Over the course of 2018, one industry that was hit hard by cybersecurity threats and data breaches was healthcare. According to one Business Insider article, the healthcare industry accounted for 25 percent of the overall breaches, a number that was up from 2017. Painting an even grimmer picture for 2019 and beyond, the article described a lack of prioritization and budget in the industry for attack prevention efforts:
- Privacy and security are health firms’ third-highest priority, despite the growing attack threats
- Health firms are reluctant to make cybersecurity efforts an investment priority, despite the high cost of data breach remediation (think HIPAA penalties)
- Health firms have called for a change to policy that would make HIPAA-compliant health firms exempt from the hefty government breach penalties, arguing that organizations that expect to be penalized regardless of whether their countermeasures are up to snuff may underinvest in security
- Cybersecurity is underfunded primarily because the sophistication of cyberattacks increases at a faster rate than prevention capabilities, there are too many competing priorities, and the cost of countermeasures is too high
- If dollars allocated to cybersecurity can’t keep pace with the security threat, we’ll likely see a greater volume of breaches
Enter 2019, and the healthcare industry may soon regret its failure to prioritize cybersecurity. According to DataBreaches.net, “…in April, so far, we have 55 incidents, for which we have numbers on 50 incidents. Those 50 incidents affected 2,262,400 people.” They go on to explain that while these monthly numbers do not set a monthly record, they show growth. In fact, they are up over 25 percent from first quarter monthly totals, demonstrating an increase that most believe will continue into 2019 and beyond.
With cyberattacks on the rise, phishing is the number one attack vector. A recent SSL Store blog pointed to how susceptible the healthcare industry is to phishing attacks. They cited a study that showed one in seven phishing emails is opened by hospital employees, and we all know that while employee training is important, it takes just one infection to trigger a major data breach.
The 2019 Verizon Data Breach Report actually showed that many healthcare cyberattacks come from internal threat actors (59 percent), which take much longer to detect than outside threat actors. But one need only go back a few years to the Anthem breach, which started around February 2014 and went undetected for nine months. It all started with a spear phishing campaign. The attackers sent emails to WellPoint’s employees (Anthem was called WellPoint back in April 2014) that enticed them to run a “Citrix Gateway Secure Input” setup. The binary was actually a well-known backdoor named Sakula. Once an employee ran the binary (‘SecureInput.exe’), Sakula installed itself and their machine was infected. The next step was to launch a phishing page on the user’s screen that resembled the login page of Anthem’s corporate Citrix web gateway.
This is a classic phishing attack, where the attackers registered a domain (www.we11point.com) that is visually similar to the victim’s corporate web site (www.wellpoint.com). Unsuspecting users did not notice that the phishing domain was we11point.com, where there were two 1’s instead of two L’s.
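A defensive check for the lookalike pattern described above, as an added example that is not part of the original article: it folds visually confusable characters to a common form and compares the result against a protected domain. The confusable map, the protected-domain list and the simple label extraction (which assumes a single-label TLD such as .com) are constructed assumptions for illustration.

```python
import re

# Constructed, deliberately small map of look-alike substitutions (assumption).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def skeleton(label):
    """Fold confusable characters so visually similar labels compare equal."""
    out = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # multi-char first
        out = out.replace(src, CONFUSABLES[src])
    return out

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, protected=("wellpoint.com",)):
    """Return (verdict, matched_brand) for a hostname or URL seen in proxy/DNS logs."""
    host = re.sub(r"^[a-z]+://", "", host.lower()).split("/")[0].split(":")[0].rstrip(".")
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    label = labels[-2]  # registrable label, assuming a single-label TLD
    for brand in protected:
        brand_label = brand.split(".")[0]
        if skeleton(label) == skeleton(brand_label):
            return ("homoglyph", brand)
        if edit_distance(label, brand_label) <= 1:
            return ("typo", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample hostnames; the first two are the ones named in the article.
    for h in ["www.wellpoint.com", "www.we11point.com", "welpoint.com", "example.org"]:
        print(h, classify(h))
```

Plain edit distance alone scores we11point against wellpoint as 2, so a one-character typo threshold would miss it; the skeleton comparison is what catches the digit-for-letter swap.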
It is not hard to imagine what happened next. Victims entered their credentials into the fake login page. The hijacked credentials were then sent to the attacker’s command and control servers. Once the attackers acquired valid credentials, it was a simple matter for them to penetrate the entire Anthem/WellPoint network. The backdoor code was able to slowly move through the network, at times taking months to search and gain access to PII and sensitive information. Eventually the hackers hit the mother lode in the form of a data warehouse that contained confidential information for over 78 million people. As soon as they had access to this massive amount of data, the hackers ran queries, encrypted files, put the data in storage, transferred it to other servers in the U.S. and eventually to China, all the while trying to cover their tracks by deleting any evidence they might have left behind.
Since the breach became public, Anthem has paid $115 million to settle a lawsuit along with a $16 million payment to the government who said they “failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Healthcare employees are often tired, overworked, and moving quickly to provide the health services they do. Combine these human factors with a lack of cybersecurity urgency, and you create a recipe for potential disaster.
What healthcare industry organizations need in these cases is a zero-hour, real-time phishing threat prevention solution that enables them to block employee web traffic to phishing sites, stopping the attack near the start of the kill chain, before malware downloads and credentials are stolen. Take the first step to reduce exposure to fast moving phishing sites by using SlashNext Real-Time Phishing Threat Intelligence. It identifies live zero-hour threats in real-time and allows organizations to respond in real-time with automated blocking through integration with their firewall.
A diligent second step would be to use the SlashNext Targeted Phishing Defense solution to protect against targeted patient zero attacks. It’s automated and uses real-time detection to identify data exfiltration, C2 communications and targeted phishing threats that slower technologies seem to miss. These types of threats could be signs of early infiltration and a breach that might otherwise go undetected.