Securing the New Health Economy – Why Advanced Protection is needed Now
The new mantra for healthcare in the Information Age could easily parallel security in today’s evolving cybercrime era – it’s about people.
Recognizing the modern way people have become accustomed to consuming services, healthcare is evolving to be more patient centric. Similarly, cybersecurity also needs to evolve away from the network perimeter of the past to focus on people and how they work today. So, yes, in healthcare and cybersecurity, it’s about people.
More control and improved health outcomes for consumers are driving healthcare organizations away from the brick-and-mortar doctor’s office model toward something more expansive: an interconnected technological healthcare ecosystem.
The development of wearable medical devices, the electronic health record (EHR), and an avalanche of mHealth apps have revolutionized diagnosis, treatment and monitoring to benefit health consumers and professionals.
Unfortunately, broadening the technological landscape in healthcare has also expanded the opportunities for cybercrime, including:
- Theft of patient data
- Exploiting medical device vulnerabilities
- Siphoning off institutional data
- Holding patient records for ransom
Despite rushing to embrace technology and flinging open the network’s doors to anyone with a mobile phone and an online healthcare account, the industry has been slow to expand its security investments. The HIMSS 2016 Cybersecurity Survey found that 15 percent of acute-care providers (almost 900 hospitals in the U.S. alone) had not installed antivirus or anti-malware tools on their endpoints.[1]
In addition, at a time when ransomware and phishing attacks are plaguing the healthcare community, little attention is being paid to stopping these attacks before they reach employees. For example, controls in key areas such as messaging security gateways are not deployed in half of the nation’s hospitals, another finding of the HIMSS survey.
Ransomware made up 40 percent of spam emails sent in 2016, an IBM X-Force report found, underlining the point that attackers target people because it works.[2]
So, yes, it’s about the people.
Unfortunately, you cannot train phishing and impostor emails out of your organization. All it takes is one well-placed click, and all your phishing exercises and awareness efforts are for naught. These attacks are highly sophisticated and in many cases specifically target busy or inexperienced staff who are simply following their organization’s policies and procedures.
The reality is that many clinicians receive emails that appear to come from “safe” contacts such as a work colleague, even though the message may not be from that individual at all. Highly targeted email attacks are quickly becoming one of the most significant threats facing hospitals today, costing healthcare approximately $550M over the last two years.
More than 95 percent of those attacks spoof legitimate domains to target healthcare employees.[3] Attackers forge sender addresses at the hospital’s own domain to trick recipients into giving up patient data, credentials and funds. As ever with cybercrime, it takes just one click to compromise the environment, but only if the malicious email reaches a user’s mailbox in the first place.
Conclusion and Recommendations
When it comes to securing the connected healthcare environment, “Prevention is better than cure.” It is not enough to stop an attack once it has reached your network or landed on an endpoint. You need to stop advanced threats and targeted attacks before they ever reach an employee and offer them the chance to click and infect themselves. More than 90 percent of these attacks start with an email.[4] Email is now the number one threat vector for zero-day threats, ransomware, polymorphic malware, weaponized documents and credential phishing.
Most email systems do a good job of filtering and keeping spam out of your organization. It’s good basic protection to help you manage the volume of email you receive. However, it is not enough to keep advanced threats, including credential phishing, ransomware and socially engineered attacks out of your environment. Healthcare organizations need advanced capabilities in the flow of email to secure their communication and care collaboration with external parties.
Consider solutions with these capabilities:
Cloud-based sandbox in the flow of email that applies multi-stage analysis, combining static and dynamic techniques, to catch advanced threats and record the patterns, behaviors and tradecraft used in each attack. Viewing this data side by side with the intended recipients gives security teams the forensic information they need to know who is attacking and what they are after.
On the outbound side, it is more important to secure the data than the device. Healthcare workers collaborate using protected health information (PHI) all the time, and sending it unencrypted happens more often than not. Consider automated capabilities that can uncover data that needs protection, at rest and when emailed, and that encrypt messages automatically when protected information is sent, based on your policies.
Look for a solution that can retract malicious emails already delivered to users’ inboxes. Cleaning up malicious messages is often a manual process that starts with an alert or a complaint that a malicious email got through. Automating the retraction of the original message, and of any copies forwarded to other users, lets security teams quarantine email threats and reduce exposure time.
Phishing attacks that spoof trusted domain names are preventable. Email authentication (SPF, DKIM and DMARC) can nullify an entire class of email fraud, including BEC or impostor emails asking for wire transfers or for employees’ W-2 information, by protecting the trusted domains that belong to you, your business partners and your customers. With visibility into who is sending email on behalf of your enterprise, you can authorize all legitimate senders and block fraudulent messages before they reach your employees, partners and patients.
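As an illustration of the outbound policy just described, the following is an added example written for this page; it is not code from the original paper or from any vendor’s product. It scans a message for common PHI identifiers (SSN, medical record number, date of birth) and decides whether the message must be encrypted before it leaves the organization. The domain `hospital.example`, the MRN format and the sample messages are all constructed assumptions; real MRN formats are institution-specific.

```python
import re

INTERNAL_DOMAIN = "hospital.example"   # assumed organization domain

# Identifier patterns. The MRN shape (7-10 digits after "MRN") is an
# assumption; real medical record number formats are institution-specific.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*(\d{7,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})\b",
                    re.IGNORECASE)


def plausible_ssn(area, group, serial):
    """Reject shapes the SSA never issues (area 000, 666 or 900+, group 00,
    serial 0000) so that ticket numbers and phone extensions written as
    ddd-dd-dddd do not trigger encryption."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_phi(text):
    """Return {category: [matches]} for the PHI identifiers present in text."""
    hits = {
        "ssn": [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())],
        "mrn": [m.group(1) for m in MRN_RE.finditer(text)],
        "dob": [m.group(1) for m in DOB_RE.finditer(text)],
    }
    return {k: v for k, v in hits.items() if v}


def is_external(address):
    return address.rpartition("@")[2].lower() != INTERNAL_DOMAIN


def outbound_decision(message):
    """Policy: PHI leaving the organization is encrypted; PHI staying inside
    is allowed but logged; everything else passes unchanged.
    message = {"to": [...], "subject": str, "body": str, "attachments_text": [str]}
    where attachments_text is the extracted text of each attachment."""
    text = "\n".join([message.get("subject", ""), message.get("body", "")]
                     + message.get("attachments_text", []))
    hits = find_phi(text)
    if hits and any(is_external(r) for r in message["to"]):
        return "encrypt", hits
    if hits:
        return "allow-log", hits
    return "allow", hits


# Constructed sample messages; none of this is real patient data.
REFERRAL = {
    "to": ["cardiology@partner-clinic.example"],
    "subject": "Referral for J. Doe",
    "body": "Patient J. Doe, DOB: 04/12/1961, MRN: 00482913, SSN 219-09-9999. "
            "Please schedule an echo.",
    "attachments_text": [],
}
HANDOFF = {
    "to": ["nurse.station3@hospital.example"],
    "subject": "Bed 12 handoff",
    "body": "MRN: 00482913 transferred to step-down unit.",
    "attachments_text": [],
}
NOTICE = {
    "to": ["all-staff@hospital.example", "vendor@supplies.example"],
    "subject": "Parking lot B closed Friday",
    "body": "Questions to facilities, reference ticket 555-01-0000.",
    "attachments_text": [],
}

if __name__ == "__main__":
    for name, msg in [("referral", REFERRAL), ("handoff", HANDOFF), ("notice", NOTICE)]:
        print(name, *outbound_decision(msg))
```

The referral to an outside clinic is flagged for encryption, the internal handoff is allowed but logged, and the facilities notice passes even though it contains a ddd-dd-dddd string, because the serial 0000 is never issued as an SSN. Pattern matching alone is a floor, not a ceiling: a production control would also inspect attachment contents and apply recipient-specific policy, but the decision structure is the same.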
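The retraction capability described above amounts to a graph walk over the mail store. The following is an added example written for this page, not the paper’s or any product’s code: starting from the reported Message-ID it flags every copy reachable through threading headers (In-Reply-To and References, which forwards and replies usually carry) and through attachment hashes (which catch forwards made by clients that drop those headers, and separate deliveries of the same payload). The mailbox store, message IDs and attachment bytes are constructed for the example.

```python
import hashlib
from collections import deque


def digest(data):
    """SHA-256 of attachment bytes; a gateway would compute this at delivery."""
    return hashlib.sha256(data).hexdigest()


def find_copies_to_quarantine(store, seed_message_id):
    """Return the set of (mailbox, message_id) pairs to pull back.

    Starting from the reported message, follow two kinds of link until no new
    message appears: (1) threading headers, i.e. any message whose In-Reply-To
    or References cites a flagged Message-ID; and (2) attachment hashes, i.e.
    any message carrying an attachment also carried by a flagged message.
    store is a list of per-mailbox copies: {"mailbox", "message_id",
    "in_reply_to" (optional), "references" (optional), "attachment_hashes"}."""
    copies = {}    # message_id -> every mailbox copy carrying that id
    citing = {}    # message_id -> ids of messages that reference it
    by_hash = {}   # attachment hash -> ids of messages carrying it
    for msg in store:
        mid = msg["message_id"]
        copies.setdefault(mid, []).append(msg)
        refs = list(msg.get("references", []))
        if msg.get("in_reply_to"):
            refs.append(msg["in_reply_to"])
        for ref in refs:
            citing.setdefault(ref, set()).add(mid)
        for h in msg.get("attachment_hashes", []):
            by_hash.setdefault(h, set()).add(mid)

    flagged = set()
    queue = deque([seed_message_id])
    while queue:
        mid = queue.popleft()
        if mid in flagged or mid not in copies:
            continue
        flagged.add(mid)
        queue.extend(citing.get(mid, ()))
        for msg in copies[mid]:
            for h in msg.get("attachment_hashes", []):
                queue.extend(by_hash.get(h, ()))
    return {(msg["mailbox"], mid) for mid in flagged for msg in copies[mid]}


# Constructed mailbox store for illustration; none of this is real mail.
PAYLOAD = digest(b"constructed bytes of Invoice_0417.docm")
BENIGN = digest(b"constructed bytes of OR_schedule.pdf")

STORE = [
    # Original malicious message, delivered to two recipients
    {"mailbox": "alice@hospital.example", "message_id": "<m1@attacker.example>",
     "attachment_hashes": [PAYLOAD]},
    {"mailbox": "bob@hospital.example", "message_id": "<m1@attacker.example>",
     "attachment_hashes": [PAYLOAD]},
    # Alice forwards it to Carol; her client keeps References
    {"mailbox": "carol@hospital.example", "message_id": "<m2@hospital.example>",
     "references": ["<m1@attacker.example>"], "attachment_hashes": [PAYLOAD]},
    # Carol forwards on to Dave
    {"mailbox": "dave@hospital.example", "message_id": "<m3@hospital.example>",
     "references": ["<m1@attacker.example>", "<m2@hospital.example>"],
     "attachment_hashes": [PAYLOAD]},
    # Bob forwards to Erin from a client that dropped the threading headers
    {"mailbox": "erin@hospital.example", "message_id": "<m4@hospital.example>",
     "attachment_hashes": [PAYLOAD]},
    # Unrelated message with a different attachment
    {"mailbox": "frank@hospital.example", "message_id": "<m5@hospital.example>",
     "attachment_hashes": [BENIGN]},
]

if __name__ == "__main__":
    for mailbox, mid in sorted(find_copies_to_quarantine(STORE, "<m1@attacker.example>")):
        print("quarantine", mailbox, mid)
```

All five copies of the payload are found, including Erin’s, which no threading header points to, while Frank’s unrelated message is left alone. Following References is deliberately conservative: a plain reply in the same thread (“is this legitimate?”) would be flagged too, which is usually acceptable during an incident but worth knowing when you review the quarantine list.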
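The following added example, written for this page rather than taken from the paper or any product, shows the decision behind email authentication: it parses an Authentication-Results header (RFC 8601) as written by the receiving gateway, checks whether the passing SPF or DKIM identifier aligns with the visible From domain, and applies the domain owner’s DMARC policy (p=none, quarantine or reject) when neither aligns. The headers, domains and `org_domain` shortcut (last two labels instead of the Public Suffix List) are constructed assumptions.

```python
import re
from email.utils import parseaddr


def parse_authentication_results(header):
    """Parse an Authentication-Results header (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...]).
    Parenthesised comments such as "(sender IP is 203.0.113.5)" are dropped."""
    cleaned = re.sub(r"\([^)]*\)", " ", header)
    parts = [p.strip() for p in cleaned.split(";")]
    authserv_id = parts[0]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if value:
                props[key.lower()] = value.lower().rstrip(".")
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def org_domain(domain):
    """Organizational domain approximated as the last two labels. Real DMARC
    uses the Public Suffix List; this shortcut mishandles names such as
    example.co.uk and is an assumption of this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") needs the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_disposition(from_header, auth_results_header, policy, adkim="r", aspf="r"):
    """Return ("pass"|"fail", disposition).

    The message passes if a passing DKIM signature's d= domain or a passing
    SPF check's MAIL FROM domain aligns with the RFC5322.From domain. Otherwise
    the domain owner's published p= policy decides what happens to it."""
    _, from_addr = parseaddr(from_header)
    from_domain = from_addr.rpartition("@")[2]
    _, results = parse_authentication_results(auth_results_header)
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim" and "header.d" in props and aligned(props["header.d"], from_domain, adkim):
            return "pass", "deliver"
        if method == "spf" and "smtp.mailfrom" in props:
            # smtp.mailfrom may be a full address or just its domain
            mailfrom_domain = props["smtp.mailfrom"].rpartition("@")[2]
            if aligned(mailfrom_domain, from_domain, aspf):
                return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed headers for three situations; none are real mail.
# Impostor: From claims the hospital, but SPF passed for the attacker's own
# sending domain and there is no DKIM signature.
SPOOFED = ("Payroll <payroll@hospital.example>",
           "mx.hospital.example; spf=pass (sender IP is 203.0.113.5) "
           "smtp.mailfrom=bulk-mailer.example; dkim=none")
# Legitimate mail from the hospital's own servers.
LEGIT = ('"Dr. Smith" <smith@hospital.example>',
         "mx.hospital.example; spf=pass smtp.mailfrom=hospital.example; "
         "dkim=pass header.d=hospital.example")
# Authorized third-party sender: SPF identifies the vendor, but the message
# carries a DKIM signature from a hospital subdomain.
THIRD_PARTY = ("Appointments <noreply@hospital.example>",
               "mx.hospital.example; spf=pass smtp.mailfrom=bulk-mailer.example; "
               "dkim=pass header.d=mail.hospital.example")

if __name__ == "__main__":
    for name, (frm, ar) in [("spoofed", SPOOFED), ("legit", LEGIT), ("third_party", THIRD_PARTY)]:
        print(name, *dmarc_disposition(frm, ar, policy="reject"))
```

The impostor message is rejected even though it passed SPF, because the passing identifier belongs to the attacker’s mailer and not to the domain shown in From; that is exactly the class of BEC that a plain SPF check lets through. The third-party sender passes under relaxed DKIM alignment but fails under strict alignment, which is the trade-off to weigh before publishing `adkim=s`.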
[1] HIMSS, “2016 HIMSS Cybersecurity Survey,” August 2016.
[2] IBM, “Ransomware: How Consumers and Businesses Value Their Data,” December 2016.
[3] Ponemon Institute, “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” May 2016.
[4] Verizon, “2016 Data Breach Investigations Report,” April 2016.