The danger posed by phishing attacks is constant, especially for the healthcare sector, which is frequently targeted by cybercriminals because of the high profits to be earned from selling healthcare data and from gaining access to compromised email accounts.
Phishing attacks are having a massive impact on healthcare providers in the United States, which are recording record numbers of phishing attacks. The sector is also inundated with ransomware attacks, many of which begin with a successful phishing email, often one that delivers a loader such as the Emotet or TrickBot Trojans, which in turn installs the ransomware.
A recent survey of U.S. healthcare cybersecurity workers carried out by HIMSS has shown the extent to which phishing attacks are reaching their intended targets. The survey, which was conducted during the period from March to September 2020, showed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of attacks.
One interesting detail uncovered by the survey is the lack of basic protections against phishing and other email attacks. While 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely worrying that 9% appear not to have done so. Only 89% said they had implemented firewalls to defend against cyberattacks.
Then there is multi-factor authentication, a control that is highly effective at stopping stolen credentials from being used to remotely log in to email accounts. Microsoft stated in a Summer 2020 blog post that multifactor authentication will prevent 99.9% of attempts to use stolen credentials to log in to accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a massive improvement on 2015, when the survey was last carried out and just 37% had implemented MFA, but it shows there is still room for improvement, especially in a sector that experiences more than its fair share of phishing attacks.
In the data breach reports required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, with which healthcare organizations in the U.S. must comply, it is common for breached organizations to state that they are implementing MFA after suffering a breach, when MFA could have stopped that costly breach from occurring in the first place. The HIMSS survey revealed that 75% of organizations augment security only after experiencing a cyberattack.
The number of phishing attacks that are succeeding cannot be blamed on a single factor, but what is clear is that larger-scale investment in cybersecurity is needed to prevent these attacks from succeeding. An effective email security solution that can block phishing emails and malware attacks should be a priority. Cybersecurity training for staff is required for HIPAA compliance, but that training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also a crucial anti-phishing measure.