HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Prevention Tips for Healthcare Organizations

Phishing attacks continue to be a problem for the healthcare industry and are a leading cause of data breaches. Phishing is commonly used to deliver malware, and many ransomware attacks start with phishing. Phishing prevention requires a combination of technical solutions, policies, procedures, and training. In this post, we share some phishing prevention tips and cybersecurity best practices that are effective at improving organizational resilience to phishing attacks.

What is Phishing?

Phishing is a form of social engineering where individuals are tricked into taking actions that benefit the attacker. The aim could be to convince an employee to disclose sensitive information via email, such as employees’ W-2 forms. Phishing attacks are commonly conducted to obtain login credentials, usually by tricking individuals into visiting a malicious URL. Phishing is also used for malware distribution through email attachments containing malicious scripts or links to URLs where malicious file downloads occur.

A huge range of lures are used in phishing to trick people into taking the requested actions, and trusted individuals and companies are often spoofed to make the campaigns believable. Many phishing lures mimic genuine communications sent by companies and they can be hard to distinguish from legitimate communications.

The Different Types of Phishing

Phishing is a broad term with many different subtypes. While phishing is most commonly associated with email, in recent years there has been an increase in other forms of phishing. A phishing prevention strategy should therefore be developed for tackling all forms of phishing.

  • Email Phishing – The most common type of phishing. Emails are sent in large, untargeted campaigns. These campaigns use large email lists obtained from data breaches or from scraping websites. Business-themed emails are used that mimic genuine business communications.
  • Spear Phishing – A targeted form of phishing where communications are personalized and tailored for an individual or a small group of individuals. Targets are often researched to increase the likelihood of getting a response.
  • Whaling – A highly targeted form of spear phishing that goes after the big fish in a company – the CEO, CFO, or other board members.
  • SMS Phishing (Smishing) – Phishing messages are sent via SMS, most commonly including links to malicious websites for gathering sensitive information such as credit card numbers, Social Security numbers, and credentials for email and online banking accounts. URL shortening services are often used to mask the destination URL. These attacks have increased as awareness of email-based phishing has improved.
  • Instant Messaging Phishing – Phishing attacks are conducted via instant messaging services such as WhatsApp, Skype, and Facebook Messenger.
  • Social Media Phishing – Phishing attacks are conducted via social media networks, often through posts offering discounted purchases or competitions. These scams gather sensitive information that can be used to gain access to a user’s social media account, allow an attacker to craft a convincing spear phishing attack, or trick people into parting with credit card details or other sensitive information.
  • Voice Phishing (Vishing) – Phishing attacks that take place over the telephone, where the targeted individual is convinced to disclose sensitive information or download a malicious file. Vishing attacks are often combined with email lures to trick people into calling the scammers (callback phishing).

Phishing Prevention

Phishing prevention requires more than just a spam filter and antivirus software, although these are important elements of a phishing prevention strategy. Phishing attacks have become highly sophisticated: phishing emails often bypass email security gateways, and novel malware variants are not detected by standard email security solutions. The key to phishing prevention is to implement multiple layers of security, so that if one element of your defenses fails, other safeguards are in place to provide protection.

Email Security Software

A secure email gateway or spam filter is essential for identifying and blocking phishing emails and preventing them from reaching inboxes where they can be opened by employees. Advanced email security solutions feature machine learning/AI-based detection that can predict new types of phishing attacks, along with blacklists, email header checks, and antivirus scans of email attachments. Look for an email security solution with sandboxing, which allows the behavior of attachments to be analyzed for malicious actions.

Web Filters

A web filter tackles phishing from a different angle by blocking access to malicious websites where credentials are harvested or malware is downloaded. Web filters are fed threat intelligence on malicious URLs and any attempt to visit those URLs is blocked, regardless of how a URL is encountered – smishing, vishing, email, social media, web browsing, or instant messaging. Web filters can also be configured to block access to risky websites where a malware download is more likely, and to block certain types of file downloads.

Antivirus Software

Antivirus software should be deployed on all endpoints and should be set to update automatically. Standard antivirus software provides signature-based detection, which means malicious code can only be identified if the signature for that code is present in the definition lists of the software. For greater protection against zero-day threats, choose a more comprehensive endpoint security solution that also includes behavior-based detection mechanisms.

Multifactor Authentication

Multifactor authentication protects against the use of stolen credentials. If credentials are stolen in a phishing attack or are otherwise obtained (e.g., a brute force attack), those credentials will not grant access to resources unless a second form of authentication is provided. According to Microsoft, multifactor authentication will block 99% of automated attacks on accounts.

Security Awareness Training

Technical defenses against phishing are important but don’t neglect security awareness training. The purpose of security awareness training is to teach employees how to practice good cyber hygiene, to make them aware of threats they are likely to encounter, to eradicate bad security practices, and to teach employees how to recognize and avoid phishing attacks. Security awareness training should be provided regularly, and employees should be made aware of the latest threats.

Install an Email Client for Easy Reporting of Suspicious Emails

One of the goals of security awareness training is to get employees to stop and think before taking any action requested in emails or other communications; however, employees cannot be expected to be able to correctly identify every threat. You should therefore encourage employees to report any suspicious communication to the security team and make this as easy as possible by installing an email client that allows one-click reporting of suspicious emails.

Phishing Simulations

Employees may be able to correctly identify phishing emails in a training setting, but will they be able to identify phishing emails when they are busy at work? If you conduct phishing simulations, you can test whether training is being applied and can identify individuals who are susceptible to phishing. When an employee fails a phishing simulation, they can be provided with targeted training in real time. Phishing simulations can also identify weaknesses in the training program, which can then be proactively addressed. Phishing simulations are an often-underutilized phishing prevention measure, but they are a key part of reducing the susceptibility of employees to phishing attacks.

Set a Robust DMARC Policy

DMARC is a protocol for authenticating emails to ensure that the person sending an email is authorized to send emails from that domain. By setting a DMARC record you can tell others how to handle unauthorized use of your email domains. You can set three different policies – none, quarantine, or reject. By setting reject, you will ensure that unauthorized emails are not delivered. This phishing prevention measure will prevent abuse of your company domain(s).
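
The following is an added example, not part of the original article: a short Python audit of a DMARC TXT record that reports why a policy falls short of reject. It goes beyond the three policies named above by also checking the sp, pct, and rua tags from the DMARC specification; the example.org records are constructed samples, not real DNS data.

```python
# Added example: audit a DMARC TXT record for settings weaker than full enforcement.
# The records in SAMPLES are constructed for example.org, not taken from real DNS.

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings; an empty list means reject is fully enforced."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or not record.strip().lower().startswith("v="):
        return ["not a valid DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        return ["missing or unknown p= policy"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; unauthorized mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine diverts unauthorized mail; only reject blocks it")
    # Subdomains inherit p= unless sp= overrides it.
    sub = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub, -1) < POLICY_STRENGTH[policy]:
        findings.append("sp=%s is weaker than p=%s for subdomains" % (sub, policy))
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    return findings


SAMPLES = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=reject; sp=none; pct=25",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, "->", audit_dmarc(rec) or "OK")
```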

Keep Software Updated

You should ensure that all software is kept up to date and patches are applied promptly to prevent vulnerabilities from being exploited via malicious attachments in emails, malicious websites, or remote attacks on your organization.

Flag Emails from External Sources

Consider adding a banner to all emails that come from external sources to alert employees that there is greater potential for the email to be malicious. Email spoofing is common and phishing campaigns often use messages that appear, at first glance, to have been sent internally. You can do this by enabling the external email tag in Exchange Online or you can add a custom banner to the top of all external emails.

Disable Macros by Default

You should ensure that macros are disabled by default as Office macros are commonly used to install malware. In 2022, Microsoft launched a new phishing prevention feature that blocks macros by default in all Office files delivered via the Internet.

Summary

There is no silver bullet when it comes to phishing prevention. You need to adopt a defense-in-depth approach to security and have multiple layers of protection. With a comprehensive phishing prevention strategy, you will be able to greatly improve organizational resilience to all types of phishing attacks.