Tuesday, October 29, 2019

Healthcare Security Breaches Focusing more on Social Engineering


One of the ways I try to keep up on things is by a voracious reading habit.  I’ve always had a love of gadgets and technology, but keeping up with the constant onslaught of information can be challenging for anyone.  I think this is especially true if the subject happens to be one you don’t have a tremendous interest in.  It’s probably not necessary to say this here, but I take a great responsibility in keeping you abreast of as much tech information as I can.

To help, whenever I hear of a report being released I grab it and try to digest it in a timely manner.  One of the things about technology is that if you don’t stay current, you’re moving backward.  Then trying to get back to a level playing field knowledge-wise is even harder.

The thing I love about reports put together by experts is that they summarize things they are seeing and it helps get the message out more succinctly.  So I was excited when I learned that Proofpoint had released a new healthcare industry report on security.

Something that everyone in healthcare needs to consider is that security does not require attention only because we are trying to be HIPAA compliant.  Don’t get me wrong on that statement. Being in compliance with federal law is *extremely* important.  HIPAA violations can lead to serious fines that could cripple or end the life of a small practice.  However, today it’s not *just* about laws.  Security flaws and the disasters they bring can have as big an impact on the financial well-being of a practice as federal fines.  If ransomware locks you out of your database, your organization begins to hemorrhage money.  Not only are you not generating revenue, you are also paying experts to try to reconstruct your systems from the ground up.

There is also the aspect of the care of the patients.  If a practice goes down, or more importantly a hospital, the well-being of patients is immediately at stake.  Lives may hang in the balance and that gets back to the Hippocratic Oath of “First of all, do no harm.”  If a patient cannot be treated appropriately this can have disastrous results.  Security is not a “good idea”, security is now one of the major tenets of healthcare.

What experts like Proofpoint are now discovering is that criminals are not just looking for ways to break into systems by computer hacking techniques.  Recently they have turned to social engineering tactics as well.  Here are 5 things they point out in their report:

  • Targeted healthcare companies received 43 imposter emails in the first quarter of 2019, a whopping 300% jump over the same quarter last year. Within affected healthcare companies, 65 people were targeted by spoofed email, and 95% of those companies saw emails spoofing their own trusted domains.
  • Subject lines that included “payment”, “request”, “urgent” and related terms appeared in 55% of all imposter email attacks.
  • 77% of email attacks on healthcare companies used malicious URLs.
  • Banking Trojans were the biggest threat to healthcare companies over the period of our research.
  • Factors such as access to critical data or systems, or having a public-facing email, can make anyone a highly targeted person.

The lesson here is to pay close attention to the social engineering aspect of security now more than ever.

To learn more about what Proofpoint has discovered, follow this link.
