According to the U.S. Department of Health and Human Services Office for Civil Rights HIPAA Breach Reporting Tool, to date in 2019 there have been 326 “Hacking/IT Incidents” affecting some 39,050,355 individuals. Of these incidents, 208 of them have been via email phishing attacks. The other 118 incidents that fall outside of email could possibly also be from phishing utilizing other attack vectors.
A recent article featured at DataBreachToday.com, highlighted a Proofpoint Research Report that explored the numerous challenges that healthcare organizations face when thinking about data security and managing HIPAA. Some of the report highlights that bring these challenges to light:
- 77 percent of email attacks on healthcare companies (during the Proofpoint study) used malicious phishing URLs.
- Targeted healthcare companies received about 43 impostor emails in Q1 2019, a 300 percent increase from Q1 2018.
- Subject lines that included “payment,” “request,” and “urgent” (and related terms) appeared in 55 percent of all email attacks. These are tactics that we often refer to as Scareware.
- 95 percent of targeted healthcare companies saw emails spoofing their trusted domain, and all of them had their domains spoofed to patients and business partners.
In a blog we penned earlier this year – Lack of Focus on Security Makes Healthcare Industry a Target for Phishing Attacks – we detailed a Business Insider article and the grim picture it painted for healthcare security given the lack of prioritization and budget for attack prevention. As we shared then, and again here…
- Privacy and security are health firms’ third-highest priority, despite the growing attack threats.
- Health firms are reluctant to make cybersecurity efforts an investment priority, despite the high cost of data breach remediation (think HIPAA penalties).
- Health firms have called for a change to policy that would make HIPAA-compliant health firms exempt from the hefty government breach penalties, arguing that organizations that expect to be penalized regardless of whether their countermeasures are up to snuff may underinvest in security.
- Cybersecurity is underfunded primarily because the sophistication of cyberattacks increases at a faster rate than prevention capabilities, there are too many competing priorities, and the cost of countermeasures is too high.
- If dollars allocated to cybersecurity can’t keep pace with the security threat, we’ll likely see a greater volume of breaches.
The 2019 numbers above drive home both the lack of focus on phishing security and the obvious need for it. What healthcare industry organizations need for protection is a zero-hour, real-time phishing threat prevention solution that enables them to block employee web traffic to phishing sites, stopping the attack near the start of the kill chain, before malware downloads and credentials are stolen.
Our SEERTM technology (Session Emulation and Environment Reconnaissance) runs virtual browsers in a purpose-built cloud to dynamically inspect sites, and perhaps more importantly page contents and server behavior, with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives.
Our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense solutions can see beyond the legitimate website to identify what might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization.
*** This is a Security Bloggers Network syndicated blog from SlashNext authored by sln_admin. Read the original post at: https://www.slashnext.com/blog/healthcare-organizations-continue-to-be-a-soft-target-for-phishing-attacks/