The phishing problem in healthcare

The healthcare sector has been inundated with cyberattacks in 2020 and 2021. Though they come from all different angles, the top one, by far, is email. If email is not protected, breaches will happen. And in healthcare, that leads to the release of sensitive information.

The rise of email-related breaches in healthcare has been staggering. In 2012, according to data from the Department of Health and Human Services, just 4 percent of breaches involved email. In 2020, that number reached 42 percent.

Perhaps it’s no surprise that both COVID-19 and major phishing increases in healthcare hit at the same time. Hackers are particularly skilled at taking advantage of human and systems weaknesses. When the healthcare sector worldwide began struggling with the COVID-19 pandemic, hackers saw an opportunity to leverage years of increasing and earlier attacks on the healthcare sector.

In 2018, 83 percent of healthcare groups reported increases in cyber attacks. Some two-thirds of global healthcare groups have experienced an attack in their firms’ lifetime, of which 53 percent occurred in the last year. That’s because of the value of patient information. Patient medical records can be sold on the black market for as much as 50 times more than personal financial information.

That bonanza continued in 2020. According to the 2020 Verizon Data Breach Investigations Report, the healthcare industry experienced more breaches of any sector, increasing by a whopping 71.38 percent. By far, the top vector for healthcare breaches is web apps, such as cloud email.

A distributed denial of service (DDoS) attack hit HHS in March 2020; meanwhile, the World Health Organization has reported five-times more than the usual amount of attacks it sees in a month. That’s on top of hackers spoofing organizations such as WHO or the registration of phony COVID-related domain names. Google detected 18 million daily phishing and malware messages related to the pandemic. They don’t just fall into the spam folder; their impact is major. For example, a French pharmaceutical company paid $7.25 million to a company purporting to sell masks and sanitizers.

As in so many industries, email is the top and ever-increasing threat facing healthcare companies. According to the Council of Foreign Relations, citing records from the HHS Office for Civil Rights, the last 11 years have seen more than 2,500 breaches. The result? The exposure of more than 175 million patient records.

By law, the Department of Health and Human Services is required to inform the public of breaches involving 500 or more patients. In 2012, HHS reported that just 4 percent of breaches involved email. That was the lowest of any vector. In 2018, that number was 29 percent, the largest vector.

And of the 676 breaches currently under investigation by the department, 284, or 42 percent, involved email.

And in the latter half of 2020, the volume of sophisticated attacks increased even more. One report found that 72 percent of organizations experienced downtime due to email-based cyber-attacks. For example, the graph below shows how a major California hospital in October experienced a 700-percent increase in the number of malicious files that bypass Microsoft 365. Thanks to appropriate protections, the attacks against the hospital were blocked.

Phishing will continue to increase in the healthcare sector because of the absence of large-scale protections. Even when the COVID-19 pandemic is over, hackers (like they always do) will find a way to take advantage of fear and confusion. Without widespread changes, hackers will cash in on providers’ data and money.

Plus, organizations have to comply with HIPAA. Doing so means making sure protected health information doesn’t get into the wrong hands.

Employees are harried. There are more tools than ever to share information. It is not unreasonable to expect that an employee will mistakenly share personal information. Nor is it unreasonable to expect that a bad actor will compromise an account and share personal information.

If you aren’t taking the time to actively seek solutions that prevent accidental and malicious leakage of PHI, if you aren’t taking active steps to secure your email, then not only will you likely be in breach of HIPAA, but you will make it even harder to care properly for your patients.

In order to secure your healthcare organization, from email to collaboration to preventing valuable and sensitive data from leaving, you need an all-encompassing solution. You need a solution that not only keeps you in compliance with HIPAA rules but also prevents phishing and leakage from happening in the first place.

HealthITSecurity