Teach a Man to Phish: Understanding Security Threats in the Era of Cyber Crime
Give a man a fish and feed him for a day, teach a man to phish and he'll likely try to deploy Ransomware to your system and compromise your data.
As the world grows increasingly driven by technology, so too do the dangers looking to capitalize on it.
Healthcare Cyber Attack Trends
Cyber security threats have been rising steadily over the last decade across all industries; specifically within healthcare, breaches have increased >80% since 2010. In 2018 alone, the number of breached records tripled to 15 million compared to 2017. Back in 2015, Anthem health was hit by one of the largest cyber-attacks to date, compromising 78.8 million individual patient records, which cost Anthem alone $260 million to resolve. On average, though, these attacks result in approximately $9.2 million in losses and create a system downtime of 22 days, which can be extremely dangerous for healthcare providers.
So, why has the number of attacks been rising, and how do they work? How can we be vigilant against them in the future?
Data Breaches vs Ransomware Attacks
Firstly, it is important to delineate between Data Breaches and Ransomware attacks, as they operate slightly differently and with distinct goals for the attacking group. UpGuard's article on the subject does a good job forming the distinction: the intent of a Data Breach is to access and steal sensitive information, either to sell it on Dark Web markets (covert parts of the internet that operate on specific software and network configurations) or simply to publish it for public view. This differs from Ransomware attacks, which generally have no intent to view or publish the stolen data; instead, the data is encrypted and can only be decoded with a decryption key held by the hacking group. The goal is to obtain the data, lock it down, and then sell the decryption key back to the targeted organization. However, this has been pivoting recently. Because the FBI strongly discourages paying ransom for these decryption keys (payment does not guarantee any safe return of data), some hacking groups have started threatening slow releases of parts of the data as an incentive to pay up.
Cyber Attacks on the Rise
So, why the increase in cyber-crime in recent years? Performing sophisticated cybersecurity attacks used to require that the person in question be equipped with significant coding and networking skills, but that is no longer the case. We all know about SaaS (Software as a Service), but nowadays the Dark Web is rife with RaaS products, or Ransomware as a Service.
Like SaaS, this Ransomware is created and packaged by experts and then sold in a usable format to whoever pays for it, dramatically reducing the barrier to entry for this extremely profitable "solution". From there, the purchasing group is able to deploy the attacks of their own volition, with the RaaS providers receiving a cut of whatever profit is made. This raises the question: does a ransomware attack count as a data breach?
Data Security and HIPAA
While having data encrypted during a Ransomware attack does not technically trigger HIPAA's Breach Notification Rule (45 CFR §§ 164.400-414), any form of exfiltration (e.g., releasing parts of the data as an incentive for organizations to pay) does fall under the rule. Given the increasing complexity of these attacks, it is probably safest to simply report any breach that occurs in order to avoid penalties under HIPAA.
Phishing for Clicks
Think back to your last employee security training session - maybe it was last year or you haven't had one since your onboarding. How much did you pay attention? Did you take it seriously? How bad can suspicious emails really be?
As it turns out, email phishing attacks are one of the most popular ways to attack an organization, with nearly 60% of healthcare organizations reporting in 2020 that they had experienced some form of phishing attack. These phishing attacks rely on negligent or uneducated employees falling for their tricks, and all it takes is one person clicking a malicious link to install the malware onto your system and compromise your data (fun fact: Cisco's 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link in ~86% of organizations).
These email phishing attacks rely on social engineering, which is simply the process of tricking the employee into clicking the link and downloading the malware, usually by instilling fear or alarm, or by pretending to offer needed information. You can see an example in the image below, where the phisher is pretending to be the CDC, sending from what looks like a CDC email address, with a link to the CDC's website in the text. However, as highlighted, that link actually leads to the malware that would compromise the system.
Defending your Data
It may sound trite, but one of the most effective ways to protect your organization from phishing, and many other forms of attack, is proper education and training on identifying suspicious material. Whether attackers are cloning websites or emails, manipulating links, or intercepting your secure messages, these attacks are growing increasingly complex and hard to identify, further underscoring the need for effective training on the subject.
At a high level, here are some key items to be on the look-out for:
Links in emails: hover over them to confirm their real destination
Confirm suspicious emails from colleagues/bosses
Be wary of websites redirecting you to similar looking sites
Emails that create a sense of urgency or fear
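The first two checks above (does the link really go where it says it does, and does the host merely look like a trusted one?) can also be automated at the mail gateway. The following Python script is an added illustration and is not code from the original post or from Claim Capital; the sample message, the `.example.net`/`.example.com` hosts and the `TRUSTED_DOMAINS` allow-list are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). Link 1 shows the CDC address but
# goes elsewhere; link 2 is genuine; link 3 hides a lookalike host behind "Click here".
SAMPLE_EMAIL_HTML = """<p>Guidance: <a href="http://cdc-gov-updates.example.net/info">
https://www.cdc.gov/coronavirus</a>, <a href="https://www.cdc.gov/flu">https://www.cdc.gov/flu</a>
and <a href="http://www.cdc-gov.example.com/">Click here</a> for the form.</p>"""

TRUSTED_DOMAINS = {"cdc.gov"}  # assumption: an allow-list the defender maintains

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(url):
    """Host part of a URL or bare domain, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registrable_domain(url):
    """Simplified: last two labels of the host ('www.cdc.gov' -> 'cdc.gov')."""
    return ".".join(hostname(url).split(".")[-2:])

def flag_suspicious_links(html):
    """Return (href, reason) for links a reader should not trust at face value."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, dom = hostname(href), registrable_domain(href)
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)  # URL-like visible text
        if shown and registrable_domain(shown.group(0)) != dom:
            findings.append((href, "visible text names a different domain"))
        elif dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append((href, "lookalike of a trusted domain: " + host))
    return findings
```

Run `flag_suspicious_links(SAMPLE_EMAIL_HTML)` to see links 1 and 3 flagged while the genuine cdc.gov link passes; the registrable-domain logic is deliberately simplified and would need a public-suffix list for production use.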
At Claim Capital, data security is one of our highest priorities and always on our mind as we work to improve your revenue cycle. To learn more about how we can reduce your claim denials through root cause determination with machine learning, read more about our process and how CARMA, our Claims and ReMittance Analysis system, works to help get you paid what you deserve on your claims.