In 2020, 505 reported email breaches resulted in 23.43 million compromised PHIs.
Per the Paubox team’s 2020 Breach Report: A Year in Review, which summarizes public data provided on HHS’ breach portal, last year there were 505 reported HIPAA breaches. In total, 23.34 million Americans had their protected health information (PHI) compromised.
Email breaches were the most common attack vector, with 188 breaches. The largest email breach occurred in December via MEDNAX Services, Inc., where 1,290,670 individuals were affected.
So why is email such a cybersecurity problem, and what can healthcare organizations do about it?
Email phishing is a common way that hackers gain access to a system. Attackers craft a message that looks like it comes from a credible, trusted source. The email will frequently be written to induce panic or quick action, such as describing an imminent account shutdown or a security breach in progress. The goal is to trick people into providing information in order to access and exploit valuable or sensitive systems.
According to Coveware’s most recent Q4 2020 report, email phishing overtook remote desktop protocol (RDP) compromises as the dominant attack vector last year. Deloitte’s research also finds that 91% of all cyberattacks begin with a phishing email to an unsuspecting victim.
According to the 2020 HIMSS Cybersecurity Survey, phishing email is the typical initial point of network compromise, by either general phishing or spear phishing. Seventy-seven percent of respondents indicated that their organizations experienced a phishing attack or other social engineering attack in the past twelve months.
This is a big problem, since it takes just one error to infect a network. It serves as a great reminder that inbound email security is just as important as outbound HIPAA-compliant email for a healthcare provider.
Display name spoofing is a common method that criminals leverage in phishing emails. It is a targeted attack where an email’s display name is altered to make a message look like it comes from a trusted source.
This is easy for criminals to do: they simply sign up for a free email address through a provider such as Yahoo! or Google and set the display name to the person they want to impersonate. The impersonated person is someone the victim is likely to engage with, and a cybercriminal identifies such a person by researching the company’s website or LinkedIn profiles to learn the team structure.
Hackers may also employ a lookalike domain when trying to impersonate a known sender. They register new, deceptively similar domains by swapping characters, such as replacing the letter o with the numeral 0, or inserting an additional character such as an s or a hyphen.
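As an added illustration of the two impersonation techniques just described (example code, not from the original article or from Paubox), the following Python check flags an inbound From: header whose display name matches a staff member but whose address is external, or whose domain is one character swap, insertion or hyphen away from the organization’s real domain. The trusted domain, staff directory and sample headers are constructed for the example.

```python
"""Flag inbound From: headers for display-name spoofing and lookalike domains.

Constructed example: the domain, staff names and headers are invented.
"""
from email.utils import parseaddr

# Constructed: the organization's real domain and staff names that a phisher
# could harvest from the public website or LinkedIn.
TRUSTED_DOMAIN = "examplehealth.org"
STAFF_DIRECTORY = {"dana reyes", "priya shah", "tom okafor"}

# Substitutions seen in lookalike domains: numeral 0 for letter o, 1 for l,
# 3 for e, 5 for s, plus an inserted hyphen. Undoing them lets a plain
# string comparison catch the imitation.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def normalize_domain(domain: str) -> str:
    """Undo common lookalike substitutions, e.g. 'examp1e-hea1th.org' -> 'examplehealth.org'."""
    return domain.lower().translate(HOMOGLYPHS)


def edit_distance_at_most_one(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip one character on the longer side (insertion/deletion) or both (substitution).
        i += 1 if len(a) >= len(b) else 0
        j += 1 if len(b) >= len(a) else 0
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify_sender(from_header: str) -> list:
    """Return the impersonation indicators found in one From: header."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    if domain == TRUSTED_DOMAIN:
        return findings  # genuinely internal domain; SPF/DKIM/DMARC checks belong elsewhere
    if display_name.strip().lower() in STAFF_DIRECTORY:
        findings.append("display-name-spoof")  # staff name on an external address
    if edit_distance_at_most_one(normalize_domain(domain), TRUSTED_DOMAIN):
        findings.append("lookalike-domain")  # one swap/insertion away from the real domain
    return findings
```

A mail gateway or SIEM rule would run `classify_sender` over the parsed From: header of each inbound message and quarantine or tag anything that returns a non-empty list.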
Phishing emails began in the mid-1990s, but they are still a huge threat nearly 30 years later.
Cybersecurity training programs require us to always be circumspect about emails we receive. Putting every email under a microscope is a laudable goal, but when our inboxes fill up with hundreds of messages every day, it’s hard to keep up.
Some organizations employ email warning tags as a method to combat malicious emails. This type of alert sits at the top of an email and typically includes the word “External” or “Caution” to remind recipients to verify an email’s source before opening a message.
Unfortunately, specialists worry that such tags only serve to reinforce lazy user awareness.
Furthermore, victims might not even notice the tag.
To protect staff, patients, and business partners from email fraud, consider these tactics:
Despite large investments in security, email fraud continues to rise. Cybercriminals are growing more advanced, and attacks are evading traditional security tools.
Taking a multilayer approach to cybersecurity, and protecting your most attacked employees, will significantly reduce risk and allow your institution to focus on patient care.