The coronavirus has presented hospitals with numerous challenges. And as if COVID-19 isn’t enough to deal with, hackers have stepped up their game with social engineering phishing attacks! In this guest post, Ian Baxter, VP of pre-sales engineering at a company that provides a self-learning email security platform, explains what these new cyberattacks entail, and how hospitals can protect themselves from them.
Data breaches are – to put it mildly – bad for business. It’s no wonder that companies around the world, from enterprises to start-ups, have increased their investments in cybersecurity over the past decade: it’s much less expensive to prevent cyberattacks than it is to repair the damage after they occur. From data theft and extortion to the lingering reputational damage that follows, cyberattacks often cost businesses much more than just numbers on the bottom line.
A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center found that financial services firms on average spend 10% of their IT budgets on cybersecurity. Yet it’s been reported that the healthcare industry spends just 5% of its IT budget on cybersecurity, despite holding some of the most sensitive and regularly sought-after information on individuals available.
Combined with the rise in COVID-related phishing attacks, it’s no surprise that we’ve seen a high-profile attack this year that snuck past the defenses of a major health insurer. In April, Fortune 500 company Magellan Health discovered it had fallen victim to a ransomware attack. Hackers first gained access to the company’s network through a social engineering phishing scheme that impersonated a Magellan client. The exposed data included names, contact information, employee ID numbers and tax forms, including Social Security numbers or taxpayer identification numbers. The hackers also leveraged malware to steal the login credentials and passwords of a number of Magellan employees.
Social engineering phishing attacks on the rise
While healthcare companies are keenly aware of the dangers of traditional phishing attacks and have made investments to protect against them, a new form of phishing is exploding: social engineering attacks.
Traditional secure email gateways (SEGs) focus on what is in the email, whether a malicious link or attachment, and they generally do a decent job at preventing those types of emails from getting through to intended victims. Because these defenses are generally stalwart, hackers have had to adapt and change their tactics – after all, these folks aren’t the stereotypical “14-year-old kid sitting in the basement,” but rather organized groups that launch sophisticated, targeted attacks and make a considerable profit.
To bypass SEGs, hackers have turned to social engineering attacks, which contain no malicious content that these security systems are built to detect. Instead, these emails are designed to look like they come from someone you know. In the Magellan example, hackers were ingenious in framing themselves as a client. And who doesn’t want to immediately respond to a client or customer request?
Other common variations of these attacks impersonate someone else the recipient knows – a colleague, boss, friend or family member. There are four common variations of these requests: employee availability checks (“are you at your desk?”), requests to carry out an unspecified task, requests to purchase gift cards, and financial requests, such as changing a direct deposit location or bank details, or asking for a payment.
Healthcare companies need an added layer of security
Cybercriminals are opportunistic, and they constantly prey on the only vulnerability that can’t be patched – humans – or so they think.
For companies to protect their data and employees, they need to start thinking differently about email security – that is, security that can determine who the sender of an email really is and analyze the language used in the email. As a percentage of overall attacks, malicious content is declining. What is in vogue for attackers right now is phishing emails with malicious intent but no malicious payload – also known as social engineering attacks.
A new technology is emerging to prevent these attacks – Natural Language Processing (NLP), which can diagnose an email just like a drive-through COVID-19 test. It works like this: an email is sent and gets through the first stage of security because it has no link and no malicious content. NLP then analyzes the actual language of the email, looking for suspicious patterns like the aforementioned availability checks or financial requests. Companies that rely on traditional indicators of compromise (IOCs), such as malicious links or attachments, won’t identify these attacks in real time.
To further boost security infrastructure, natural language processing uses machine learning and artificial intelligence to collect and analyze the metadata and syntax of emails, looking for patterns to watch for and flag. This added layer of scrutiny also helps to prevent vendor account compromise by picking up differences in language between internal and external senders, and between a sender’s usual style and a suspect message. That’s why natural language processing can achieve such strong results compared to traditional software that simply matches keywords and back-end signatures.
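To make the two ideas above concrete – checking who the sender really is, and reading the body for the four request styles listed earlier – here is a small Python sketch. It is an added example written for this page, not the vendor’s product or any code from the post; the domain, staff directory and sample messages are constructed, and the regexes stand in for the learned models a real NLP engine would use.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the organization's own domain and a staff directory
# (display name -> legitimate mailbox). Hypothetical, not from the post.
INTERNAL_DOMAINS = {"example-health.org"}
DIRECTORY = {"dana reyes": "dana.reyes@example-health.org"}

# The four request styles the post lists, as simple phrase patterns on the body.
# A production NLP engine would learn these; regexes stand in for it here.
INTENT_PATTERNS = {
    "availability_check": r"\b(are you (available|at your desk|free)|got a (minute|moment))\b",
    "vague_task": r"\bneed (you to do|a favou?r|you to handle) (something|a task)\b",
    "gift_card": r"\b(gift ?cards?|itunes|google play)\b",
    "financial_change": r"\b(direct deposit|bank (details|account)|wire transfer|payment)\b",
}

def analyze_email(headers, body):
    """Score one message on who the sender is and what the language asks for.
    headers: dict with 'From' and optional 'Reply-To'; body: plain text."""
    findings = {"intents": [], "sender_flags": []}
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    # Display name of a known employee, but the mailbox is not theirs
    known = DIRECTORY.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings["sender_flags"].append("display_name_impersonation")
    # Reply-To silently steering replies to a different mailbox
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings["sender_flags"].append("reply_to_mismatch")
    text = body.lower()
    for intent, pattern in INTENT_PATTERNS.items():
        if re.search(pattern, text):
            findings["intents"].append(intent)
    # Request language from a colleague is normal; from an outside or
    # impersonated sender it is the signal the post describes.
    findings["score"] = (len(findings["intents"]) * (2 if external else 1)
                         + 3 * len(findings["sender_flags"]))
    findings["verdict"] = "suspicious" if findings["score"] >= 3 else "ok"
    return findings

if __name__ == "__main__":
    # Constructed sample: impersonated executive asking for gift cards
    print(analyze_email(
        {"From": "Dana Reyes <dana.reyes.ceo@gmail.com>"},
        "Are you available? I need you to handle something for me. "
        "Please buy 5 gift cards and send me the codes."))
```

The same availability question from the real internal mailbox scores low, which is the point: the request style alone is not the signal, the combination with sender identity is.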
As the Magellan incident shows, the consequences can be severe. The attackers were able to harvest compromising information from accounts associated with employees at the company. Further, at least six Magellan affiliate companies, including health plans, plus three University of Florida-related entities that offer their employees Magellan health plans, are on the breach list, as noted on the Department of Health and Human Services HIPAA Breach Reporting Tool.
So far, the breach reports show that more than 355,000 individuals were affected by the Magellan incident, making it the fourth largest health data breach reported to HHS in 2020 to date.
As noted in the most recent Verizon Data Breach and Incident Response report, the vast majority (67%) of data breaches are caused by social attacks such as phishing. While healthcare companies and others have taken steps to implement traditional SEG security, it’s simply not sufficient to stop today’s modern phishing attacks. It’s essential to invest in new email security tools that deploy NLP and automate both the detection and the analysis of emails, freeing up IT to focus on the big picture while keeping company data safe.