HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations

A new report from Proofpoint offers insights into the cyber threats faced by healthcare organizations and the most common attacks that lead to healthcare data breaches.

Proofpoint’s 2019 Healthcare Threat Report highlights the ever-changing threat landscape and how the tactics used by cybercriminals are in a constant state of flux.

The study – conducted between Q2, 2018 and Q1, 2019 – shows how the malware variants used in attacks often change. Ransomware was a popular form of malware in Q2, 2018 and was used in many attacks on healthcare organizations, but ransomware incidents then dwindled rapidly as cybercriminals switched their attention to banking Trojans. For the remaining three quarters of the study period, banking Trojans were the malware variant of choice, although ransomware is now proving popular once again.

Proofpoint’s research shows banking Trojans were the biggest malware threat to healthcare organizations for the period of the study, accounting for 41% of malicious payloads delivered via email between Q2 2018 and Q1 2019. In Q1, 2019, the biggest threat came from the Emotet banking Trojan, which accounted for 60% of all malicious payloads.

While phishing attacks are a constant threat, malware attacks were more numerous over the period of study, although phishing attacks have increased considerably in 2019. Malware is often spread via email attachments, but URLs are also used to deliver malware. The embedded hyperlinks can direct users to phishing websites where credentials are stolen, but they can also send healthcare employees to websites where malware is silently downloaded. 77% of email-based attacks during the period of study used malicious URLs

Malicious emails are more likely to be opened if the sender of the email is known to the recipient. 95% of targeted healthcare companies received emails that spoofed their own trusted domain and 100% of targeted healthcare companies had their domain spoofed in attacks on their patients and business partners.

On average, targeted healthcare organizations received 43 imposter emails in Q1, 2019, an increase of 300% from Q1, 2018. Those attacks saw an average of 65 members of staff attacked at each healthcare organization.

While the subjects of the emails were highly varied, most commonly the subject lines contained the words “urgent”, “payment”, or “request.” Those words were included in 55% of malicious emails. Malicious emails are most commonly sent during business hours when employees are at their desks, usually between 7am and 1pm, Monday to Friday.

While spray and pray tactics are still used by cybercriminals to get their phishing emails and malware out to as many individuals as possible, many healthcare email attacks are much more targeted. Proofpoint analyzed email attacks at several healthcare organizations and found that some individuals are more targeted than others.

These “Very Attacked Persons” or VAPs include doctors/physicians, researchers, and admin staff at healthcare providers, customer support/sales staff, admin staff, and IT teams at health insurers, and executives, marketing employees, and logistics/sourcing and supply chain staff at pharma firms.

Shared email aliases used to request patient information or for patient portals received the most malicious emails. These email addresses have the potential to result in multiple malware infections and several responses to phishing emails.

Blocking these threats requires layered defenses. Anti-phishing and anti-malware solutions should be implemented to protect the email system, filtering controls are required to block web-based threats, anti-malware controls are required on endpoints, and employees must receive regular training to help them identify threats and condition them to take appropriate action when a suspicious email is received.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.