E-mail is a pervasive target for hackers to exploit in healthcare, and the problem is predicted to get worse. A 2018 HIMSS and Mimecast survey revealed that 87% of the CIOs and IT directors surveyed believed that e-mail poses the greatest vulnerability to exploitation by hackers. E-mails sent by nefarious sources can cleverly deceive end users by looking legitimate and can contain links with embedded malware, viruses, and ransomware; all it takes is one click for an organization to be compromised.
Over the last decade, healthcare staff have reported growing frustration over the increased time spent entering information into EMR systems, and have reported burnout. According to a KHN article, "Death by a Thousand Clicks":
“Many doctors say they spend half their day or more clicking pulldown menus and typing rather than interacting with patients. An emergency room doctor can be saddled with making up to 4,000 mouse clicks per shift.”
This burnout with technology systems can potentially lead an end user to mistakenly click on a malicious link in an e-mail, which can infect hospital IT systems without the user even knowing.
Hackers use phishing to exploit e-mail systems. Phishing is an attempt to deceive targets into sharing sensitive information, such as login credentials, financial information, or patient health information, by disguising the e-mail as coming from a legitimate source such as co-workers or vendors. Links provided in these e-mails may lead to malware/viruses or redirect you to a page that looks legitimate and requests further information.
Here is an example of a phishing e-mail we received several months ago, when a West Texas hospital's e-mail addresses were being used to send out phishing e-mails.
Bethlyn Rogers <firstname.lastname@example.org>
Subject: Invoice #US-29698548
Inv# 29698548 has been paid by wire on Feb/13/2019. Payment was sent from Danny Cole, pls check.
Have a great day!
Upon inspection, many things about this e-mail raised red flags. Mr. Cole was in fact a person identified as being employed at this hospital, but the subject line and contents of the e-mail were suspicious, as an invoice from them to us made no sense in context. However, suppose someone was new to our organization and thought this was a client sending payment information; one can see how easily that person could be enticed to click on the link.
When in doubt, do not click on any links, and notify the IT department to see whether they are seeing an increase in potentially malicious e-mails. Many employees may be unaware that even the best e-mail filters are not able to filter out a small percentage of phishing e-mails, especially in instances of spoofing, where the e-mail appears to be from a legitimate source and not the threat actors.
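To make the filtering limitation concrete, here is an added example (not from the original article or any vendor's product) of the header checks a mail gateway or analyst can apply to a suspect message. The domains, the `mx.example.org` gateway name and both sample messages are constructed assumptions; the second sample shows why mail sent from a mailbox the sender really controls passes these checks.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumed: our own inbound gateway's authserv-id

def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of spoofing indicators found in one raw message."""
    msg = message_from_string(raw)
    flags = []
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != _domain(msg["From"]):
        flags.append("reply-to-domain-differs")
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        # Ignore results not stamped by our gateway: a sender can forge this header.
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    if results.get("dmarc") != "pass":
        flags.append("dmarc-not-pass")
    return flags

# Constructed sample: From claims the hospital, but authentication fails.
SPOOFED = "\n".join([
    'From: "Accounts Payable" <ap@hospital.example>',
    "Reply-To: ap@hospital-billing.example",
    "Subject: Invoice #0000",
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example;"
    " dmarc=fail header.from=hospital.example",
    "", "Invoice has been paid, pls check."])

# Constructed sample: sent through the real domain, so every check passes.
REAL_MAILBOX = "\n".join([
    'From: "Accounts Payable" <ap@hospital.example>',
    "Subject: Invoice #0000",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=hospital.example;"
    " dkim=pass header.d=hospital.example; dmarc=pass header.from=hospital.example",
    "", "Invoice has been paid, pls check."])

if __name__ == "__main__":
    print(triage(SPOOFED), triage(REAL_MAILBOX))
```

An empty result for the second message means only that the headers are consistent; the out-of-context invoice still has to be caught by the reader.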
77% of healthcare providers surveyed in the HIMSS and Mimecast survey said they use email to send and receive PHI, and 93% view email as mission critical to their organization. In fact, nearly half (43%) said their organization can’t afford any email downtime whatsoever.
An ounce of prevention is worth a pound of cure, and that’s certainly the case for training and awareness to detect targeted malicious e-mails in the healthcare sector. Mandry Technology provides healthcare entities with phishing simulation and awareness training to help train employees to spot nefarious e-mails through simulated e-mail attacks. Various sources indicate that entities who perform phishing simulations and security awareness training can decrease the number of nefarious e-mail link clicks by up to 90%.