Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months.

Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year.

While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector.

When asked to rank attack vectors, email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations.

59% of organizations ranked email first, second, or third as the most likely attack vector. In second place were laptops, which were ranked 1, 2, or 3 by 44% of organizations.

Given the frequency of email-based attacks this year, it is no surprise that healthcare organizations believe email-related security attacks will continue to cause problems, and that they are likely to increase or significantly increase in the future.

A recent study conducted by Malwarebytes showed ransomware attacks are already 62% more prevalent than in 2016, and have occurred at almost 2,000 times the rate in 2015. The 2017 Verizon Data Breach Report suggests 72% of all malware used to target the healthcare industry is ransomware.

Those findings were backed up by the HIMSS Analytics survey. Ransomware was seen as the most serious threat by 83% of respondents. Malware was rated second, followed by spear phishing attacks and Business Email Compromise (BEC) attacks.

The importance of securing email is clear. Email is used to communicate protected health information by approximately 80% of healthcare organizations. Email is also rated as an essential communication tool and is considered critical by 93% of respondents, while 43% said email was mission critical and that their organization could not tolerate email downtime.

It is understandable given the frequency of email-based attacks and the importance of email in healthcare that organizations have a high level of concern about cybersecurity and their ability to repel email-based attacks.

Resilience to ransomware and malware attacks was rated as the top initiative for building a cyber resilience strategy, while training employees to be more security aware is the second highest priority over the following 12 months. Securing email was third.

David Hood, Cyber Resilience Strategist for Healthcare at Mimecast, said, “This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices. It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Mimecast provided five suggestions on how healthcare organizations can reduce the risk of email-based threats:

  1. Train employees on the risks associated with email and provide real-time reminders rather than relying on an annual training session.
  2. Analyze all inbound email attachments and scan for malware and malware downloaders.
  3. Implement a web filtering solution to check URLs when a user clicks, not just at the point emails enter the organization.
  4. Inspect outbound emails to check that protected health information is not being sent to individuals unauthorized to receive it, and to determine whether email accounts may have been compromised.
  5. Finally, it is essential that data backups are regularly performed to ensure that in the event of a ransomware attack, healthcare organizations do not face data loss and are not forced to pay ransoms.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.