It seems like 2019 has been the Year of the Ransomware attack in healthcare. According to McAfee’s August Threat Report, ransomware attacks grew by 118 percent in the first quarter of 2019, and healthcare was the second most targeted industry. (It “lost out” to the Public Sector.)
In 2019, ransomware attacks have severely disrupted necessary medical services at hospitals such as Campbell County Health in Wyoming. They’ve also driven at least two providers out of business permanently: Wood Ranch Medical in Simi Valley, California, and Brookside ENT and Hearing Center in Battle Creek, Michigan.
But ransomware attacks aren’t the only way hackers target medical providers. Another money-making scheme is on the rise, but it isn’t getting the attention it deserves: the Business Email Compromise (BEC).
What is a BEC attack?
BEC attacks often start out with a simple phishing scheme designed to gain access to account credentials, often those of someone in a position of authority. The hacker then sends fraudulent emails impersonating the owner of the hacked account to achieve their aims.
In practice, a BEC scenario might look something like this:
- Step 1: A phishing email is sent to the CEO. This executive is on the road a lot and is accustomed to doing business over email. The hacker, pretending to be the IT department, sends an email telling the exec they need to reset their credentials by clicking on a link.
- Step 2: Being in the middle of a hectic SE Asian road trip and a little jet-lagged, the exec doesn’t stop to think that the email might not actually be from IT. So, they click on the link, enter their current credentials, and then enter a new password. The new password is irrelevant, of course. It’s just a ruse to get the current credentials.
- Step 3: With the executive’s account credentials in hand, the hacker can now send and receive emails from that account. While the CEO is off negotiating with a potential business partner in Singapore, the hacker sends a message to finance asking them to wire money immediately so they can close the deal.
Of course, the exec doesn’t need to be a traditional road warrior for this scenario to work. We could have used any busy exec with little time on their hands in our example, e.g., the hospital administrator who is busy with physicians all day long and has little time for IT-related tasks.
And, while it doesn’t seem like finance would fall for this, you’d be surprised how often it happens. Some hackers are great at imitating execs. They know just what to say to get the relatively low-level finance person to do their bidding. Add in a prickly or uncommunicative exec who expects people to “do as they’re told,” and you have a recipe for cybercrime success.
How a BEC Attack Threatens HIPAA Compliance
Across industries, BEC attacks are on the rise, from an average of 500 per month in 2016 to more than 1100 per month in 2018. Manufacturing and construction companies were the hardest hit, with attacks on healthcare remaining relatively consistent between 2017 and 2018, at around 5 percent of the total.
So, while BEC attackers aren’t targeting the healthcare sector as much as they are other industries, the BEC attack has the potential to do real damage in the healthcare industry. A BEC attack could be used to gain access to the systems that house PHI (protected health information); for example, a compromised email account can be used in a follow-on phishing scheme to gain access to other systems.
A BEC attack could also be used to send out fraudulent statements to customers. As complex as the healthcare insurance industry has become, it’s likely a certain percentage of people will just pay the bill if it’s in a small enough amount and cleverly enough disguised.
5 Ways to Protect Your Organization Against a BEC Attack
There are at least five things you can do to thwart a BEC attack. Since BEC, like many other types of cyberattacks, starts with phishing, following these recommendations will improve your overall resistance to today’s cyberthreats.
- Employee education. This is the starting point for any cyber-defense strategy. Your employees (even your CEO) must know the dangers the business is facing, and their response must be so well practiced that it becomes automatic. This will take comprehensive training along with message repetition.
- Encourage skepticism. There must be some “protection” for employees who don’t respond immediately to emails because they question their legitimacy. If the employee perceives the greater danger to be the angered executive, they’re more likely to respond to phishing emails.
- Anti-phishing applications. Of course, human nature being what it is, you’ll also need a backup line of defense. Anti-phishing applications can analyze incoming emails and quarantine any that look “phishy.” Some anti-phishing applications will even protect other communications platforms such as Dropbox and Microsoft OneDrive.
- A patient portal. Limit your email communications with patients to notifications, but require a login to a secured patient portal to access the information. For additional security, you might want to avoid providing clickable links in your notification emails. Links make it convenient for patients to access the portal, but they also make it easy for hackers to gather PHI through impersonation emails that include bogus links.
- Outsource security. Let’s face it, healthcare providers face a lot of cyber-threats. As soon as you think you’ve got one covered, you’re reminded of another one you need to focus on. (For example, how good are you at promptly patching your OS and applications?) Outsourcing security to a qualified managed services provider can help you cover all your bases.
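To illustrate the kind of check an anti-phishing filter can run against the exec-impersonation scenario described above, here is an added example in Python; it is not code from the article or from any product it mentions, and the hospital domain, the executive name and both sample messages are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.org"   # assumed internal mail domain
EXEC_NAMES = {"jane doe"}                   # assumed display names worth protecting

# Constructed sample messages: one routine, one matching the "exec abroad asks
# finance to wire money now" pattern from the article.
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example-hospital.org>
To: finance@example-hospital.org
Subject: Q3 budget review

Please send me the Q3 numbers before Friday.
"""

SAMPLE_BEC = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.doe.ceo@example-hospital-mail.com
To: finance@example-hospital.org
Subject: URGENT wire needed today

I'm in Singapore closing the deal. Wire $48,000 immediately; I can't take calls.
"""

URGENCY_WORDS = ("urgent", "immediately", "wire", "today", "can't take calls")

def bec_indicators(raw):
    """Return a list of BEC warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    subject = msg.get("Subject", "").lower()
    findings = []
    # 1. A protected executive's display name arriving from an outside domain.
    if name.lower() in EXEC_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("exec display name from external domain")
    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # 3. Pressure-plus-payment wording in the subject or body.
    hits = [w for w in URGENCY_WORDS if w in body or w in subject]
    if len(hits) >= 2:
        findings.append(f"urgency/payment language: {hits}")
    return findings

def should_quarantine(raw):
    """Quarantine when at least two independent indicators fire."""
    return len(bec_indicators(raw)) >= 2
```

The two-indicator threshold keeps a single urgent but legitimate message from being held while still catching the combined name-spoof, reply-to and wire-request pattern.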
Connectria provides HIPAA compliant hosting and other cloud services for the healthcare industry.