Several major health systems have reported an onslaught of phishing, spoofing, and ransomware incidents. While these healthcare cyber attacks use different tactics, they all share the same end goal: to steal sensitive patient information.
Phishing Attack Targets UMass Memorial Health
UMass Memorial Health recently informed patients that their protected health information (PHI) was potentially compromised in a healthcare cyber attack stemming from a phishing incident. UMass Memorial became aware that an employee email account had been breached and contracted a third-party forensic firm to investigate the scope and nature of the incident. While the investigation could not determine whether or not PHI was accessed in the incident, PHI was contained in some of the emails and attachments in the employee’s email account.
PHI potentially exposed in the incident varied by individual, but may have included names, dates of birth, medical record numbers, health insurance information, clinical or treatment information, dates of service, provider names, diagnoses, procedure information, prescription information, subscriber ID numbers, benefits election information, Social Security numbers, and driver’s license numbers. The incident, which occurred from June 2020 to January 2021, impacted the PHI of 3,099 patients.
UMass Memorial Health released a statement in response to the healthcare cyber attack, “We regret any concern or inconvenience this incident may cause, and we remain committed to protecting the confidentiality and security of our patients’ and health plan participants’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multifactor authentication.”
Spoofing Incident Targets Hospital Patients
In this context, spoofing incidents occur when a malicious actor calls individuals while posing as a trusted company, often displaying a false caller ID to trick call recipients. While some of these incidents are easily recognizable as a scam, others are more targeted, making them difficult for call recipients to detect. One such incident recently reported targeted patients of Henry Ford Health System.
In a statement released on October 17, 2021, Henry Ford warned patients of the spoofing incident, in which malicious actors attempt to trick patients into divulging their sensitive banking information by claiming that the hospital is issuing them a refund. While the incident is ongoing, the statement notes that Henry Ford operators are receiving up to 200 calls a day regarding the scam.
John Fowler, interim chief information privacy and security officer at Henry Ford, explained, “We don’t believe callers are identifying themselves as a representative of Henry Ford, but we are very concerned that scammers are using our number in a fraudulent way. This is extremely concerning. We want people to trust that when they get a call from Henry Ford, we are reaching out to them with important information about their health. And with hundreds of people calling each day simply because they think we’ve called them, our operators are facing some serious challenges.”
UF Health Cyber Attack Risks PHI of 700K Patients
UF Health Central Florida is subject to a lawsuit after a healthcare cyber attack targeting their EHR platform compromised the PHI of 700,000 patients. The incident led to significant EHR downtime in which employees were forced to rely on pen and paper to keep patient records. It reportedly also affected patient care due to the lack of access to computer systems that employees rely on to do their jobs.
The lawsuit alleges, “Until notified of the breach, Plaintiff and Class Members had no idea their PIT and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.”
How to Prevent Healthcare Cyber Attacks
There are measures healthcare organizations can implement to prevent cyber attacks. Most ransomware and phishing attacks can be stopped, or at least contained, by security controls that prevent, detect, and respond to incidents. It is also essential to train employees on how to recognize potential threats and what to do if they suspect a breach has occurred.
Implementing Advanced Security Measures
There are minimum security measures that every healthcare organization should have in place to prevent unauthorized access to PHI and ensure its confidentiality, integrity, and availability.
- Encryption: to prevent unauthorized PHI access by threat actors, it is important to implement encryption, specifically end-to-end encryption (E2EE). E2EE encrypts sensitive data so that only the sending and receiving endpoints can read it; anyone intercepting it as it is transmitted from one system to another sees only ciphertext.
- Multifactor Authentication: any system that has the potential to access PHI should have multifactor authentication (MFA) enabled to ensure that users are who they claim to be. MFA adds an additional layer of security because it requires users to present more than one credential to access a platform. These credentials may include a username and password in combination with a one-time PIN, security questions, or biometric data. With MFA in place, an attacker who obtains an employee's username and password still cannot log in without the second factor.
- Access Management: HIPAA requires healthcare organizations to limit employee access to PHI to only the information they need to perform their job functions. While this prevents unauthorized employee access to PHI, it also limits what an outsider can reach: should an attacker gain access to one employee's account, they would not necessarily be able to access the organization's entire network, only the particular information that employee is authorized to see.
- Audit Logs: quick detection of a breach is the key to limiting the damage it causes, which is why keeping audit logs is so important. Audit logs track access to PHI, including which employees access what information. This allows administrators to establish access patterns for each employee and detect when an employee's login credentials are being used outside of their normal patterns.
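The access-management and audit-log points above describe two checks an administrator can run over PHI access records: does each access fall within what the user's role is permitted to see ("minimum necessary"), and does it fit the user's established pattern? The following is an added example, not code from the article or from any of the health systems it names; the roles, users, baselines, and audit log lines are all constructed for illustration, and the pipe-delimited log format is an assumption.

```python
"""
Added example (not from the article): applying "minimum necessary" access
rules and baseline-based anomaly detection to constructed PHI audit log
entries. Every role, user, baseline and log line below is constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed role -> permitted PHI categories ("minimum necessary").
ROLE_PERMISSIONS = {
    "nurse": {"clinical", "prescription"},
    "billing": {"insurance", "demographics"},
    "physician": {"clinical", "prescription", "diagnosis"},
}

# Constructed per-user baselines, as if learned from prior weeks of logs:
# usual working hours (24h clock, start inclusive, end exclusive) and the
# typical number of patient records viewed per day.
BASELINES = {
    "nurse_amy": {"hours": (7, 19), "records_per_day": 25},
    "bill_bob": {"hours": (8, 17), "records_per_day": 40},
    "dr_chen": {"hours": (6, 20), "records_per_day": 30},
}

USER_ROLES = {"nurse_amy": "nurse", "bill_bob": "billing", "dr_chen": "physician"}

# Constructed audit log; assumed format "timestamp|user|patient_id|category".
SAMPLE_LOG = """\
2021-10-18T08:12:00|nurse_amy|P1001|clinical
2021-10-18T08:15:00|nurse_amy|P1002|prescription
2021-10-18T09:00:00|bill_bob|P1001|insurance
2021-10-18T09:05:00|bill_bob|P1003|clinical
2021-10-18T02:40:00|dr_chen|P1004|diagnosis
2021-10-18T02:41:00|dr_chen|P1005|diagnosis
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, category = line.split("|")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "category": category,
        })
    return entries


def check_minimum_necessary(entries):
    """Flag accesses to PHI categories the user's role is not permitted to see."""
    findings = []
    for e in entries:
        allowed = ROLE_PERMISSIONS[USER_ROLES[e["user"]]]
        if e["category"] not in allowed:
            findings.append(("role_violation", e["user"], e["patient"], e["category"]))
    return findings


def check_baselines(entries):
    """Flag accesses outside the user's usual hours or above usual daily volume."""
    findings = []
    per_user_day = Counter()
    for e in entries:
        start, end = BASELINES[e["user"]]["hours"]
        if not (start <= e["ts"].hour < end):
            findings.append(("off_hours", e["user"], e["patient"], e["ts"].isoformat()))
        per_user_day[(e["user"], e["ts"].date())] += 1
    for (user, day), count in per_user_day.items():
        if count > BASELINES[user]["records_per_day"]:
            findings.append(("volume", user, str(day), count))
    return findings


def analyze(text=SAMPLE_LOG):
    """Run both checks and return every finding as a tuple (kind, user, ...)."""
    entries = parse_log(text)
    return check_minimum_necessary(entries) + check_baselines(entries)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the constructed log this reports one role violation (a billing user reading a clinical record) and two off-hours accesses (a physician account reading diagnoses at 02:40, outside that user's baseline hours); the volume check only fires once a user exceeds their usual daily record count. In practice the baselines would be derived from the organization's own audit history rather than hard-coded.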
Employee Cybersecurity and HIPAA Training
Employee error is one of the leading causes of healthcare breaches. As such, one of your best defenses against healthcare cyber attacks is employee training. Under HIPAA, employees must receive training on cybersecurity best practices as well as HIPAA training. To ensure that employees properly use the technology they have access to, they should also receive training on the proper use of new software platforms before being given access to them.