Phishing, Spear Phishing and Malware: How Hackers Gain Access to PHI

Criminals looking to break through the cybersecurity defenses put in place by health insurers and healthcare providers – to safeguard Protected Health Information (PHI) – can choose an easy or hard way to gain access to the data.

Unsurprisingly, many choose the easy route in and exploit one of the largest security vulnerabilities, one that many healthcare providers have failed to address: the end users sitting at a terminal, PC or laptop with access to the network, email and EHRs.

IT staff can build multi-layered defenses and lock servers in impenetrable vaults, yet the army of healthcare workers who have full access to EHRs are an easy way for hackers to sneak through sophisticated defenses, undetected.

If end users can be convinced to divulge their login credentials, or, even easier, to click on a malicious link or download and double-click a malware-infected attachment, the thieves can be in and out of a system in about the time it takes to copy a database full of patient health records. Fortunately, many tech-savvy healthcare workers will be able to spot a phishing campaign, but not all staff will.

Phishing for Login Details

Phishing is a term used to describe a technique hackers and criminals use to obtain sensitive information. It is essentially throwing a few baited hooks in the water to see if anything bites: sooner or later, something will. The tactic is simple, yet this method of breaking into healthcare databases can be highly effective. All it takes is an email requesting login information.

When an ethical hacker is employed to test a company’s security defenses, the first place many start is with the staff using the system. The staff can do a lot of the hard work of bypassing healthcare security defenses for the attacker. Links to malicious websites or attachments loaded with malware are sent, and when the links or attachments are clicked, the hacker can obtain passwords, security keys, emails and login credentials.

Phishing is often referred to by healthcare providers as being “highly sophisticated” in nature – usually after suffering a data breach – but the technique is actually as simple as it can be. Hacking packs can even be bought online, allowing phishing campaigns to be sent by people with very little technical skill.

Spear Phishing

There is a more intelligent and sophisticated approach used by skilled hackers, which is more likely to yield data quickly. Instead of many baited hooks, the skilled hacker only needs one; it just needs to be very carefully placed. These phishing campaigns – termed spear phishing – require more work, but they can be highly effective and very convincing.

A hacker will need to have an email address, which can be obtained from a previous data breach or can be guessed from the format of other company emails. A hacker could even send a variety of combinations until they find one that is delivered to a live mailbox. When a suitable target is identified, the hacker then sets up the spear phishing campaign.

In order to maximize the chances of a phishing campaign working, the email, attachment or link must appear to be genuine. To do this, the hacker must learn about the intended victim. Fortunately for hackers, there are social media channels such as Twitter and Facebook where a great deal of personal information is available.

A little research can reveal a lot: friends, acquaintances, likes and dislikes, what that person has done and, in the case of LinkedIn, their professional background.

With an email address, personal information and friends’ names, emails can be created that will have a high chance of fooling the user. They can be masked to appear from friends, encouraging the user to click on a bright blue underlined link, download an attachment and give the hacker full access to their accounts.

How to Identify and Avoid Phishing Campaigns

Unfortunately, with so many users on a healthcare network and highly convincing lures, phishing campaigns are a serious problem for IT professionals and HIPAA covered entities. They have been behind some of the largest data breaches, such as those suffered by CareFirst and Anthem. Seton Family of Hospitals suffered a phishing attack in April, as did St. Agnes Health Care, while Beacon Health reported being affected by a phishing email this month.

The only effective way of managing the risk of data exposure via phishing, spear phishing and malware is with more robust data security policies and staff training.

It can be hard to spot a phishing campaign, which is why staff must be specifically trained on how to identify malicious links, attachments and phishing emails, as well as being made aware of the procedures to follow when a suspect link or attachment is received.
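The spoofing described above (an email masked to appear from a colleague, carrying a link whose visible text hides its real target) can be checked for mechanically before a message reaches a user. The following is an added example, not code from the original article: it parses two constructed messages with Python's standard `email` module and lists the indicators a mail gateway or awareness tool could flag. The colleague, domains and message contents are all hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical known colleague (constructed for this example, not a real address).
KNOWN_CONTACTS = {"Dana Reyes": "dana.reyes@example-hospital.org"}
# Constructed lure, not from a real incident: a colleague's display name on a lookalike
# domain, a foreign Reply-To, a link whose text differs from its target, and a password request.
LURE = """\
From: "Dana Reyes" <dana.reyes@examp1e-hospital.net>
Reply-To: records-update@mailbox-free.example
Subject: Updated EHR login portal
Content-Type: text/html

<p>Hi, please confirm your EHR password at the new portal:
<a href="http://ehr-login.example-bad.net/">https://ehr.example-hospital.org/login</a></p>
"""
# Constructed benign note from the same colleague, for comparison.
BENIGN = """\
From: "Dana Reyes" <dana.reyes@example-hospital.org>

Moved to 3pm, same room.
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
CREDENTIAL_RE = re.compile(r"\b(password|login credentials|security key)s?\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    """Return the reasons a single-part message looks like a spear-phishing lure."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. A known contact's display name paired with an address that is not theirs.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' used with unexpected address {addr}")
    # 2. Replies would go to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain")
    body = msg.get_payload()  # single-part 7-bit message, so the payload is already text
    # 3. Visible link text is a URL that does not match where the href actually goes.
    for href, text in ANCHOR_RE.findall(body):
        shown = text.strip()
        if shown.lower().startswith("http") and shown.rstrip("/") != href.rstrip("/"):
            reasons.append(f"link text '{shown}' hides target {href}")
    # 4. The message asks for credentials, which no legitimate process requests by email.
    if CREDENTIAL_RE.search(body):
        reasons.append("message asks for credentials")
    return reasons
```

Running `phishing_indicators(LURE)` yields four indicators while the benign note yields none; real gateways add sender authentication (SPF, DKIM, DMARC) on top of heuristics like these.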

Training is mostly about making sure employees think before clicking, even if the email appears to come from a friend or colleague. They must also never, under any circumstances, divulge login credentials or security keys in an unsecured email.

End users must also be instructed on creating secure passwords containing alphanumeric characters that are difficult to guess, and these must be changed regularly. It should not be possible to guess a password from information that can be found in a Facebook account.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.