Healthcare data is an attractive cyberattack target. It’s crucial and monetizable – and people, who are often a weak link in the security chain, have access to it.
In 2023, the Department of Health and Human Services Office for Civil Rights received reports of 541 data breaches involving 500 or more healthcare records each. Each of the 11 biggest breaches affected a minimum of 3 million individuals.
Chris Crellin, Senior Director of Product Management at Barracuda MSP, provides answers for managed services providers (MSPs) and value-added resellers (VARs) about the need for email security and phishing protection for your healthcare clients and what you can do to make healthcare data more secure.
Is it common for healthcare data breaches to begin with phishing attacks?
Crellin: Yes, phishing attacks are widespread in healthcare organizations. It is simple for hackers to send malicious links and attachments that will enable them to obtain an employee’s credentials to perpetrate other phishing attacks or, worse, to unleash a ransomware attack that proliferates their target’s network. And because healthcare organizations generally offer a treasure trove of protected healthcare information (PHI) and financial data, they are very attractive to cybercriminals.
How do phishing attacks usually occur and escalate?
Crellin: The hacker will begin by sending the targeted user at the healthcare organization an email that entices them to click on a link or open an attachment. Over the years, cybercriminals have advanced from what used to be a shotgun approach – aiming at targets to see what sticks to what has become a more calculated effort. Hackers will often spend a lot of time researching their targets, scraping social media profiles and other online resources to gather data on the target that will enable them to determine what will pique their interest and catch them off guard enough to click on a malicious link or open an attachment. Once this happens, it makes it easy for the hacker to access critical areas within the target’s network. They may target web servers, file servers, and more to perpetrate ransomware or steal credentials that enable them to do more targeted phishing attacks, including spoofing the organization’s high-level executives.
What can VARs and MSPs providing solutions and services to healthcare do to help their clients protect PHI and other vital data?
Crellin: Tools MSPs and VARs can leverage include AI-based email inbox protection, such as Barracuda Sentinel, that scans and blocks phishing and other email-based threats. AI spots anomalies, detects emails from fraudulent domains and more to prevent threats from entering the end user’s mailbox. Multifactor authentication is also helpful in safeguarding business applications and data access. It requires users to have more than one set of credentials when logging into their devices and accounts. Finally, MSPs and VARs should also consider data protection. A last line of defense, data protection, is needed in the event of a ransomware attack so that the client can quickly recover their data to ensure business continuity.
Is technology alone enough to protect data?
Crellin: While technology does go a long way in protecting healthcare organizations from cybercriminals, security awareness training will also help mitigate the risk of the human element, which is present in every business. MSPs and VARs should offer security awareness training – it’s one of the keys to protecting PHI and other vital data. When end users can be trained on what to watch out for and tested through regular, simulated phishing and other business email compromise (BEC) attacks, it helps improve the healthcare organization’s overall security posture.
Another vital tool is 24×7 monitoring of the healthcare organization’s application and data infrastructure through RMM solutions. This allows MSPs and VARs to flag any issues that arise so that they can be addressed sooner and mitigate damage more quickly.
What other advice can you give VARs and MSPs about email security for their healthcare clients?
Crellin: MSPs and VARs should be working with their healthcare clients by regularly reviewing their security postures to ensure the tools and solutions are in place to mitigate risk. Further, MSPs and VARS should also check to ensure that the security solutions and processes leveraged to protect their client’s data and that application infrastructures comply with industry regulations and standards, including HIPAA.