– Hackers are increasingly targeting the healthcare sector through sophisticated malicious emails, rather than just focusing on vulnerable infrastructure, according to a recent Proofpoint report.
What’s more, targeted healthcare organizations received about 43 imposter emails during the first quarter of 2019, which increased 300 percent during the same timeframe in 2018. About 55 percent of imposter emails used subject lines, like payment, request, urgent, or other related terms.
Imposter emails are designed to mimic messages sent from a person the user knows or can trust. These emails don’t typically use malware, malicious attachments, or other phishing techniques. Researchers explained that attackers leverage social engineering attacks to trick the user into doing something the hacker wants, such as transferring money or sending sensitive information.
“These attacks can be hard to detect because they don’t exploit technical vulnerabilities. They target human nature,” researchers explained. “Social engineering is all about exploiting people. That’s why stopping it requires a cyber defense focused on people, not technology.”
“The average impostor attack spoofed (posed as) 15 healthcare staff members on average across multiple messages,” they added. “Nearly half of healthcare organizations were targeted in attacks that spoofed at least five identities; about 40 percent were targeted in attacks that spoofed two to five identities.”
Researchers explained that healthcare organizations need to stop these social engineering attempts from reaching intended targets, in addition to training employees to spot and report any attempts that make it through to the user’s inbox.
For each healthcare organizations targeted by malicious emails, 65 staff members were targeted during the campaign in the first quarter of 2019. The report showed that high-ranking employees were not always the main target. Hackers also sought those with access to the right data, people, or systems.
“In other cases, it’s someone with a public-facing email address,” researchers wrote. “These can include shared accounts and email aliases, which are usually permanent, forward email to several recipients, and hard to secure with multifactor authentication.”
“Users’ vulnerability starts with users’ digital behavior – how they work and what they click,” they continued. “Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.”
Hackers disproportionately target those employees with the most visible email addresses, including shared email accounts. Researchers explained this was likely amplified by users with public-facing contact information, long-tenured workers, their email addresses was leaked in an earlier data breach, and other profiled information.
Researchers noted these “very attacked people” for healthcare providers included clinicians, research teams, and administrative staff. For insurers, hackers targeted customer support, sales, administrative staff, and IT teams. And for pharmaceuticals, attackers targeted executives, public relations, or supply chain.
To fend off these attacks, healthcare organizations should adopt a people-centered security posture: evaluate the risk each user represents, how they’re targeted, what data they have access to, and how prone they are to falling victim to targeted attacks.
Users should be trained to detect malicious emails and report them to the security team. The researchers recommended training users with simulated attacks that mimic real-world techniques, while looking for solutions that recognize current trends and the latest threat intelligence.
However, it should be assumed that users will eventually open these malicious emails, so organizations also need technology able to detect and block email threats that target employees to keep the threat out of the inbox.
Organizations should also invest in email fraud defense technology, based on custom quarantine and blocking policies. Researchers stressed the tool should analyze both external and internal email, as hackers can use compromised accounts to trick users within the same organizations.
Other recommendations include isolating risky websites and URLs and partnering with a threat intelligence vendor.
“Today’s attacks target people, not just technology,” researchers wrote. “They exploit the human factor: healthcare workers’ natural curiosity, acute time constraints and desire to serve. Protecting against these threats requires a new, people-centered approach to security.”
“Few industries can claim a mission more critical, data more sensitive, or operations more complex than healthcare. Unfortunately, few industries are finding it more challenging to keep it all protected,” they added.