HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information.

Phishing on an Industrial Scale

More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day, or around 390,000 new phishing webpages every month. By Q3 2017, that figure had risen to more than 46,000 new phishing webpages a day, or around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing-related security incident in the past two years.

Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4 and 6 hours, although that short time frame is sufficient for each site to capture many users’ credentials. Many of those websites also have an SSL certificate, so they appear to users to be secure websites. A website address starting with HTTPS is no guarantee that the site is not being used for phishing.

Study Provides Insight into Phishing Tactics

While phishers often use their own domains to phish for credentials, a recent report from Duo Security showed legitimate websites are increasingly being compromised and loaded with phishing kits. The study identified more than 3,200 unique phishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and sold to accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.

Duo Security notes that persistence is maintained by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to prevent detection. The Webroot report also highlighted an increase in the use of benign domains for phishing.

The phishing kits are typically loaded into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should monitor for file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to improve resilience against brute force attacks.
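
The file-change monitoring recommended above can be sketched as a baseline-and-compare check over the directories just listed, which also reports IP-blocking lines in any new or changed .htaccess file. This is an added example, not code from Duo Security, Webroot or HIPAA Journal. It assumes the web root can be read locally and that IP blocks use the Apache `Deny from` or `Require not ip` directives; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration; function names and the sample tree are hypothetical.
# Directory names the article lists as common phishing-kit locations.
WATCHED = {"wp-content", "wp-includes", "wp-admin", "signin", "images",
           "js", "home", "myaccount", "css"}

def snapshot(webroot):
    """Map relative path -> SHA-256 for files under any watched directory."""
    root, hashes = Path(webroot), {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and WATCHED.intersection(rel.parts[:-1]):
            hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare(baseline, current):
    """Return sorted (kind, path) findings between two snapshots."""
    found = [("added" if p not in baseline else "modified", p)
             for p, d in current.items() if baseline.get(p) != d]
    found += [("removed", p) for p in baseline if p not in current]
    return sorted(found)

def htaccess_ip_rules(webroot, findings):
    """Map each added or modified .htaccess to its IP-blocking lines."""
    hits = {}
    for kind, rel in findings:
        if kind != "removed" and Path(rel).name == ".htaccess":
            text = (Path(webroot) / rel).read_text(errors="replace")
            hits[rel] = [ln.strip() for ln in text.splitlines() if ln.strip()
                         .lower().startswith(("deny from", "require not ip"))]
    return hits

def demo():
    """Constructed sample: clean tree, then new files appear in wp-includes."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp) / "wp-includes" / "login"
        kit.mkdir(parents=True)
        (Path(tmp) / "wp-includes" / "version.php").write_text("<?php // core\n")
        baseline = snapshot(tmp)
        (kit / "index.php").write_text("<?php // constructed placeholder\n")
        (kit / ".htaccess").write_text("deny from 192.0.2.10\n")
        (Path(tmp) / "index.html").write_text("outside watched dirs\n")
        findings = compare(baseline, snapshot(tmp))
        return findings, htaccess_ip_rules(tmp, findings)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the web server, so that an intruder who can write to the site cannot also rewrite the reference hashes.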

How to Prevent Phishing Attacks

Unfortunately, there is no single solution that will allow organizations to prevent phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare industry, phishing defenses are a requirement of HIPAA and steps must be taken to reduce risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in financial penalties for noncompliance.

Defenses should include a combination of technological solutions to prevent the delivery of phishing emails and to block access to phishing URLs. Employees must also receive regular training to help them identify phishing emails.

As OCR pointed out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires organizations to provide regular security awareness training to employees to help prevent phishing attacks. OCR explained that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

Due to the increased use of HTTPS, it is no longer sufficient for users to check that the site is secure to avoid phishing scams. While a site starting with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate does not mean it can be trusted. Users should also be told to pay particular attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to disclose any login credentials.

Even with security awareness training, employees cannot be expected to recognize all phishing attempts. Phishers are developing increasingly sophisticated phishing emails that are barely distinguishable from genuine emails. Websites are harder to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to fool end users. Technological solutions are therefore required to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.

Anti-spam software is essential for reducing the volume of emails that are delivered. Organizations should also consider using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not rely on blacklists and banned IP addresses to block attacks. Blacklists still have their uses and can prevent phishing attacks, but phishing websites are typically only active for a few hours before the sites are identified as malicious and added to blacklists. A range of additional detection mechanisms is required to block phishing websites. Due to the increase in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.

Healthcare organizations should also sign up to threat intelligence services to receive alerts about industry-specific attacks. To avoid being swamped with irrelevant threat information, services should be tailored to ensure only threat information relevant to each organization is received.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.