Healthcare data is an attractive cyberattack target. It is critical to operations, it is easy to monetize, and the people who handle it are often the weakest link in the security chain. One of the latest healthcare data breaches occurred at UC San Diego Health. From December 2020 through April 2021, attackers had access to names, addresses, birth dates, Social Security numbers, payment account numbers, email addresses, insurance claims information, lab results, medical diagnoses and more. Investigators traced the breach back to unauthorized access to employee email accounts, further evidence that healthcare organizations need email security solutions that include phishing protection.
Chris Crellin, Senior Director, Product Management at Barracuda MSP, answers questions from managed service providers (MSPs) and value-added resellers (VARs) about the need for email security and phishing protection for healthcare clients and what providers can do to make healthcare data more secure.
Is it common for healthcare data breaches to begin with phishing attacks?
Crellin: Yes, phishing attacks are very common in healthcare organizations. It is very simple for hackers to send malicious links and attachments that will enable them to obtain an employee’s credentials to perpetrate other phishing attacks or, worse, to unleash a ransomware attack that proliferates across their target’s network. And because healthcare organizations generally offer a treasure trove of data in the form of protected health information (PHI) and financial data, they are very attractive to cybercriminals.
How do phishing attacks usually occur and escalate?
Crellin: The hacker will begin by sending the targeted user at the healthcare organization an email that entices them to click on a link or open an attachment. Over the years, cybercriminals have advanced from what used to be a shotgun approach, aiming at many targets to see what sticks, to what has become a more calculated effort. In fact, hackers will often spend a lot of time researching their targets, scraping social media profiles and other online resources to gather data on the target that will enable them to determine what will pique their interest and catch them off guard enough to click on a malicious link or open an attachment. Once this happens, it makes it very easy for the hacker to access critical areas within the target’s network. They may target web servers, file servers, and more to either perpetrate ransomware or steal credentials that enable them to do more targeted phishing attacks that even include spoofing the organization’s high-level executives.
What can VARs and MSPs providing solutions and services to healthcare do to help their clients protect PHI and other vital data?
Crellin: Tools MSPs and VARs can leverage include AI-based email inbox protection, such as Barracuda Sentinel, that scans and blocks phishing and other email-based threats. AI spots anomalies, detects email from fraudulent domains and more to prevent threats from entering the end user’s mailbox. Multifactor authentication is also a good tool for safeguarding access to business applications and data. It requires users to have more than one set of credentials when logging into their devices and accounts. Finally, MSPs and VARs should also consider data protection. As a last line of defense, data protection is needed in the event of a ransomware attack so that the client can quickly recover their data to ensure business continuity.
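The "fraudulent domain" and "spoofing the organization’s high-level executives" checks mentioned above can be illustrated with a few lines of header analysis. The following is an added example written for this page; it is not Barracuda Sentinel code and does not show how that product works. The client domain `example-health.org`, the executive names, and the sample messages are all constructed for illustration, and the homoglyph table and edit-distance threshold are assumptions a real deployment would tune.

```python
"""Flag lookalike sender domains and executive impersonation in email headers.

Added example, not vendor code. ORG_DOMAIN, EXECUTIVES and SAMPLES are
constructed for illustration.
"""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"          # hypothetical protected client domain
EXECUTIVES = {"Jane Doe", "John Roe"}      # hypothetical display names attackers spoof
LOOKALIKE_THRESHOLD = 2                    # assumed edit-distance cutoff after normalisation


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks (0/o, 1/l, 3/e, 5/s, rn/m, vv/w) so that
    visually similar domains compare equal before the edit-distance check."""
    folded = domain.lower().translate(str.maketrans("0135", "oles"))
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance (dynamic programming, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when an external domain is within the threshold of the org domain."""
    return edit_distance(normalize(domain), normalize(ORG_DOMAIN)) <= LOOKALIKE_THRESHOLD


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def classify(raw_message: str) -> list:
    """Return a list of finding labels for one RFC 822 message (empty = clean)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    findings = []
    # 1. Lookalike check on every domain the reply would actually go to.
    for label, dom in (("from", from_domain), ("reply-to", reply_domain)):
        if dom and dom != ORG_DOMAIN and is_lookalike(dom):
            findings.append(f"{label}-lookalike-domain")
    # 2. A protected executive's name on mail that did not originate internally.
    if display_name.strip() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive-impersonation")
    # 3. Reply-To pointing somewhere other than the visible sender's domain.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example-health.org>\nSubject: Schedule\n\nSee attached.\n",
    "lookalike": "From: Jane Doe <jane.doe@exarnple-health.org>\nSubject: Urgent wire\n\nCall me.\n",
    "freemail_exec": "From: Jane Doe <janedoe.ceo@gmail.com>\nSubject: Gift cards\n\nQuick favor.\n",
    "reply_to": ("From: Billing <billing@example-health.org>\n"
                 "Reply-To: billing@examp1e-health.org\nSubject: Invoice\n\nPay here.\n"),
}


def run_all() -> dict:
    """Classify every sample; used by the usage section below."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name:14s} -> {findings or 'clean'}")
```

The threshold of two edits after normalisation catches `exarnple-health.org` and `examp1e-health.org` but deliberately ignores a legitimate partner such as `example-health.com` (three edits away); a production filter would pair this with sender authentication results (SPF/DKIM/DMARC) rather than rely on string similarity alone.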
Is technology alone enough to protect data?
Crellin: While technology does go a long way in terms of protecting healthcare organizations from cybercriminals, security awareness training will also help to mitigate the risk of the human element, which is present in every business. MSPs and VARs should offer security awareness training; it really is one of the keys to protecting PHI and other vital data. When end users have the opportunity to be trained on what to watch out for and then tested through regular, simulated phishing and other business email compromise (BEC) attacks, it helps to improve the healthcare organization’s overall security posture.
Another important tool is 24×7 monitoring of the healthcare organization’s application and data infrastructure through RMM (remote monitoring and management) solutions. This allows MSPs and VARs to flag any issues that arise so that they can be addressed sooner and mitigate damage more quickly.
What other advice can you give VARs and MSPs about email security for their healthcare clients?
Crellin: MSPs and VARs should be working with their healthcare clients by conducting regular reviews of their security postures to ensure that the tools and solutions are in place to mitigate risk. Further, MSPs and VARs should also check to make sure that the security solutions and processes used to protect their clients’ data, and the application infrastructures themselves, comply with industry regulations and standards, including HIPAA.