Phishing attacks are becoming a greater risk to the health care industry. These breaches could potentially lead to serious costs—and jeopardize patients' health. Patient data could be stolen, and there could be identity theft and lawsuits against the company that was hacked. In a recent talk with David Holtzman, CynergisTek Vice President of Compliance, the Health IT Security team reported on the most common attacks that IT professionals experience in the health industry, which include phishing attacks.
Phishing Attacks a Major Threat
Holtzman reports that he has seen a major increase in phishing over recent months. Hackers will send emails or other communications to those inside the IT network in an effort to get victims to download self-executing programs that install malware, compromising the entire system. These communications can be disguised in various ways. For example, they can appear to come directly from the IT department. The sender address can be spoofed so that the message appears to come from IT_Helpdesk@company.com, [email protected] or something similar.
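One way a mail team could flag messages that pose as the IT help desk is shown below. This is an added example, not something from Holtzman or the article. The `.example` domains, the sample messages and the three rules are constructed for illustration, and it assumes the organization's own mail gateway stamps the `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "company.com"  # assumption: the organization's own mail domain
HELPDESK = re.compile(r"help[\s_]*desk|\bIT\s+(support|department)", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message claiming to come from IT looks spoofed."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reasons = []
    # Assumption: this header was added by our own border MTA; a copy supplied
    # by the sender proves nothing and should be stripped at the gateway.
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if from_dom == internal_domain and not (dmarc and dmarc.group(1).lower() == "pass"):
        reasons.append("internal From domain without dmarc=pass")
    if from_dom != internal_domain and HELPDESK.search(display):
        reasons.append("helpdesk display name on external address")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages (headers only), not taken from any real incident.
SPOOFED = """\
From: IT Helpdesk <IT_Helpdesk@company.com>
Reply-To: helpdesk@mail-reset.example
Authentication-Results: mx.company.com; spf=fail; dmarc=fail header.from=company.com
"""
LOOKALIKE = """\
From: "IT Helpdesk" <helpdesk@company-it.example>
Authentication-Results: mx.company.com; spf=pass; dmarc=pass header.from=company-it.example
"""
LEGIT = """\
From: IT Helpdesk <IT_Helpdesk@company.com>
Authentication-Results: mx.company.com; dkim=pass; dmarc=pass header.from=company.com
"""
```

The lookalike case shows why authentication results alone are not enough: a domain the sender controls can pass DMARC while the display name still impersonates the help desk.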
Examples of Recent Attacks
In March, a server operating under contract for DeKalb Health Medical Group in Auburn, Indiana, experienced a cyberattack that eventually led to more than 1,300 patient information records being compromised. The names, addresses, credit card numbers and Social Security numbers of the patients could have all been stolen.
Several of those patients were then directed to a fraudulent website that looked exactly like the DeKalb Health charity site. Additionally, DeKalb Health's own website was hacked, so that the link to the charity went to the phishing page.
In Plano, Texas, Baylor Regional Medical Center was hacked after doctors affiliated with the medical center responded to phishing emails. Just responding was evidently enough to cause the inboxes of the doctors involved to be hacked, potentially exposing the patient information contained in their inboxes, including names, addresses, dates of birth and Social Security numbers. The attack was only discovered in February, and affected patients were notified on April 25.
Finally, the Franciscan Health System of Tacoma, Washington, was hacked in a phishing scheme in March that potentially affected 12,000 patients.
How to Evade the Attacks
Avoiding becoming a victim of a cyberattack like this can be as simple as testing security with fake phishing emails to see how many people click on them. This is what Holtzman has advised his clients to do. He also encouraged companies to raise internal awareness of the threat of phishing attacks to try to prevent problems before they start. Sending out weekly newsletters with tips for cybersecurity can be a major help.