Just like oil, electricity, and water, healthcare is a vital infrastructure. We still remember the overcrowded hospitals when the Covid pandemic began—overcrowding that cost lives. And when a vital infrastructure is at risk, we tend to pay the ransom, no matter how high.
What makes healthcare attractive to the attacker is that the sheer scale of people involved—patients, doctors, and staff—and the number of attack points available—equipment, phones, mobiles and computers—the opportunities to plant a phishing link are almost unscalable.
The ease of infection
Health care providers in Pennsylvania, Georgia, and Maryland have recently experienced patient health information breaches due to hacking through employee phones. The stolen data has varied by patient but always included sensitive information, such as SSNs, contact details, dates of birth, driver’s licenses, medical data, and credit card details. Thousands of patients were affected and had to be notified by law officers.
Data breaches in the healthcare industry due to hacking or phishing can cost an average of $7.13 million per incident. These are the most expensive attacks across all industries, according to an IBM report.
Doctors attending a recent SXSW Interactive conference described some incidents, illustrating how easy it was to infiltrate a health worker’s mobile phone.
A nurse working at a hospital affiliated with the prestigious Harvard Medical School accessed a website on her phone to download a game. She did not realize, however, that she was actually entering a phishing website located in Bulgaria. Along with the game, she unknowingly downloaded malware through which a screen scraper recorded her email login credentials the next time she checked her mail. The hackers then accessed and used her account to send 1 million spam messages using the “harvard.edu” suffix. Consequently, Verizon blocked the entire university as a spammer.
One of the most effective types of phishing attacks on employees is to use sites that simulate your company’s site and mention a policy or bonus. Even doctors are at peril. One group received an email asking them to log into their payroll portal to authorize a bonus. One eager physician didn’t notice that the URL was ever so slightly different from that of his employer. The hackers had created an identical site to which the doctor entered his credentials. With this information, the hackers entered the real payroll site and replaced the doctors’ direct deposit details with their own. They used the salaries to buy Amazon gift cards and then disappeared. After a painful lesson, the hospital no longer enables remote access to the payroll site using only a password.
Why phish doctors and nurses?
The first reason to target people who are doing no less than God’s work is simply that health data is worth a lot of money to a lot of people – the drugs manufacturing industry not the least among them. Add to that the fact that many people would like to keep their information confidential – losing it constitutes a basis for lawsuits based on GDPR regulation. Unfortunately, and this is a reason in itself, health information must remain open and shareable. A patient in an ambulance in one state cannot afford his data tyo be encrypted by an algorithm only used by his family doctor in another. Clearly, the requirements of confidentiality, on one hand, and shareability, on the other, leave holes in data security.
Second, opportunity is rife! The number of devices used by hospitals and outside them in clinics and even patient homes is overwhelming. With endpoint devices for health workers, patient mobiles, but also lab equipment and other online devices providing easy infiltration, one would think that the latest in security technology would be installed. Unfortunately, the need for the most modern in lifesaving technology usually outrumps the need to secure that technology against break-ins.
Most important, though, is that in the wake of the Covid19 pandemic, the roster of healthcare providers is thinly spread and exhausted from dealing with the sudden increase in patients. Many of the administrative staff are working remotely, accessing patient files on their personal devices. Most of these staff members are neither educated nor inclined to spend any of their non-existent down-time in cybersecurity training.
Another reason is that healthcare is considered a critical infrastructure, and this area has seen a massive increase in attacks from foreign actors.
How to protect yourself from phishing attacks
Because many medical professionals work in different environments—from clinics to hospitals, often from home and many for several employers, mobile devices are often their primary means of communication. It is important to have any data processing/storage device being used protected; and this includes mobile phones. Antivirus software is insufficient and does not protect against simple human behavior upon which phishing relies. You can ensure your phone is protected by using a browser extension that constantly scans the sites you visit.