Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Phishing in Healthcare: Yet Another Major Incident

'Phishing Continues to Be One of the Primary Breach Vectors in Healthcare'
Phishing in Healthcare: Yet Another Major Incident
Overlake Medical Center & Clinics is among the latest victims of a phishing attack.

Yet another large phishing-related health data breach has been reported to federal regulators. This one potentially exposed the data of 109,000 patients at Bellevue, Washington-based Overlake Medical Center & Clinics.

See Also: Live Webinar | More Data, More Problems: Applying the Right Automation to Propel Security Operations

As of Tuesday, the Overlake incident was the third largest breach added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website of health data breaches affecting 500 or more individuals.

"Phishing continues to be one of the primary breach vectors in the healthcare industry. It is cheap, effective and profitable to the cyber-criminal element," says Rich Curtiss, director of healthcare risk assurance services at security consultancy Coalfire.

"Health records command a hefty price on the 'dark web' and are relatively easy to acquire through phishing attacks. Phishing is an organizational threat and not an IT problem. Addressing the threat must be a strategic imperative and, to be truly effective, must be part of the organizational culture."

Email Accounts Exposed

Within hours of Overlake Medical Center & Clinics discovering the phishing attack on Dec. 9, 2019, the organization secured the affected email accounts and immediately began an investigation, according to a recently released statement.

"The investigation determined that the third parties had access to the initially affected account from Dec. 6 to 9, 2019, and the subsequently affected email accounts for just a few hours on Dec. 9, 2019," Overlake's statement says.

So far, the investigation has not determined whether third parties accessed patient information stored in the email accounts. That includes name, date of birth, phone number, address, name of insurer or insurance ID number as well as diagnosis and treatment information, the statement notes.

"While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported as a result of this incident at this time," according to the statement.

Overlake says it has implemented additional security measures to protect its systems. That includes resetting passwords for all compromised accounts; enhancing mandatory workforce education to help employees better recognize and avoid phishing emails; bolstering the technology in use to identify and block suspicious external emails; and implementing multifactor authentication.

A Persistent Problem

Hacking incidents involving email appear to be the most common type of major health data breach being reported to federal regulators so far in 2020 (see Health Data Breach Tally Update: 2020 Trends).

The largest of those was a phishing incident reported Jan. 10 by PIH Health that affected nearly 200,000 individuals (see Health Data Breach Not Reported for Seven Months).

A phishing attack reported in January by PIH Health affected nearly 200,000 individuals.

Phishing attacks are becoming more effective as fraudsters improve their efforts to adopt the "look and feel" of a legitimate e-mail, Curtiss notes.

"There are always tell-tale signs but they may not be obvious to the casual user," he notes. "Therefore, a combination of security controls are necessary to minimize the opportunities for a phishing email to exploit a user.

Many phishing emails now include hyperlinks to malicious websites in lieu of attachments to avoid anti-malware software that may "sandbox"' the attachment and inspect it before sending it on to the user, Curtiss explains.

"The human response to phishing email is the hardest to protect against, so it is important to minimize the delivery of 'potential' phishing email while balancing 'false positives', which inhibit legitimate email from being delivered," he adds. "Many security vendors have either software or appliances which claim to 'automatically block' phishing emails, but nobody has cracked the nut with a 100 percent effective balance."

Therefore, the best approach to minimizing falling victim to email phishing is a layered defense posture that includes an organization providing workforce cybersecurity training coupled with regular phishing campaigns testing, plus "a robust technical security infrastructure," Curtiss says.

The Role of an EDR Platform

Brock Bell, principal consultant at security services firm The Crypsis Group, notes: "Having an endpoint detection and response platform in place can act as a front-line defense against successful phishing attacks. Even once we know a user has clicked on a link, the EDR platforms can detect and stop successful next steps, such as a weaponized attachment that is designed to give attackers access into the environment.

"While healthcare companies are far from alone in being the victims of phishing attacks, their data is highly monetizable on the black market, and they are often perceived as having restrictive budgets that can't prioritize IT and expert security staffing - making them a presumptive 'good target'."

Healthcare organizations should conduct a risk assessment "so they can target their cybersecurity spend more efficiently and effectively and ensuring they have a tested incident response and remediation plan in place," Bell adds.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.