Part One: Email Phishing Attack
By. R. Christopher Dix, Esq. and Kayla A. Haines, Esq.
Cyberattacks are a growing threat across all sectors. For the healthcare industry, cyberattacks are particularly troubling because they threaten not only the security of an organization’s systems and information, but also the health and safety of patients. No healthcare organization can escape this reality. Most healthcare organizations try to avert cyberattacks, but even the most hypervigilant healthcare organizations are vulnerable to attackers that are adapting to increased security measures, systems, and processes.
The Department of Health and Human Services recently published a report entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” See https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.
The Department collaborated with industry partners to develop “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes, ranging from local clinics, regional hospital systems, to large healthcare systems.” These organizations determined it was not feasible to address every cybersecurity threat across the entire U.S. healthcare industry; thus, the report focuses on the five most prevalent threats. This is the first of a five articles that will discuss the report’s findings. The first threat is email phishing attacks.
I. What is email phishing?
Email phishing is an attempt to trick someone into giving out information using email. Usually, an incoming phishing email includes an active link or file attachment and appears to come from a legitimate source, such as a friend, coworker, manager, company, or even the user’s own email address. Clicking to open the link or file takes the user to a website that solicits sensitive information or infects the computer. Accessing the link or file may also cause malicious software to be downloaded, or permit attackers to access information stored on a computer or other networked storage.
II. Vulnerabilities and negative impact of an email phishing attack
An organization’s vulnerabilities to email phishing attacks include (i) a lack of employee awareness training, (ii) lack of IT resources for managing suspicious emails, (iii) lack of software scanning emails for malicious contents or bad links, and (iv) lack of email sender and domain validation tools. An organization affected by an email phishing attack might suffer a loss of reputation in the community, stolen access credentials used for accessing sensitive data, erosion of trust, and a negative impact on the ability of the organization to provide timely and quality patient care.
III. Practices and tips to consider
The report discussed several practices an organization should consider to reduce vulnerability to an email phishing attack:
- Be suspicious of emails from unknown senders, emails that request sensitive information such as protected health information, and emails that include a call to action that stresses urgency or importance.
- Train staff to recognize suspicious emails and to know where to forward them.
- Never open email attachments from unknown senders.
- Tag external emails to make them recognizable to staff.
- Develop and implement an incident response plan to manage and mitigate the damages and impact of successful phishing attacks.
- Implement advanced technologies for detecting and testing email for malicious content or links (before the email is delivered to the recipient).
- Implement multifactor authentication.
- Implement proven and tested response procedures that are followed when employees click on phishing emails.
- Establish cyber threat information sharing with other healthcare organizations.
The report also discussed quick tips for when you believe you have encountered an email phishing attack, including:
What to ask?
- Do you know the sender? Are you suspicious of the email? If in doubt, DO NOT open any email attachments.
- Are there any spelling or grammatical errors, or any other indicators that the tone or style of the email is off?
- Before clicking on a link, did you hover over it to see the URL destination?
- What are my organization’s processes for reporting suspicious emails?
When to ask?
- The best time to familiarize employees with an organization’s policies for reporting suspicious emails is when employment begins.
- When you receive an email that sounds too good to be true or that you were not expecting, ask and verify before opening.
Who to ask?
- Check with colleagues to discover whether they received the same “phishy” email.
- Seek guidance from IT.
- Talk with IT to discover whether your account is protected with the proper security filters to ward off unwanted junk mail.
Email phishing attacks are the most common form of cybersecurity attacks, but also one of the easiest attacks to prevent. With proper training, IT personnel, software and systems, and open communication between employees and IT staff, healthcare organizations can easily protect themselves from this type of attack.
Our next blog will discuss another common cyberattack threatening the healthcare industry: Ransomware.
Follow us on for more content updates