Iowa-based UnityPoint Health has disclosed that it was the victim of a phishing attack that put the sensitive information of 1.4 million patients at risk, according to local news outlet KCCI.
According to the public notice on the incident, UnityPoint Health received a series of phishing emails crafted to look as if they came from one of the company’s trusted executives, and some employees were tricked into clicking. Those who fell victim shared their log-in credentials, giving the attackers access to their internal email accounts between 14 March 2018 and 3 April 2018.
“Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients. While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported at this time,” the notice stated.
The healthcare sector has long been a target of attack, which is why healthcare cybersecurity expert Leon Lerman, CEO of Cynerio, warned, “Healthcare organizations need to be on high alert for these types of phishing attacks like the one that targeted employees of UnityPoint Health. Perhaps they think it won’t happen to them and that the cyber-criminals will go after very large organizations, so they don’t really take action to protect themselves.”
Regardless of size, healthcare organizations deal with very sensitive data, which is why they are repeatedly targeted. “Hackers also take into account that smaller organizations typically have less protections and are easier to hack,” Lerman said.
Security awareness training teaches users not to click links or open attachments in unknown or suspicious emails, yet when a message appears to come from a senior executive, employees still take the bait. For criminals, this tactic is “low-cost, easily deployed, easily targeted, and preys on the human capacity to suspend criticism in favor of a quick boost to our serotonin,” said Josh Mayfield, director of solutions marketing at Absolute.
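The impersonation tactic described above, a From header dressed up as a trusted executive, leaves traces in the message headers that a mail-flow rule or triage script can check before a user ever sees the message. The Python below is an added example, not code from UnityPoint Health or from any of the vendors quoted on this page. It checks four indicators: a display name that matches an executive in a hypothetical directory while the address does not, a sender domain that is a close lookalike of the internal domain, a Reply-To that points somewhere other than the From address, and a message that claims the internal domain while the receiving server’s Authentication-Results header reports an SPF, DKIM or DMARC failure. The domain example-health.org, the executive directory and the sample messages are all constructed for the example.

```python
"""Executive-impersonation indicators from raw email headers (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the organization's own mail domain (hypothetical).
INTERNAL_DOMAIN = "example-health.org"

# Hypothetical executive directory: display name -> legitimate internal address.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example-health.org",
    "Raj Patel": "raj.patel@example-health.org",
}


def _normalize(name):
    """Lower-case, drop commas and sort tokens so 'Doe, Jane' and 'Jane Doe' compare equal."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


def _levenshtein(a, b):
    """Plain edit distance, used to catch lookalike domains such as a swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message):
    """Return the list of impersonation indicators found in the message headers.

    An empty list means no indicator fired; it does not prove the message is safe.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    domain = _domain(from_addr)
    reasons = []

    # 1. Display name of a known executive, but not that executive's address.
    directory = {_normalize(k): v for k, v in EXECUTIVES.items()}
    expected = directory.get(_normalize(from_name))
    if expected and from_addr != expected:
        reasons.append("display name matches an executive but address is %s" % from_addr)

    # 2. Sender domain within two edits of the internal domain (lookalike).
    if domain and domain != INTERNAL_DOMAIN and _levenshtein(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append("sender domain %s is a lookalike of %s" % (domain, INTERNAL_DOMAIN))

    # 3. Replies would go somewhere other than the apparent sender.
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if reply_to and any(a != from_addr for a in reply_to):
        reasons.append("Reply-To (%s) differs from From" % ", ".join(reply_to))

    # 4. Claims our own domain but the receiving MTA recorded an authentication failure.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and any(t in auth for t in ("spf=fail", "dkim=fail", "dmarc=fail")):
        reasons.append("claims the internal domain but sender authentication failed")

    return reasons


# Constructed sample messages; none of these is real mail from any organization.
LEGIT = """From: Jane Doe <jane.doe@example-health.org>
To: staff@example-health.org
Authentication-Results: mx.example-health.org; spf=pass dkim=pass dmarc=pass
Subject: Q2 operations report

Attached as usual.
"""

SPOOFED_DISPLAY_NAME = """From: Jane Doe <jane.doe.ceo@mail.example.net>
Reply-To: secure-docs@mail.example.net
To: staff@example-health.org
Subject: Urgent: review this document

Please log in to review the attached report today.
"""

LOOKALIKE_DOMAIN = """From: Raj Patel <raj.patel@example-heaIth.org>
To: staff@example-health.org
Authentication-Results: mx.example-health.org; spf=none dkim=none dmarc=none
Subject: Updated payroll file

See attached.
"""

EXACT_SPOOF_AUTH_FAIL = """From: Jane Doe <jane.doe@example-health.org>
To: staff@example-health.org
Authentication-Results: mx.example-health.org; spf=fail (sender IP not permitted) dkim=none dmarc=fail
Subject: Password reset required

Sign in here to keep your account active.
"""


def triage(samples):
    """Map each sample label to its indicator list, for a quick report."""
    return {label: analyze_headers(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    report = triage({
        "legit": LEGIT,
        "spoofed display name": SPOOFED_DISPLAY_NAME,
        "lookalike domain": LOOKALIKE_DOMAIN,
        "exact spoof, auth fail": EXACT_SPOOF_AUTH_FAIL,
    })
    for label, reasons in report.items():
        print("%-24s %s" % (label, reasons or "no indicators"))
```

The legitimate report triggers nothing; each of the three constructed phishing variants trips at least one indicator. In a mail gateway the same checks would be expressed as transport rules (quarantine or tag external mail whose display name matches a VIP list), and the authentication check depends on the receiving server actually enforcing SPF, DKIM and DMARC on the organization’s own domain, which is a configuration item worth verifying separately.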
To defend against these attacks, organizations can adopt a framework that aligns people, processes, and technology. “In the world of healthcare, this takes the form of HITRUST or its parent, the NIST Cybersecurity Framework,” Mayfield said.
“Placing attention on the resilience of people, processes, and technology can help avoid many of the tragedies that make headlines or awaken alarms at the OCR. A marginal improvement in cyber hygiene will enhance your resilience and lower the probability of malicious attacks. There is no such thing as zero risk. We live in a world of oscillating probabilities. Those probabilities can be affected by human agents conspiring to bring robust cyber defense through persistent cyber hygiene.”