Avoid the Phish! How to Recognize a Phishing Attack and Avert It!

Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies

Last month’s article, Healthcare Data Breaches: Their Frequency, Impact, and Cost, discussed the overall impact that cybersecurity breeches are having on healthcare. Healthcare continues to lead all industries in the number of beaches with 27% and has the highest cost for data breaches at $408/record, nearly three times the cross-industry average of $148. While the number of data breaches in healthcare remained relatively the same between 2017 and 2018 (359 and 351), the number of healthcare records exposed increased at an alarming rate of over 250% (5,138,179 to 13,020,821). This shows that hackers are getting bolder. They realize each healthcare record is worth $50 on the black market, much more than Social Security and birth date records ($3) or credit card information ($1.50).  That is because healthcare records contain personal, financial, and medical data that can be used for Medicare fraud – the most profitable type of identity theft.

Studies also show that healthcare employees are seven times more often responsible than employees of other industries for causing breaches due to human errors and/or careless actions such as: inappropriate conversations; misuse or careless handling of mail, emails, and other hard copy documents; leaving computer screens or hard copy records unattended and visible to others; and sharing passwords or not logging off a computer when not in use.

However the biggest threat posed by employees is the intentioned, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information, giving them access to email or cloud accounts that contain patient data. These are usually innocent, unknowing acts by the employees, but they are very consequential to the organization. The links or documents in the phishing emails can expose PHI or embed malware within the computer system or network, resulting in serious network problems or system stoppages. This obviously causes significant issues and costs for the healthcare organization and financial gain for the hackers.

This is exactly what happened in the largest healthcare data breach in 2018. A health system email system exposed 1.4 million records when hackers sent emails to employees from a fake account that appeared to be coming from an executive within the organization. The email asked the users to disclose their email credentials. Once the employees clicked on the link or the attached document, the hackers gained access to internal email accounts and then to patients’ records. This phishing attack was not uncommon. The 2018  Verizon Data Breach report confirmed that phishing attacks are increasing, accounting for 43% of all data breaches. Other research found that over 90% of data breaches are the result of phishing emails and an average of 16 malicious email messages are sent to every email user every month.

That is scary!  That means we have at least 16 chances each month of clicking on a phishing email and creating a data breach or a ransomware attack causing a possible system outage of the entire computer network at our organization. How would you like to be the person responsible for causing the data breach and costing the organization millions of dollars in fines or paying a ransom to get the system up and running again?  Some employees have even been terminated due to this type of error, if it was done against normal company policies. I’m sure none of us would want to be in that situation, so we have to educate ourselves to be aware of possible phishing schemes and know how to avoid them. Let’s start by defining some key concepts.

Phishing is a scam aimed at getting an online user to reveal personal or confidential information for the purpose of identity theft. There are three types of attacks: 

· Phishing – a general email that is sent as spam or as an email addressed to a large, non-specific group of users. The goal is to get users to open embedded links or attached files that, when clicked on, allow the hackers to access to the user’s system. Once in the organization’s system hackers can delve deeper to obtain personal information, credentials, logins, passwords, and other data.

· Spear phishing - a more sophisticated and elaborate targeted phishing attack that focuses on a specific company or individual and combines tactics like personalizing or impersonating users so the spear phishing email is extremely believable and compelling. The goals are to bypass or evade email filters and antivirus software and gain access to a system in order to introduce malware and other attacks. This type of approach was used in the large breach described above.

·  Whaling – a specific attack that targets specific members of an organization’s upper management team by name. The goal is to obtain confidential company information by using a webpage or email that appears to be legitimate (corporate logo, color scheme, address, brand identity). It is usually presented as an urgent matter that needs attention, such as an internal corporate issue, a new or updated policy, significant complaint, or legal issue.

A phishing scam typically starts with a legitimate-appearing email from a person, company, or website asking the user to update personal information, such as a password, credit card, social security number, or bank account number. The message looks authentic and comes from organizations a user may have accounts with. It also may include legitimate-looking company logos and formats that the company uses. In fact, it usually looks so authentic that recipients respond to about 20% of them. In fact, the 2015 HIMSS Cybersecurity Survey of 300 health information professionals indicated that phishing attacks were their biggest future security fear and the “#1 thing that keeps Chief Information Security Officers up at night”. The 2019 HIMSS Cybersecurity Survey of 166 health information security professionals still found phishing to be a major concern, especially for those healthcare systems that are not conducting adequate phishing tests. One reason this is so worrisome is that the threat is directed at all levels of employees in an organization and it is relatively easy to get someone to unknowingly click on a link or document. It is not something Information Systems can control with tools and countermeasures.  

Phishing attacks often introduce ransomware into computer systems by sending emails from legitimate-looking banks or credit card companies requesting the recipient to “update” their personal information (birthdate, social security number, passwords, etc.). When the attachment or link is clicked, malicious malware is introduced into the system, which can spread from one system to another. Ransomware can also be introduced, encrypting documents, music, pictures, and other files and making them inaccessible. The organization can be held hostage until they pay a ransom to unlock the files. If the ransom is not paid within a defined time the ransom is increased. Organizations that have routine back-ups of their system can eliminate having to pay the ransom and restore their system, but it still results in system downtime and a lot of time and effort to get the system operational  again. Organizations that do not have system back-ups have to pay the ransom or risk losing all their data.

Systems that are using older versions of software that are not receiving automated cybersecurity updates are very susceptible to phishing attacks. We cannot get lulled into thinking that the security programs on our system or our Information Technology (IT) department will handle all these threats. While some employees are specifically targeted because of their position or because of the types of information they have access to, all individuals and companies should assume they are or could be targets of phishing attacks. All it takes is for one person to click on a link that contains the malware. And I’m sure you don’t want to be “that person” who takes down the entire system!

Tips for Preventing Phishing Attacks

To make sure you are not a victim of a phishing attack, let’s review some things you can do to prevent getting “hooked”.  These two articles, 8 Ways to Prevent “Phishing Scams” and 10 Tips to Prevent Phishing Attacks, provide the following useful suggestions to help guard against phishing.   

• Learn to recognize potential phishing emails, such as those that:
  • Are sent as a general email without your name included.
  • Come from senders unknown to you.
  • Ask you to confirm or update personal information.
  • Make a request for information look like it is an urgent matter.
  • Threaten you with worrisome consequences, if you do not respond.
  • Look authentic – images in email look like or are similar to a known company.
  • Threaten to terminate your account or offer free gifts or promotional items.
• Be sure to communicate personal information only via phone or secure websites:
  • Do not give personal, financial, or login information to someone who calls or emails you requesting it. A legitimate organization will not ask for this information in this manner. Look up the number of the company or organization and call them directly or go to their secure website to provide such information.
  • For email transactions, make sure the website is secure before giving any information
    
    
    • Look for “https” in the address bar.  The “s” means it’s secure.
    • Look for a padlock in front of the browser address and a “green address bar”, indicating the site has applied for a SSL certificate, is the legitimate owner of the website, and encrypts information to and from the site.
    • Even if the browser address has a padlock or a green address bar, you cannot be guaranteed that it is totally safe, since “phishers” are applying for certificates in names of companies with mis-spellings that are very similar to real websites, e.g. “phypal.com” instead of “paypal.com” or “banskfamerica.com” instead of “bankofamerica.com”. So check the website name carefully.
    • If you are still unsure about the site’s validity, double-click the padlock icon to see the security certificate. In the “Issued To” in the pop-up window you will see the name matching the site you think you are on. If the name differs, you are probably on an unsafe site.
  • If your browser gives you a message about an “untrusted security certificate” for a website, do not proceed to the website, as it is not trustworthy.
• Do not download files or open attachments in emails from unknown senders. Even if emails are from known senders, be certain you know the files or attachments are trustworthy before downloading or opening them.
  • Files or attachments can contain malware that could infect your computer.
  • Be careful of links that offer bargain, low cost products. They could lead to webpages that can gain access to your credit card information.
• Beware of embedded links in emails that ask you to update your personal information or password, even if the email appears to come from someone you know. Phishing emails, in addition to looking legitimate by using company logos, etc., also try to look like a security-conscious organization by notifying you that your account was compromised and asking you to be proactive and re-register or change your password. They may even provide a hyperlink to make it “quick and convenient” for you. However when you click on the link and enter your information, it will steal your data. To prevent being “caught”:
  • Hover over the hyperlink to determine the address of the hyperlink. You should be able to tell if it is the official website address or a copy-cat.  Example: www.banskfamerica.com instead of www.bankofamerica.com.
  • Always enter the company website address yourself or look up the company phone number and call to see if they are requesting the information.  Legitimate businesses usually do not request personal information by email.
  • Never enter personal information through links provided in an email. Only login and enter personal information once you are sure you are on the official site.
• Beware of pop-ups and follow these tips:
  • Never enter personal information in a pop-up screen. Legitimate organizations do not ask you to submit information that way.
  • Do not click on links in a pop-up screen.
  • Do not copy web addresses from pop-ups into your browser.
  • Enable pop-up blockers.
• Use anti-spyware, firewalls, spam filters, and anti-virus software.
  • Anti-spyware and firewalls prevent phishing attacks from gathering data from your computer, e.g. webpages containing personal information, like credit cards.
  • Spam filters identify files that could contain unsolicited commercial email (UCE). Spam is identified based on the content, inaccurate header information, blacklisted files, known spammers or specific senders, or specific wording in the subject line or body of the email.
  • Antivirus software scans every file which comes through the Internet to your computer to prevent viruses from deleting files or directory information.
  • Update the programs regularly to assure they are able to block new viruses and spyware.  
• Consider setting up a free virtual private network (VPN) instead of using free, open, unsecured Wi-Fi networks that can be easily compromised. A Consumer Trust Survey found that 43% of the respondents use free, untrustworthy Wi-Fi networks.
• Password protect all your devices. 61% of the survey’s respondents indicated their tablets were not password protected. Many smartphones are also vulnerable, because they do not have strong, up-to-date anti-virus and malware protection and the operating systems are not routinely updated. Unfortunately many phones are not password protected either, because users say it takes too long to access the content. The use of thumbprints and facial recognition have helped to gain quicker access and make phones safer, but it is essential to have all devices password protected. Isn’t it better to take a little longer to log in than to allow devices to be unprotected and the target of phishing schemes?
• Be sure to use unique, strong passwords for all your websites. One-third of the respondents said they only use one or two passwords for all their websites. This is dangerous!
  • See hints for developing strong passwords in this previous newsletter article, Cybersecurity for Case Managers: Responsibilities of Individual CMs
• Be sure your operating system and browser are updated to the latest version that addresses the most current online risks.
• Whenever possible, do not allow websites to keep your payment information on file.
• Do not share too much information on social media, such as birthdays, anniversaries, children’s names, what you like, what you are doing at work, when you are going on vacation, etc.  All of this can be used to create very targeted and believable phishing attacks.
• Do not connect and share information with people you don’t know.
• Do not use your own personal email while at work or while on your organization’s network. Your Internet Service Provider and computer system may not be as well protected as that of your organization and could be more easily compromised.
• Do not click on ads, as they often contain malware or direct you to a phishing website. If you want to learn more about a product, directly enter the website or product name in the browser address.
• Go to Anti-Phishing Working Group for a list of current phishing attacks, helpful resources, and the latest news in the fight to prevent phishing.
• If you think you have been the victim of a phishing attack, be sure to report it right away to your organization, so it can be dealt with as soon as possible.  

The weakest link in any security system is the human element and that’s particularly true when it comes to phishing attacks. Employees are the biggest threat, since they are the ones who initiate the action that allows the phishing attack to occur.  In addition, hackers have become more creative in manipulating and influencing people, which allows them to gain access to computer systems and obtain sensitive information.

Staff Education, Testing, and Monitoring

The most important aspect in preventing phishing attacks is education. Management staff is responsible for making sure all staff members are routinely provided with phishing training and continuously tested and monitored to assure they can recognize the threats and know how to avoid them. Phishing training sessions are recommended at least every quarter to condition employees to look for and report phishing emails. This type of training and monitoring can reduce the percentage of successful phishing attacks. Some companies also include monthly “phishing tests” in which test emails are sent to all employees to see if they are able to identify and handle them appropriately. Those who get “caught” are reminded and given additional education. Companies that encourage employees to report potential phishing threats rather than reprimand them for failing phishing tests tend to have greater success in curtailing threats. 

The following are resources that include free phishing and cybersecurity quizzes, tests, tools, resources, and staff training programs that can be used by individual case managers to test their knowledge and awareness and by the management and IT staff to assess the organization’s level of potential threats, develop training and testing programs, and track program results. I hope you will find these useful.

Phishing Quizzes, Tests, and Tools

• Phishing Field Guide from Barkly. Good information for managers about how to recognize, avoid, and stop phishing attacks. The Appendix includes: free phishing tests, anti-spam and email filtering tools, examples of real-life phishing emails to use to test yourself or your employees.
• Top 9 (Free) Phishing Simulators from Infosec.  Phishing Training Programs designed to provide educational awareness, resources, and tools that allow you to create and run your own phishing program.
• Find Out What Percentage of Employees are “Phish-prone” from KnowBe4. Access to a free phishing security test for up to 100 employees.
• The Phishing Quiz tests your phishing knowledge to determine how skilled you are at detecting malicious phishing attempts.
• Phishing Your Employees 101 is a simple, open source toolkit and education program designed to help organizations quickly and easily set up phishing websites and lures that can be used to test their employees’ phishing awareness.
• GoPhish. A free, open source, user-interface tool for IT departments to use to develop their own phishing training, testing, and results tracking.
• State of Phishing Defense 2018 Report from Cofense outlines the top 10 phishing threats, with metrics on susceptibility and resiliency rates; shows why users respond to certain phishes and can be used to develop awareness training and phishing simulations.
• The Open DNS Phishing Quiz tests employees to see if they can delineate between legitimate and phishing websites.   

Cybersecurity Quizzes, Tests, and Tools

• Cybersecurity Lab from Khan Academy.  Cybersecurity 101 program, practice quizzes, and glossary.
• Cybersecurity Quizzes and Tests from the Mississippi Department of Information Technology Services. 12 tests to assess knowledge in different areas, e.g. phishing, internet surfing, laptop security, etc.
• End User Security Awareness Quiz.  A 20 question quiz to be taken after attending a training session or reviewing company policies.
• How to Test the Security Savvy of Your Staff from CIO. Provides 4 employee testing approaches to detect potential cybersecurity issues and ways to train employees.
• Protect Yourself Online from Microsoft’s Safety and Security Center.  Tips on creating strong passwords, protecting your information, and avoiding scams and hoaxes.
• Cybersecurity Quiz – Know Your Threats from PC World. 10 questions to help managers assess their awareness of cybersecurity dangers.  

Conclusion

There’s no question that phishing poses a significant danger to healthcare organizations, as it is the preferred method for hackers to gain access to systems in order to capture PHI and/or deploy ransomware for their financial gain. In addition, all system users are potentially able to fall victim to a phishing attack and introduce malware into the system, so that is a daunting challenge for the IT department, who have little control over how email and internet is used by all employees.   

As case managers, we must realize that cybersecurity is not just an IT function. Sure, the IT team does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards. While IT may be responsible for managing the overall cybersecurity of an organization, adopting security best practices, and deploying appropriate technology to lessen the chances that a phishing attack will succeed, each of us has an individual responsibility to be aware of what our roles are in assuring safe security practices. We need to be aware of our vulnerabilities and what we must do to assure the integrity of our computer systems. We need to be “stewards of security”, empowered and accountable to create a culture that raises awareness and reduces security incidents.

Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for “phishy” schemes. I’m sure you don’t want to be the one responsible for allowing a malware, virus, or spyware to gain access to your organization’s computer system, or worse yet, the one responsible for a devastating and costly data breach resulting from your phishing attack.   

Watch out for the “phish”!

NOTE: For more information about what each of us can do, refer to this previous newsletter article “Cybersecurity for Case Managers: Responsibilities of Individual CMs”.

Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.