Healthcare Data from Phishing
I know, I know, here he goes again on the threats of phishing emails. Yeah, I get it; I'm probably starting to sound like that overly protective mother who is always hounding you about protecting your belongings.
This is just something that we really cannot talk about enough. Just this month we have been called in to help clean up two very large breaches. One was caused through the use of personal devices; the other, by the way, brought down an organization of approximately 500 employees. As for the impact on that large core business: we were called in two weeks after their entire organization had been left without email and their core business application. That's right, two weeks of a large organization being totally dead in the water.
So, what happened? Real simple. Stage one was an employee clicking on an email link that allowed the execution/insertion of the attack. Then came very poor IT security practices, wherein they shared multiple connection paths throughout their network via one primary hub. Meaning, break down one door and the hackers had access to their entire business. While we have cleaned this "new" client of their issue, we are still working on rebuilding their network and communication services; this will most likely take at least another week to resolve.
As the number of these types of attacks continues to increase, the recommendation for consistent policies, oversight and steps to train medical staff is even more at the forefront of audit reviews and the fines associated with HIPAA violations. Know this: all HIPAA audits now include specific reviews of how your practice trains its staff, manages these risks and what kind of plan you have in place for communicating a breach when it occurs. Get that? Not IF it occurs, but WHEN it occurs.
We have spoken previously about the fact that your liability increases when you have no policy and procedure in place to anticipate these breaches. Meaning, the courts take a very harsh view of those who have ignored the threats and done nothing, or very little, to anticipate them. The courts, as do the auditors, presume this will happen to you at some point; the judgement is rendered on how you tried to protect against it and what you did about it once the breach happened.
Phishing attackers have two basic objectives: first, to get your patients' Protected Health Information (PHI), which represents big dollars on the black market; second, to insert ransomware into your network in hopes of then extracting significant sums of money as ransom to get your data back.
There are two primary fronts for protection. (1) Employee training and testing: this is your front line of defense and can actually be fairly economical, particularly in light of the consequences of not having this training in place. (2) An adequate backup solution to protect your data: this gives you the ability to ignore the hackers and bring your data back online yourself.
It has been our experience that a significant number of practices that have been impacted are not aware of the breach at all. How is that? Well again, in our experience, most medical practices, when hacked, are seeded with various types of spyware rather than hit with any large, rather public ransomware situation. The hackers tend to save that fanfare for hospitals, clinics or large healthcare providers.
As for the mid-sized and small practices, their favorite thing to do is to "hook you" through a phishing campaign in which there is no visible attack at all. Your user just thinks it was a bad link and nothing happened, never giving it a second thought or reporting anything. The fact is that the hacker has loaded spyware or keystroke loggers. The goal is to sit quietly within the network, scanning for passwords in order to get into that sacred PHI. These hackers draw information out of your network, set up dummy email accounts and track the practice's actions internally, basically turning your network into an ATM for their own use. We find these through penetration testing and network scans, which show us the points of entry. Once those are located, we move to clean your network and, so to speak, change the locks.
Then, through the initiation of employee training, the installation of network protective applications and email filtering, we ensure your now secure world stays that way.
Again, even with all these automated tools in place, you still need process and procedure to address these attacks internally. You also still need ongoing training of your staff, with testing cycles to ensure that the training is actually being applied.
Venture Pointe can provide documentation services, network reviews and employee training/testing on an ongoing basis. This will give you better peace of mind that your staff knows what to look for and that you have a plan for how to react should a breach occur.
This training is just as important for your new staff as it is for your seasoned staff. Both, of course, are open and susceptible to attack through email. After all, the hackers are really good at what they do, and we have all been guilty of clicking on something we wished we had not at some point in our lives.
Enough of the nightmare talk for now. Happy soon-to-be spring! We at Venture Pointe want to take a moment to particularly thank our health care providers at all levels. Thank you for being at the forefront of the fight against COVID and for the sacrifices you and your families have made throughout the last year of this battle.
Until next month, take a moment to look around, practice a random act of kindness, be kind and take a deep breath of that fresh spring air. We are sure your allergist will appreciate it. 😊