Phishing a Real Threat to Healthcare, No Fooling

By smace@healthleadersmedia.com | April 02, 2013

It was a long holiday weekend several years ago, and I received a message on Facebook from someone I trusted, a longtime acquaintance from a well-known high-tech company. He had posted something to my Facebook wall. I thought it was benign. But his Facebook account had been compromised, and now I had been phished.

I knew about phishing; essentially it's an email fraud scam or online con game. I thought I would be safe if I only opened messages from people I knew, on networks I believed to be safe. I spent the next day, however, profusely apologizing to my Facebook friends, who now had postings to their own Facebook walls, from me, inviting them to click and be sucked into the digital chaos. We all had a good non-laugh changing our passwords and apologizing on down the line.

I was lucky that the only harm I suffered was a little embarrassment. And now I know I'm in pretty good company. Last week, we learned that Supreme Court Chief Justice John Roberts has been the victim of credit-card fraud. The court did not provide any other details, according to the Associated Press. But if you ask me, the odds are that Justice Roberts had been phished.

As we recover from our annual holiday of pranks, let's take a moment to assess our preparedness for the digital pranks continuing to head our way that are no laughing matter. Healthcare is on particular notice as of last week, when revised Health Insurance Portability and Accountability Act (HIPAA) regulations took effect, and enforcement in September suddenly seems a lot closer.

Much is written about the data breaches that occur when someone's laptop is lost or stolen. The HIPAA wake-up-call no doubt will cause many of those laptops to finally be encrypted and outfitted with data-loss prevention technology.

Unlike some other occurrences of malware, phishing isn't going away. Instead, we can expect to be continually challenged by bad actors trying to hoodwink the healthcare system out of protected health information (PHI).

How can it happen? Let me count the ways: It might be a classic scam, like five years ago this month, when thousands of CEOs fell victim to a fake subpoena. Or the annual phony emails claiming to be from the IRS that pop up every year around this time. Fake package delivery emails with links to who-knows-where remain a popular vehicle. So do emails about current events.

Or it might be one of the newer scams making the rounds these days, like this one described by a security expert I spoke with recently: It comes in the form of a one-line email message from someone you trust. "There's not enough information for me to make a decision, so I'll click on it," the expert says. The attacker may have pulled your name from your social network, or may have even found and spoofed your email address. But don't click on that email link.

Too many of the bad links in emails will immediately load rootkits onto PCs, and at that point, unless your anti-malware protection is on top of its game, a data breach has occurred. With the new HIPAA regulations, you can't assume a breach hasn't occurred just because nothing else appears to be amiss. You'll soon be up on the public HIPAA breach Web site and headed for some stiff fines.

So, no fooling—it's time to make sure that your organization, and those of your business associates, are practicing "safe email."

Increasingly, we will see insidiously intelligent attacks on healthcare. Bad guys can guess at org charts for most healthcare organizations by searching for companies and job titles on LinkedIn. Other baddies masquerade as a company's IT support department, offering bogus expanded mailboxes or benefits enrollments—anything to get you to click.

Time and again, the technology industry has assured us that communications would be secure one day. Up to this point, the best the industry's been able to do is to direct us to secure Web portals. Meanwhile, the everyday email we use remains unsigned, unauthenticated, unencrypted, and open to the same sorts of phishing attacks effective during the better part of the past 20 years.

So, what can be done? In the past year, the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification has become a force for positive change in the phishing war. DMARC lets a sending domain tell receiving mail systems how its mail should be authenticated and what to do with messages that fail, and lets those receivers report back what they saw.

If your healthcare organization sends any email, or contracts with an organization that sends email in your name, and you haven't implemented the DMARC standards yet, there's a free set of training videos available. It's one of the best ways to immediately step up your response to the new HIPAA regulations.
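To make the DMARC mechanism concrete, here is an added example that is not part of the original column and not code from any DMARC training material: a small Python model of how a receiving mail server evaluates a sender's published policy. The domain names, the three DMARC records and the two message scenarios are all constructed for illustration; in a real deployment the record is published as a DNS TXT record at `_dmarc.<domain>` and the receiver looks it up there.

```python
"""
Added example (not from the original column): a minimal model of how a
receiving mail server applies a sender's published DMARC policy.

Assumptions: example-hospital.test, bulk-sender.test and the records below
are constructed sample values. Real receivers fetch the record from DNS at
_dmarc.<domain> and use the Public Suffix List for organizational domains.
"""

# Constructed sample records for the hypothetical hospital domain.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-hospital.test"
ENFORCE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-hospital.test"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example-hospital.test"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs.
    v=DMARC1 and a valid p= tag are required; adkim/aspf default to
    relaxed ('r') alignment when absent, as the specification says."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid policy tag p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Rough stand-in for the public-suffix based organizational domain:
    keeps the last two labels. Adequate for the constructed domains here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain with From:."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the sender's policy ('none', 'quarantine', 'reject').
    A message passes DMARC when SPF or DKIM passed AND the domain that passed
    aligns with the visible From: domain; otherwise the policy applies."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


# Constructed scenario: a message shows the hospital in From:, but SPF only
# passes for the unrelated domain that actually sent it, and there is no
# DKIM signature for the hospital domain.
SPOOFED = dict(from_domain="example-hospital.test",
               spf_pass=True, spf_domain="bulk-sender.test",
               dkim_pass=False, dkim_domain="")

# Constructed scenario: legitimate mail, DKIM-signed by a hospital subdomain.
LEGIT = dict(from_domain="example-hospital.test",
             spf_pass=False, spf_domain="mailer.example-hospital.test",
             dkim_pass=True, dkim_domain="mailer.example-hospital.test")

if __name__ == "__main__":
    for name, rec in (("monitor", MONITOR_RECORD), ("enforce", ENFORCE_RECORD),
                      ("strict", STRICT_RECORD)):
        print(f"{name:8} spoofed -> {dmarc_disposition(rec, **SPOOFED)}")
        print(f"{name:8} legit   -> {dmarc_disposition(rec, **LEGIT)}")
```

The three records show the usual rollout path: `p=none` only produces reports (the spoofed message is still delivered, which is why monitoring alone does not stop phishing), `p=reject` with the default relaxed alignment stops the spoofed message while legitimate subdomain-signed mail still passes, and the strict record rejects the legitimate subdomain mail too. That last case is the caveat a practitioner should check for before enforcing: every system that sends in your name, including business associates, must sign or send from a domain that aligns with the policy you publish.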

Now let me scare you a little bit. Facebook is in the process of gradually rolling out a new form of search known as Graph Search. While there may be good reasons for Facebook to expand the search capabilities of that system, according to industry experts, Graph Search will be "a phisher's best friend."

That's because Graph Search will allow phishers to even more intensively data-mine people and organizations. Sadly, it seems that every time social networking takes another leap forward, we have to put our guard up a little higher.

As my security industry expert puts it, "if you're in IT and have privileges to systems that store medical records, you are likely a target. They might also research if you participate in industry organizations. They will find your name based on things that you have published, papers you've published or talks you've given."

On its Web site, the HIMSS Privacy and Security Committee states its goal: "By 2014, all entities who use, send, or store health information meet requirements for confidentiality, integrity, availability and accountability based on sound risk management practices, using recognized standards and protocols."

Let's hope HIMSS and the efforts of other professional organizations are sufficient to keep the spotlight on security as the amount of PHI on servers and in transit from organization to organization escalates. Otherwise, we might face a scenario imagined in the January 2013 issue of the journal Telemedicine and e-Health.

You can't write a check to make the problem go away. PHI is now more valuable on the black market than ordinary consumer data. The onus is on all of us to do our part to keep the data safe and to prevent Internet-triggered medical errors.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
