This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here.

In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats healthcare organizations are facing. Email phishing is an attempt to trick an individual into responding to an email with personal information, commonly account credentials.

Many associate phishing emails with the notorious Nigerian prince scams. But phishing email scams have evolved to mimic legitimate sources – such as a co-worker, friend or a boss – and often include a link to what appears to be a legitimate website. After the phishing victim clicks on the link, they are brought to a website designed to look authentic and are prompted to enter their email credentials. Many spoofed websites and emails will be one letter off from the legitimate source, such as Concast.com or Comcas1.com instead of Comcast.com. Phishing emails may also send a document that, when clicked, downloads malware onto the recipient's workstation. These phishing attacks are known as malware dropper attacks. In either scenario, the objective is largely to gain access to the recipient's email account and wreak additional havoc by downloading the entire content of the mailbox, sending fake invoice payment instructions that result in clients sending funds to the hacker's bank account, and sending additional phishing emails (which are now coming from within the organization from a legitimate email account) to continue the compromise of the organization's information.

There are an increasing number of technological solutions to help block phishing emails, such as those that identify emails that contain links to known spoofed websites, use certain key words or have other identifiable phishing characteristics. For almost no cost, organizations can place a banner on emails originating from outside the organization, alerting the recipient that it is not an internal email and to be cautious when clicking on any links or downloading any documents. However, no solution can guarantee protection. Many users develop "banner blindness" after seeing the banner displayed routinely, becoming numb to its intended affect. Additionally, once an attacker gains access to one employee's email account and begins using the account to send emails, the banners no longer appear.

Larger organizations may choose to avail themselves of additional technological protections, including blocking connections to their network and/or email accounts from specified IP addresses (known as "blacklisting") that are associated with prior phishing or hacking attempts, or those IP addresses that geolocate to countries known for hacking, such as Nigeria. Organizations may consider a commonsense approach to blacklisting by identifying from which country or countries their employees access their network and blocking the remainder. With prior notice, exemptions can be made for employees traveling outside the normal territory if access to the network or email account is necessary during travel. It is important that organizations have a system in place to remove the exemption as soon as it is no longer required.

Smaller healthcare organizations can leverage third-party email providers' configuration components and capabilities to help secure their email infrastructure. For example, small healthcare organizations should ensure that basic spam and antivirus software is installed and, importantly, up to date. Spam and antivirus software companies regularly push updates out to address new and evolving threats.

Whatever the organization's size, there are two easy-to-implement, low- or no-cost solutions that dramatically decrease the risk of a phishing email resulting in a compromised email account: strong password policies and the implementation of multifactor authentication. Strong password policies and requirements – which include setting a minimum length for passwords and requiring the use of specific characters, prohibiting reuse of old passwords, and forcing frequent password resets – also lend themselves to protecting employees' email accounts. The HHS report cites the 2017 Verizon Data Breach Report that stated weak or stolen passwords were responsible for 80 percent of email hacking incidents. Multifactor authentication is currently the gold standard in protecting against unauthorized access to email accounts. Multifactor authentication verifies a user's identity using more than one credential type. For example, in addition to a user's password, the person may need to enter another one-time use security code delivered to a mobile phone each time they sign into their account. Because the hackers do not have access to the user's cellphone, even if they obtain the credentials to the email account they will not be able to sign in.

The best line of defense against phishing for small, medium or large organizations is the human defense: an organization's employees. Educating your workforce with the tools to identify phishing emails, via regular HIPAA compliance education and/or phishing simulations, is vitally important to thwarting phishing attacks and saving an organization from what could be exorbitant expenses for forensic fees, potential regulatory fines, attorneys' fees, and the costs associated with patient or employee turnover due to reputational harm that could result after notifying patients and/or workforce members that their health or personal information may have been accessed by a hacker. At the very least, healthcare organizations of all sizes need to ensure all workforce members are receiving training on phishing emails in their annual training. Additionally, organizations should reinforce good email practices throughout the year. Conducting phishing simulations helps employees recognize phishing emails, while also alerting the organization to individuals who may be more susceptible to phishing emails so that greater education, monitoring or access controls can be put in place for those users. Many vendors provide organizations with tools and programs to help organizations conduct these simulations.

The HHS report provides good content for workforce training materials by recommending that users ask themselves the following questions before clicking on a link within an email or downloading any attachment, whether it is from an outside or inside source:

  • Do you know the sender?
  • Are there any spelling or grammatical errors in the body of the email?
  • Did you hover over a link to see the URL destination, ensuring it does not mask a malicious site?
  • Is the "from" address a legitimate email address, without misspellings?
  • Is this email too good to be true?

Additionally, users should ask themselves if they were expecting to receive a document or link from this user. To confirm, users should call the sender – not email – to confirm whether an email is legitimate, since unauthorized actors often remain in the email box, responding affirmatively to questions of legitimacy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.