A new study reports that phishing remains the leading cause of data security incidents for the third straight year, and the healthcare industry is the number one target of scammers.
According to the report, issued by BakerHostetler, 34 percent of the data security incidents the firm managed last year involved phishing, and more than a third—35 percent of its clients—were in the healthcare industry. “It definitely is a huge problem,” says Eric Packel, a partner in the firm who specializes in privacy, data security, and technology issues. “There’s not a week, not a day, that goes by that I don’t get another request on a phishing incident for a client. The healthcare industry may be more of a target because healthcare information stays with (people).”
A phishing attack is one in which an email message tricks the recipient into handing access credentials to an unauthorized party, visiting a phony website, or clicking a link that installs malware.
The cost is quite high: an average forensic investigation into a phishing attack costs more than $84,000, with the largest investigations costing nearly $437,000. The average time between the incident and its discovery is 66 days, followed by three days from discovery to containment and another 36 days to complete the forensic investigation and notification process. All 50 states have a data breach notification law requiring providers to notify patients and vendors whose information may have been compromised, and HIPAA imposes its own breach notification requirements on top of state law.
In particular, Packel says, phishing scammers use information such as Social Security numbers and healthcare identifiers, along with private details about illnesses and conditions, to create false identities and fraudulently bill Medicare, Medicaid, and other payers. In some cases they have gone further and redirected employees’ direct-deposit pay to accounts outside the country. “If the employee uses the same credentials in different applications (at work) and these credentials are given up in the phishing attack, then the attacker can go to the benefits system and redirect their paychecks,” Packel says.
According to the report, both sophisticated and unsophisticated hackers use phishing to obtain direct network access, convince employees to wire money, enable remote access with compromised credentials, or deploy malware and ransomware. “If you haven’t been targeted, you will be,” he says. “It’s not a matter of if, but when.”
One of the challenges for physicians and healthcare providers is that any employee, from the CEO down to temporary office workers, can be victimized. “As a matter of fact, when it comes to organizations, it’s the higher-level employees who are more likely to respond to these phishing emails because they’re so busy,” Packel says. “It’s not the lower-level employees or the less sophisticated employees. We’ve seen many physicians respond to these emails simply because they’re so busy, and they just want to move stuff along.”