
August 2015

A Phish Story
By David Yeager
For The Record
Vol. 27 No. 8 P. 12

It's no exaggeration: Sometimes the best way for hackers to corral sensitive health data is the simplest.

The fact that human curiosity can lead to negative consequences is well established—after all, it's documented in the book of Genesis. In a modern twist, Internet scammers have found that they can profit from this trait by perpetrating phishing attacks on unsuspecting computer users. Even worse, if the users happen to work for a large health care system, those attacks can have ripple effects that extend to thousands of people.

In the past year, a couple of phishing attacks were discovered that highlight vulnerabilities in the way that health care data are protected. Both attacks, which occurred in 2014, weren't discovered until months after the fact.

On November 25, 2014, Partners HealthCare in Boston discovered that some employees had received phishing e-mails. The employees were tricked into disclosing information, believing the e-mails to be legitimate. Although its EMR system wasn't compromised, Partners determined that the attack may have created an opportunity for unauthorized access to e-mail accounts and patient demographic information such as names, addresses, dates of birth, telephone numbers, and, in some cases, Social Security numbers. The e-mail accounts also contained clinical information such as diagnoses, treatments received, medical record numbers, medical diagnosis codes, and health insurance information. It's estimated that the breach may have affected as many as 3,300 patients. On April 30, Partners began mailing notices to patients who may have had their data compromised.

On December 4, 2014, Seton Family of Hospitals in Texas, a division of Seton Healthcare Family, experienced a phishing attack that targeted the user names and passwords of Seton employees. When it was determined that e-mail accounts had been compromised, those accounts were shut down and Seton began an investigation. On February 26, Seton determined that varying amounts of personal health information of approximately 39,000 patients were contained in the compromised e-mail accounts. As with the Partners attack, the patient data contained demographic information such as names, addresses, genders, dates of birth, medical record numbers, insurance information, clinical information, and, in some cases, Social Security numbers. Seton says the hackers did not gain access to individual medical or billing records.

The most troubling aspect of compromised health care data is that its repercussions can linger for years. Protected health information (PHI) can be altered or deleted, making a breach extremely difficult to detect. Also, unlike credit card numbers, which are easy for customers to change and must be used quickly by hackers, medical information and Social Security numbers can be of value long after they're acquired. In fact, Brand Barney, CISSP, HCISPP, QSA, a security analyst at SecurityMetrics, says it's the shelf life that makes medical information such a tempting target.

Hook, Line, and …
Barney says phishing attacks generally take two forms. Both types rely on social engineering, in which hackers try to dupe unsuspecting people into divulging user names and passwords. These attacks frequently rely on fear to get their targets to act quickly.

In both cases, the victims receive e-mail or pop-up messages that appear to have been sent from a trusted source. The messages may say that an account has been compromised or that the user has been locked out of a computer system and needs to reenter his or her username and password. Often, the scheme directs users to click on a link directing them to a site where hackers can steal their data. Links of this sort are commonly called clickbait.

The first type of phishing consists of messages that may be sent to thousands or potentially millions of computers. This attack mode is designed to ensnare as many people as possible. Spear phishing, meanwhile, targets specific individuals and entities. This method, which requires more effort from the perpetrators, usually features a bogus website that's been cloned from a legitimate website.

"When they target somebody, they have to set something up so maybe they'll send out an e-mail that says, 'Your PayPal has been compromised' or 'Your e-mail has been compromised.' In the case of Partners and Seton, we know it was their e-mail that was attacked," Barney says. "The hackers may not even say that the victims' e-mail has been compromised. They may just say, 'You've been locked out of your e-mail' or 'There's some maintenance that needs to be done on the e-mail server' or 'Click here for new information.'"

Barney says never click on an unfamiliar link. Often, such links will lead to a site designed to look like a legitimate, trusted site but will have a slightly different Web address. Other times it may take the user to a blank screen. Either way, the hackers' goal is to gather information that will help them steal valuable data.

Chris Apgar, CISSP, CEO and president of Apgar & Associates, says hackers frequently target the human element because it's usually the weakest link, noting that a lack of employee education is the top reason for poor data security at health care organizations. Clear policies that address employee e-mail and Internet use can go a long way toward preventing phishing attacks, he says. New employees must be thoroughly trained on e-mail and Internet procedures, and all employees should receive regular updates.

One way to mitigate the human element is to exercise access control. Too often, Apgar says, the legitimacy of an e-mail is left to an individual employee's discretion rather than that of the IT department. To alleviate this problem, he suggests organizations adopt a policy to prevent spam e-mails from reaching employees.

"Don't send spam filter information to employees' e-mail inboxes; segregate it," Apgar says. "If they ask for a specific e-mail that may have been caught in the spam filter, IT can look for it. That will lower the chance that people will click on suspicious links."

Apgar says hackers are skilled at creating e-mails that appear to come from legitimate sources. To determine whether a link is legitimate, he suggests hovering the cursor over a hyperlink without clicking to view the website's address. If the result isn't the official address of the site that's being mimicked, don't click.

Shark Repellant
Barney says health care organizations must develop a strategy that encompasses every aspect of data security, including explicit policies for handling PHI. Other policies must define who has authorized access to both inbound and outbound data. Policy development begins with a risk analysis, a requirement for meaningful use compliance that helps identify an organization's unique risks, threats, and vulnerabilities.

Protecting the data infrastructure should be a top priority. "There are a lot of complex networks and devices within health care organizations," says Steve Manzuik, director of security research for Duo Security. "There should be a proper malware program in place. That won't stop a good phishing attack, but it will help catch random, easily spotted attempts. A good first line of defense is two-factor authentication, which defends against phishing attacks. With two-factor in place, even if the user does expose their primary credentials, it doesn't lead to a full compromise."

Computer systems and medical devices should be regularly scanned for malware. File integrity monitoring, which immediately alerts the IT department if a file is altered, and firewall rules also should be adopted. Password authentication, which can be done with a biometric marker or through a device that's registered to an authorized user, can provide an additional layer of security. Password authentication also is an effective strategy for securing laptop computers, which may contain more valuable information than a hacker can obtain from a phishing attack. Employing both password protection and authentication dramatically limits the amount of data that can be pulled from a laptop.

Manzuik cautions that organizations must resist the urge to view data security as a strictly technological problem. Part of the reason that phishing attacks are still effective, he says, is that organizations focus on the latest and greatest technologies and overlook other important factors. Technology is only part of a larger effort, he says.

"You shouldn't just go out and buy a whole bunch of security products and think that's going to help you," Manzuik says. "Security needs to be approached a lot more intelligently. Organizations need to do things like risk assessments and threat modeling to fully understand how they're going to be attacked, what technologies they currently have in place that can be used to prevent those attacks, and then identify the right things to do to secure their networks."

Many organizations believe they're doing a good job of securing data, Barney says, but reality indicates otherwise. Accurate monitoring to detect breaches in a timely manner isn't in place at many facilities, he says, noting that in some cases, intrusions have gone undetected for six months or more. To properly protect PHI, Barney says organizations must work closely with their IT staff and conduct extensive employee training.

Prepare for the Big One
Despite an organization's best efforts, it still may be victimized by hackers and data thieves. Should this occur, besides following all data breach response guidelines, conduct a forensic data analysis to determine how much data have been compromised. Apgar says it's important to have a designated incident response team and a plan in place. It's also crucial, he adds, to test the plan.

"What we've found in several plans that we've worked on is that the plan looks great in the IT shop, but once it goes beyond that, when you bring in the communications folks and the attorneys, things tend to fall apart," Apgar says. "If you haven't tested the plan, things can go south rather quickly during an incident."

The goal is to mitigate the risk posed by a data breach. The longer it takes for an organization to manage the situation, the more likely it will have to send out breach notifications, Apgar says.

Risk mitigation is influenced by several factors, including the type of data that were compromised. A name and an address alone carry low risk, but couple those with a birth date and a patient number and the situation becomes more serious.

Determining who accessed the information provides a clue to what repercussions can be expected, Apgar says. For example, if someone's medical information was faxed to the wrong clinic, there is less risk because clinics generally understand how to handle PHI and will usually shred patient files sent in error. If the information was mailed to the wrong personal address, it poses a higher risk for misuse.

Another key factor is determining whether the organization was able to retain information about the breach, which will allow it to more accurately assess the level of risk and determine an appropriate course of action.

Barney recommends hiring a third party to review any data protection plan, noting this will help should the organization be audited by the Office for Civil Rights. If nothing else, HIPAA audits and the meaningful use incentive program have made organizations more aware of the need for data security, he adds.

Risk mitigation isn't prohibitively expensive, especially compared with the cost of a breach, Barney notes. Unfortunately, many organizations aren't keeping up with best practices. Although the methods used by most hackers aren't complicated, they continue to be successful.

"I think it's important to recognize the number of entities that continue to be breached via phishing and a number of other methods," Barney says. "The attacker wants that valuable data, and he will come back, especially if he's successful once. But attackers are usually lazy, and that's why you see things like phishing attacks. He's just hoping that somebody clicks. And guess what? Somebody usually clicks. The way that hackers are taking data is simple, but entities can protect themselves if they just identify the threat."

— David Yeager is a freelance writer and editor in southeastern Pennsylvania.


Cybersecurity was identified as an increased business priority over the past year, according to 87% of respondents in the 2015 HIMSS Cybersecurity Survey. Two-thirds of those surveyed also indicated that their organizations had recently experienced a significant security incident. Released at the Privacy and Security Forum, recently held in Chicago, this research reflects continued cybersecurity concerns by health care providers regarding the protection of their organizations' data assets.

"The recent breaches in the health care industry have been a wake-up call that patient and other data are valuable targets and health care organizations need a laser focus on cybersecurity threats," says Lisa Gallagher, BSEE, CISM, CPHIMS, vice president of technology solutions for HIMSS. "Health care organizations need to rapidly adjust their strategies to defend against cyber attacks. This means incorporating threat data, and implementing new tools and sophisticated analysis into their security process."

The survey of 297 health care leaders and information security officers across the industry also found that at least one-half of respondents made improvements to network security, endpoint protection, data loss prevention, disaster recovery, and IT continuity. However, despite the protective technologies available, most respondents felt only an average level of confidence in their organizations' ability to protect their IT infrastructure and data.

Key findings from the survey include the following:

• Respondents use an average of 11 different technologies to secure their environment and more than one-half of health care organizations surveyed hired full-time personnel to manage information security.

• Forty-two percent of respondents indicated that there are too many emerging and new threats to track.

• Fifty-one percent of information security threats are identified by internal security teams.

• Fifty-nine percent of survey respondents feel the need for cross-sector cyber threat information sharing.

• Sixty-two percent of security incidents have resulted in limited disruption of IT systems with limited impact on clinical care and IT operations.

• Sixty-four percent of respondents believe a lack of appropriate cybersecurity personnel is a barrier to mitigating cybersecurity events.

• Sixty-nine percent of respondents indicated that phishing attacks are a motivator for improving the information security environment.

• Eighty percent use network monitoring to detect and investigate information security incidents.

• Eighty-seven percent of respondents reported using antivirus/malware tools that were implemented to secure their health care organizations' information security environment.