HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Protect Healthcare Data from Phishing

The Threat of Phishing Attacks on the Healthcare Industry

One of the key areas of online security that every HIPAA-covered entity should make a priority is protecting healthcare data from phishing. Phishing attacks are becoming a greater threat to the healthcare industry than any other attack vector. Recently, almost 25,000 patient records were accessed by hackers as the result of a phishing attack on Saint Agnes Health Care Inc. in Maryland.

Phishing attacks on the healthcare industry usually have one of two objectives – to obtain access to PHI or to deliver ransomware. PHI is now a valuable commodity on the black market, as it can be used to create false identities, obtain free medical treatment, and commit insurance fraud. Once ransomware has been installed on a healthcare organization's network, hackers can demand significant ransoms for the encrypted files to be unlocked.

The number of phishing attacks on the healthcare industry is increasing, despite organizations providing online security training to employees. Many of the successful attacks are attributable to the increasing number of employees using their mobile devices at work, who fail to translate their online security training to their mobile online activities. With the increased adoption of BYOD policies in the healthcare industry, organizations need to increase their efforts to protect healthcare data from phishing.

How Phishing Attacks on the Healthcare Industry are Deployed

Before illustrating how to protect healthcare data from phishing, it is best to explain how phishing attacks on the healthcare industry are deployed. Most phishing attacks on the healthcare industry are deployed by email – although attacks via social media and malvertising are also known to have occurred. The communications generally look authentic, and instruct employees to follow a link to a web page – where they will be asked to complete some action that triggers a malware download, or to enter their username and password to continue.

The malware download may not necessarily contain ransomware. Surveillance software such as adware and keystroke loggers can be downloaded to follow an employee's online activities and record their usernames and passwords. Other types of malicious software can be downloaded to create gateways for hackers to enter an organization's network remotely. If the phishing attempt has been successful in obtaining a username and password, the hacker will likely be able to access PHI almost immediately.

How to Protect Healthcare Data from Phishing

Because there are so many vehicles through which employees can receive communications instructing them to visit an unsafe website, the best way to protect healthcare data from phishing is to prevent employees from being able to visit the unsafe website. This can be achieved through the use of a web filter that is configured to deny access to fake websites and websites harboring malware, and that will block the downloading of file types most commonly associated with malware.

Web filters protect healthcare data from phishing attacks through the use of blacklists, category filters and keyword filters:

  • Blacklists deny access to websites known to be unsafe or that disguise their true identity behind a proxy server. Blacklists are updated frequently to reflect recently reported phishing attacks on the healthcare industry and other threats to online security.
  • Category filters deny access to categories of websites that typically harbor malware. System administrators can configure web filters to deny access to many different categories of website, such as those containing pornography, freeware or pharmaceutical products.
  • Keyword filters allow system administrators to fine-tune web filtering parameters to control access to websites containing specific words or file types. Like category filters, keyword filters can be set by individual users, user-groups or universally.

These three mechanisms work in unison to protect healthcare data from phishing and to prevent other web-borne threats. Most web filters used to prevent phishing attacks on the healthcare industry now also have SSL inspection, which decrypts, inspects and re-encrypts traffic to apparently secure websites to check for the presence of malware. Unfortunately, an SSL certificate is no longer a guarantee of security, and many apparently secure sites have been discovered to have security vulnerabilities that could be exploited by a hacker.
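As an added illustration (not code from the article or from any particular filtering product), here is a small Python policy engine that chains the three mechanisms above, plus a file-type rule, and applies them per user-group; all hosts, categories, group names and URLs are constructed assumptions.

```python
"""Toy web-filter policy engine: blacklist, category filter, file-type and
keyword filters, evaluated per user-group. Added example; sample data is
constructed and a real filter would load blacklists and categories from a feed."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data (assumed hostnames, not real sites).
BLACKLIST = {"login-portal-update.example", "free-proxy.example"}
CATEGORIES = {
    "streaming.example": "video",
    "downloads.example": "freeware",
    "ehr.hospital.example": "clinical",
}
# File types most commonly associated with malware downloads.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}


@dataclass
class GroupPolicy:
    """Per-group settings: category and keyword filters are tunable by group."""
    blocked_categories: set = field(default_factory=set)
    blocked_keywords: set = field(default_factory=set)


POLICIES = {
    "clinical-staff": GroupPolicy({"freeware"}, {"crack", "keygen"}),
    "guest-wifi": GroupPolicy({"freeware", "video"}, {"crack", "keygen", "torrent"}),
}


def evaluate(url: str, group: str) -> tuple[bool, str]:
    """Return (allowed, reason). Blacklist wins first, then category, file type, keyword."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    policy = POLICIES.get(group, GroupPolicy())  # unknown group: blacklist/file-type only
    if host in BLACKLIST:
        return False, "blacklist"
    category = CATEGORIES.get(host, "uncategorized")
    if category in policy.blocked_categories:
        return False, f"category:{category}"
    for ext in BLOCKED_EXTENSIONS:
        if path.endswith(ext):
            return False, f"filetype:{ext}"
    for word in policy.blocked_keywords:
        if word in url.lower():
            return False, f"keyword:{word}"
    return True, "allowed"
```

Decisions are returned with the rule that fired so they can be logged, which is what an incident responder will want when tracing how a phishing link was handled.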

How Web Filters Enhance Workplace Productivity

In addition to improving a healthcare organization's online security posture, the mechanisms used to protect healthcare data from phishing can also be used to enhance workplace productivity. The increased adoption of BYOD policies in the healthcare industry has resulted in a higher potential for employees to engage in "cyberslacking" – the practice of using an organization's Internet service for non-work-related activities.

Although some personal use of the Internet at work is considered by some to be positive for productivity, too much personal use can have negative effects and cause resentment among colleagues. System administrators can configure the parameters of a web filter to prevent the abuse of Internet privileges, avoid potential HR issues and enforce acceptable use policies – either by individual users or user-groups as mentioned above, or with time-based controls.

Other Benefits of Web Filtering for the Healthcare Industry

Web filtering for the healthcare industry can have other benefits beyond helping to protect healthcare data from phishing and enhancing workplace productivity. In medical facilities where bandwidth is an issue, web filtering parameters can be configured to restrict how much bandwidth each device is allowed within a certain timeframe, or to restrict access to bandwidth-hogging websites such as video streaming websites during the busiest part of the day.

A web filter can also be used to prevent hospital patients and visitors from being exposed to objectionable material being publicly viewed by another patient or visitor, or a child being exposed to adult content while sitting in a hospital waiting room. Many hospital patients and visitors want to be able to access hospital WiFi networks, and will appreciate a safe browsing environment – free from the threat of malware and exposure to inappropriate content.