attackers claim they will email the evidence to friends and co-workers.

According to Beasley, emails sent to their policyholders often contain a link or zip file that the attackers claim to be evidence of the pornographic webcam activity, or the file provides a website to pay the ransom. If clicked, the link may, in fact, spread malware that can steal information and install ransomware.

Of course, these scams are typically hoaxes. As Filip Truta recently covered, criminals do increasingly attack the human layer when targeting business. In his post, he cited a recent Barracuda Networks survey that pointed to similar conclusions as Beasley’s findings: Cybercriminals are bypassing security controls by targeting people directly.

The social engineering techniques they use rely heavily upon brand impersonation, used in 83 percent of spear-phishing attacks. The two most common brands impersonated were Microsoft and Apple. Then, sextortion attacks like those cited by Beasley were used to target 10 percent of spear-phishing attacks.

The HIMSS survey, cited above, revealed how the healthcare industry continues to take the brunt of the hits. In that survey of 239 healthcare executives and cybersecurity professionals for the year running from December 2017 through January 2018, they found three-quarters of those surveyed experienced a recent and significant security incident.

Of those attacks identified by survey respondents, 96 percent were able to characterize the adversary for the attacks. The top three, in order, being online scam artists such as phishers, negligent insiders, and hackers.

All organizations, and not just those in healthcare, can expect that adversaries will continue to target staff and others near the organization to bypass security controls. Also, the probability is much higher than not that some people will fall for the scams and click on something they shouldn't. There’s no easy way to eliminate this risk, but it can be mitigated by following good security practices and maintain an ongoing cybersecurity awareness program.