You are here

Focusing on Phishing: Why It’s Important for Your Information Security Program

An issue that every healthcare organization needs to focus on is social engineering. In general, social engineering describes any type of attack in which an organization’s employees – not its systems – are the targets. While social engineering can take many forms, when it comes to targeting healthcare businesses, it most often involves the use of deceitful techniques to manipulate an employee into divulging patient information or performing an action that could lead to the release of secure information.

This method has become a key component of hackers’ strategy for breaking into healthcare entities because it allows them to circumvent the thousands of dollars in information security systems that the entities have in place. Two types of social engineering threats that all healthcare entities should be prepared for are: 

Phishing – Fraudsters spoof an email that appears to come from a legitimate sender. Often the email contains a dangerous file attachment or a link to a site that tricks the reader into entering sensitive information like logon credentials. 

Spear phishing – A more dangerous form of phishing where, instead of mass mailing a generic email, the attacker researches a specific target and tailors the attack against that individual. The more information the attacker is able to gather on the target, the more convincing the attack will appear. 

Phishing email attacks are a problem for businesses in every corporate vertical, yet the problem poses a greater threat to healthcare organizations. Why? Complete medical records on the black market are worth ten times more than what stolen credit card numbers can go for. That means that the size of a security breach doesn’t have to be large to bring a substantial payoff for the criminals involved. 

What makes medical records so valuable? Medicare fraud. Health records can be used to file fraudulent medical claims that can run into tens of thousands of dollars. The information can also be used to open multiple credit card accounts, rather than the use of one stolen credit card number until that account is frozen or cancelled. 

In terms of the potential damage that these types of security breaches can cause, consider how just recently Partners Healthcare announced that hackers may have accessed medical and personal information - including Social Security numbers of about 3,300 of their patients. It appears that the breach happened after some Partners employees responded to phishing emails, which then provided hackers with unauthorized access to the employees’ email accounts. 

We are also now very familiar with reports of the massive Anthem data breach, in which almost 80 million records were compromised. It appears that the Anthem attackers created a bogus domain name, "", (based on WellPoint, the former name of Anthem) that was likely used in phishing attacks. By targeting Anthem employees with phishing emails and luring them to the fake sites, attackers created a brazen opportunity for themselves to collect user logins and passwords, and eventually access the insurer's systems. 

As evident by these two cases, it unfortunately doesn’t matter what technical security controls are in place if employees still fall victim to phishing attacks. To help improve security posture, healthcare organizations of all sizes should have a continuous cycle of internal training and testing in place. Specifically, a “phishing” segment needs to be incorporated into organizations’ HIPAA security training – which should be provided more than once a year – so employees know how to identify and deal with a phishing email when they receive one. 

Additionally, regularly testing employees will reinforce security training, and can be conducted by internal security and audit personnel, or performed by an experienced third party. This kind of testing generally involves sending a mock-phishing email directly to employees to see how they’re likely to respond to a legitimate threat. It’s not out of the norm for the majority of employees to react to the test email by performing an action that would likely lead them to download a virus or provide their user credentials, so healthcare security personnel should consider these results when evaluating their organization’s information security program.

If you have any questions regarding your information security program, please contact Michael E. Kanarellis, Principal, at 617-428-5408 or