Many cyber attacks that are attributed to “hacking” or “malware” first enter the organization through an old, reliable channel: email.
Email is a door into the network. With a cleverly crafted message, attackers can convince employees to install malware, hand over access credentials, or take any number of other actions that open an entry point for a larger attack. Staff members thus become unwitting accomplices who help the attack succeed. A lapse of a few seconds can spark a data breach that harms the organization for years, and in many environments a single mistake by a single employee is enough to give attackers a foothold.
When we talk about email as a vessel for hacking or malware, we are usually referring to an attack called “phishing,” in which the attacker impersonates a trustworthy individual or institution in order to obtain sensitive information or induce the recipient to take a harmful action. Email-based attacks are very common and are growing more sophisticated. Broad-scale phishing emails, which are often easier to spot, are giving way to targeted spear-phishing emails, which are closely tailored to the recipient and far more convincing.
More than two-thirds (69%) of health IT professionals surveyed said their organizations experienced a spear phishing attack in the last 12 months, according to the Ponemon report. This happens almost exclusively through email, though in rare cases it occurs over the phone. When asked to consider their organization’s most recent major security incident, 62% of healthcare information security professionals said email was the initial point of compromise, according to the HIMSS report. This was far beyond any other channel mentioned (“other” was second at 13% and “don’t know” was third at 12%).
Most often, malicious emails try to trick recipients into opening a malware-laden attachment, clicking a link to a malicious website, or entering credentials into a counterfeit web form. The channel can also be used to leak or steal sensitive data directly: an attacker may convince an employee to reply to an email with access credentials or other sensitive information. Employees can also accidentally email patient data to the wrong person (a.k.a. “misdelivery”).
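The three lures described above (a malicious attachment, a link whose visible text does not match its destination, and a request to reply with credentials) all leave checkable traces in the raw message. The following is an added example, not code from the original article or from any vendor it mentions: it parses two constructed messages with Python's standard `email` package and reports which indicators are present. The sample messages, the `.test` domains, and the attachment-extension and phrase lists are all assumptions made for illustration.

```python
"""Phishing-indicator checks over raw RFC 822 messages (added example).

All sample messages and domains below are constructed for illustration;
nothing here is taken from a real incident.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Extensions that commonly carry executable payloads (assumption: a typical
# starting blocklist; tune to your environment).
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm"}

# Wording that often accompanies a request to reply with credentials (assumption).
CRED_PHRASES = ("reply with your password", "confirm your login", "verify your account")

DOMAIN_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})")


def registered_domain(addr_or_host):
    """Reduce 'user@sub.example.org' or 'sub.example.org' to 'example.org'."""
    host = addr_or_host.rsplit("@", 1)[-1].lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw):
    """Return the list of indicator names found in a raw message string."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(sender)

    # 1. Display-name spoofing: the visible name carries a domain that the
    #    actual sender address does not belong to.
    m = DOMAIN_RE.search(display.lower())
    if m and registered_domain(m.group(1)) != sender_dom:
        found.append("display-name/sender domain mismatch")

    # 2. Reply-To pointing away from the sender's domain: a reply containing
    #    credentials would go to the attacker, not to the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registered_domain(reply_to) != sender_dom:
        found.append("reply-to domain differs from sender")

    # 3. Link text shows one domain while the href leads to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', text, re.I):
        href_host = re.sub(r"^https?://", "", href).split("/")[0]
        lm = DOMAIN_RE.search(label.lower())
        if lm and registered_domain(lm.group(1)) != registered_domain(href_host):
            found.append("link text/href domain mismatch")
            break

    # 4. Executable or macro-enabled attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXT):
            found.append("risky attachment: " + name)

    # 5. Wording that asks the recipient to reply with credentials.
    if any(p in text.lower() for p in CRED_PHRASES):
        found.append("asks for credentials in reply")
    return found


# Constructed phishing message exhibiting all five indicators.
PHISH = """\
From: "Payroll Team payroll.example.org" <alerts@mail-notice.test>
To: nurse@example.org
Reply-To: collect@harvest.test
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please open <a href="http://login-portal.test/x">portal.example.org</a> and
reply with your password to confirm your login.</p>
--B1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--B1--
"""

# Constructed benign internal message.
BENIGN = """\
From: "Dr. Lee" <lee@example.org>
To: nurse@example.org
Subject: Schedule
Content-Type: text/plain; charset="utf-8"

See you at the 10am huddle.
"""

if __name__ == "__main__":
    print("phish :", phishing_indicators(PHISH))
    print("benign:", phishing_indicators(BENIGN))
```

Each check is deliberately simple and produces false positives on its own (legitimate newsletters use third-party link hosts, and some vendors set Reply-To to a ticketing domain), so in practice these signals feed a score or a quarantine rule rather than an outright block, and the attachment check should be paired with actual content inspection rather than trusting the filename extension.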
Email is the top location for data breaches reported to OCR from Jan. 1 to May 15, 2018, accounting for 25% of the total during the period.
Email is also the top location for data breaches reported to OCR in 2017, accounting for 23% of the total and impacting 11% of all affected individuals.
What Can You Do About It?
You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.