Healthcare News & Insights

Don’t get phished: 3 email security lessons for healthcare companies

Why do healthcare companies continue to get phished? Because it’s profitable.

With a clever email or two, digital thieves can steal protected health information worth up to $1,000 per record on the dark web. Electronic health records are miniature gold mines, containing personal and health details, Social Security numbers and credit card numbers all in one place. In this guest post, Hoala Greevy, the founder and CEO of a company that provides HIPAA-compliant email services, identifies mistakes healthcare facility employees continue to make that leave them vulnerable to phishing emails.


While spam filters and antivirus programs do catch many phishing attacks, they’re nowhere near foolproof. The sheer volume of emails sent and received by most organizations means some slip past these first-line protections. Plus, phishers are constantly trying new tactics, playing a cat-and-mouse game with software defenses.

When phishing attacks do make it into inboxes, unaware users often open the door the rest of the way. Something as simple as a familiar link with the wrong domain can trick busy employees. Earlier this year, MediaPro reported that 78% of healthcare workers lack some degree of data privacy and security preparedness. Believe it or not, the study found doctors are three times worse at identifying phishing attacks than their non-physician peers.

Theft of medical records is so common that, if it continues at its current rate, everyone’s healthcare data could be compromised by the year 2024. The problem is that employees are rarely as good at spotting phishing attacks as they think they are, and even the best anti-hacking measures can’t overcome human error.

Don’t take the bait

Securing healthcare data has always been a priority, but it’s become much more of one over the past few years. In addition to the infamous WannaCry attack that crippled healthcare services around the world, 2017 also saw a spate of malware attacks aimed at providers.

Despite the increase in the frequency and visibility of attacks, healthcare providers continue to make the following mistakes that leave them vulnerable to phishing emails:

  1. Assuming phishing is obvious – Overconfidence is the biggest reason phishing attacks work. People often think “phishy” emails only come from Nigerian princes and are rife with spelling and grammatical errors. But hackers can make phishing emails look like they legitimately come from recognized authorities. UC Davis’ health data was breached in 2017 by a hacker who impersonated an employee to gain access through an email phishing scheme.
    Fight overconfidence by educating employees on phishing tactics. Legitimate-looking display name spoofs (like the one used in the UC Davis attack) make up about 91% of phishing attacks. To keep tactics top of mind, host in-person or online training sessions for team members, preferably every month or quarter.
  2. Thinking your antivirus will save you – Even employees who know that phishing emails aren’t always obvious might trust their antivirus program to protect them. The truth is no antivirus program is bulletproof. For instance, some of the best solutions can detect ransomware signatures as often as every 60 seconds. Yet some malware can morph every 15 seconds, making it invisible to the software.
    While antivirus programs can provide some protection, they’re no substitute for vigilant team members. Host phishing competitions to determine who needs to pay more attention. In addition to protecting the company, these exercises can be great team-building opportunities. Arthur Ream, chief information security officer at Cambridge Health Alliance, even offers a “steak dinner bounty” to any staff member who can trick him into clicking on a phishing link.
  3. Using macros in emails to save time – Finding a way into a healthcare organization’s patient database doesn’t always mean tricking a team member into opening an emailed link. Hackers can also gain access through tools employees often use to save time, such as macros. A macro is a series of commands grouped into a single command to streamline repetitive tasks, most commonly in Microsoft Office documents. Hackers can hide malicious tasks within those commands, and they execute when the recipient opens the attached document.
    While it’s difficult to pinpoint every phishing technique, macro exploits are well known. PowerWare, which Carbon Black discovered in 2016, mimicked invoice emails and asked users to enable macros to view them. Then, in 2017, Barkly discovered a similar macro exploit being used by a variant of Ursnif, one of the most notorious Trojans to hit the banking industry. The simplest and most effective solution is to disable macros when sending or accepting email attachments.
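The two lures lesson 1 describes, a spoofed display name and a familiar-looking link that points at the wrong domain, can be flagged automatically before a message reaches a busy inbox. The following is an added Python example, not code from the article or from Paubox; the organisation name, domains and sample message it uses are constructed.

```python
# Added example (not from the article): flag a spoofed display name and a look-alike link.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory: trusted display name -> domain it should send from (hypothetical org).
TRUSTED_SENDERS = {"example health it": "example-health.org"}

def registered_domain(host):
    """Crude eTLD+1: 'mail.example-health.org' -> 'example-health.org'."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def display_name_spoof(from_header):
    """Return a reason if the From: display name claims an identity the
    address domain does not back up, else None."""
    name, addr = parseaddr(from_header)
    actual = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Lure A: an address typed into the display name that differs from the real one.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and registered_domain(embedded.group().split("@")[1]) != actual:
        return f"display name shows {embedded.group()} but sender is {addr}"
    # Lure B: a known organisation name paired with an unexpected domain.
    expected = TRUSTED_SENDERS.get(name.strip().lower())
    if expected and expected != actual:
        return f"'{name}' should send from {expected}, not {actual}"
    return None

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from anchors in an HTML body."""
    def __init__(self):
        super().__init__(); self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip())); self._href = None

def mismatched_links(html):
    """Return (shown_text, href) pairs where the visible text names one domain
    but the link points somewhere else."""
    parser = _Links(); parser.feed(html); bad = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if shown and registered_domain(shown.group(1)) != registered_domain(urlparse(href).hostname):
            bad.append((text, href))
    return bad
```

Run both checks on every inbound message and route anything flagged to quarantine or add a visible banner; a match is a strong signal, but a clean result does not mean the message is safe.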

Phishing attacks might be the single biggest IT threat facing today’s healthcare industry. Like most human health conditions, however, they can be prevented through a combination of vaccination via antivirus software, a no-macro diet and regular staff phishing exercises. To hackers, team members on the front lines might seem like the most vulnerable targets. But with proper training and awareness, they can become a healthcare organization’s best line of defense against phishing.

Hoala Greevy is the founder and CEO of Paubox, a provider of HIPAA-compliant email services. Paubox’s end-to-end email encryption works on any device without requiring additional apps, plugins, or logins.


