Healthcare cybersecurity expert, True North ITG Co-Founder and CEO Matt Murren unpacks a common security threat his clients face: email phishing. In this post, he shares real-world examples of email phishing attempts and what your organization can do to prevent a similar security breach.

Due to the large amount of valuable data healthcare organizations handle, healthcare was the most-targeted industry for cyber-crime in 2020. Cyber threats place financial and operational burdens on healthcare leaders, and are only increasing in prevalence and financial impact. Since the sheer breadth of potential cyber-attack vulnerabilities healthcare organizations face can be overwhelming, we asked our cybersecurity partner True North ITG’s Co-Founder and CEO Matt Murren to shed light on actual security incidents his clients encounter. In this post, Matt shares how he helps healthcare organizations ranging from large health systems to small clinics prepare for and prevent one of the most common threats he sees in the field: email phishing.

What is Email Phishing?

Email phishing is an email that looks legitimate, but is not, and asks for sensitive information such as a credit card number, password, or social security number. Phishing emails have advanced well beyond the typo-laden messages you may be familiar with (think emails from Nigerian princes asking you to wire exorbitant sums). Today, attackers are sophisticated and prey upon your team’s natural desire to please co-workers, patients, and vendors, and their sense of urgency around working efficiently. These faux emails appear to come from a credible source (e.g. a superior or a legitimate company you work with) but actually contain malicious links designed to harvest credentials or data.

What is an example of an Email Phishing Attempt?

This is an actual successful email phishing attempt one of Matt’s clients experienced:

The Email Phishing Attack

The Chief Financial Officer of a healthcare organization received a legitimate-looking password reset email from Microsoft Office 365. When the CFO clicked the password reset link, a pop-up appeared with her email address pre-entered. Thinking it was legitimate, the CFO entered her current password and the pop-up simply disappeared. Nothing happened in the moment, yet behind the scenes the attackers now had her password and could sign in to her email account.

The Organizational Consequences

It wasn’t until six weeks later that the consequences of this security breach became apparent. First, the CFO noticed that the email volume from the finance team was lower than normal. Upon digging into why, they realized that, using the CFO’s email password obtained through phishing, the attackers had set up an inbox rule that moved all Accounts Receivable discussions into a subfolder they monitored. They were then able to send an email, using copy-and-pasted language from actual past emails the CFO had sent to the company’s controller, to manipulate the organization’s payment processes.

Through an investigation, they found a malicious email sent by the hackers directly from the actual CFO’s email address to their controller with language that was familiar to the controller. The email contained a copy of a vendor invoice for $850,000 indicating that one of their normal vendors needed to change ACH information. The email said something along the lines of “Please get this ACH information updated and this invoice paid.”

Eager to please the CFO, the controller changed the ACH information and the money was sent to a false account. After further digging, it was discovered that over the past six weeks the hackers had successfully followed the same process to reroute another $25,000 vendor payment and another $100,000 vendor payment.

In this example, the attackers leveraged a sophisticated email phishing scam and the CFO’s actual email account to get to know and exploit the company’s normal processes and payments without raising any red flags.

What precautions can my team put in place to prevent an email phishing attack like this?

It’s true that email phishing attempts are increasingly difficult to discern, but it’s also true that common-sense policies and simple technology solutions can go a long way toward protecting your organization.

People and Policy Prevention Tips

1. Raise Awareness of Common Email Phishing Scenarios

One of the simplest email phishing prevention methods is instilling a healthy sense of paranoia among your team. It helps to make your team aware of common email phishing tactics. These are the most common email phishing strategies Matt sees in the field:

  • False Payroll Links: Emails appearing to be from ADP and other reputable payroll companies asking you to update your deposit information and provide personal information to view your paystub.

  • Fake Job Interview Invitations: “LinkedIn” emails with job offers that may begin as a harmless recruiting message and lead to a malicious link asking you to share your social security number or pay to apply for a job.

  • Emails from a “Boss” Asking for a Favor: This tactic preys on urgency and people-pleasing tendencies. Often these false messages are sent on a Friday afternoon or when the attackers have learned that the boss is out of town.

Pro Tip: Avoid Executive Auto Responders: To reduce potential email phishing vulnerabilities, advise your admin team not to reveal when leaders are out of the office, and avoid using automatic email responders for executives that may reveal they are unavailable.

Emails with false requests for favors commonly ask an employee to make a purchase or provide sensitive information. Some attempts leverage information found on social media. For example, one attacker sent a message, purportedly from the CEO, to the CFO saying, “Can you take care of this wire transfer? I would, but I’m running out to take my son to a soccer game.” This attempt was based on information the attacker had gleaned from social media: the CEO had posted that she was, in fact, taking her son to soccer.

2. Encourage your Staff to Scrutinize Originating Email Addresses, Links, and Sender Information

Part of instilling a healthy sense of paranoia is training team members on email phishing indicators. Below are ways to spot common email phishing red flags:

  • Look at the sender’s email address and display name: is it the legitimate sender address? Do you have it saved in your system? If it looks “fishy,” it probably is phishing.

  • If the questionable message is an email from LinkedIn, look the “sender” up on LinkedIn first to determine if they are a legitimate person.

  • Hover over links in emails before clicking to determine whether the destination URL matches the sender’s domain. If it does not, advise your staff not to click the link.
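An added example, not from the original post or True North ITG, that automates the three checks above on a constructed sample message: it compares the sender's domain with the domain the message claims to be from, checks whether each link's destination host belongs to the sender's domain, and flags link text that shows one address while the href points to another. The sample email, its addresses and the expected-domain parameter are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The display name and
# the visible link text both say "Microsoft"; the real sender and href do not.
SAMPLE = """From: "Microsoft Office 365" <reset@office365-alerts.example.net>
To: cfo@example.org
Subject: Action required: password reset
Content-Type: text/html

<p>Your password expires today. Reset it here:
<a href="http://login.example-bad.net/reset">https://login.microsoftonline.com/reset</a></p>
"""

# Good enough for simple HTML bodies; a production filter would use a real parser.
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Hostname of a URL, lower-cased; empty string if there is none."""
    return (urlparse(url.strip()).hostname or "").lower()

def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_message(raw_message, expected_domain):
    """Apply the three checks from tip 2: does the sender's domain match the
    organisation it claims to be, do link destinations belong to the sender's
    domain, and does visible link text agree with the real destination?
    Returns a list of red-flag descriptions (empty means nothing suspicious)."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    flags = []
    if not same_org(sender_domain, expected_domain):
        flags.append(f"sender domain {sender_domain} is not {expected_domain}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        target = host_of(href)
        if not same_org(target, sender_domain):
            flags.append(f"link to {target} does not match sender domain {sender_domain}")
        # The "hover" check: the text shown to the user vs. where the link really goes.
        shown = host_of(text) if text.strip().lower().startswith("http") else ""
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    return flags
```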

3. Adopt a “Zero Trust” Model

It sounds extreme, but questioning and double-checking every request for private information or significant financial transaction is a surefire way to protect your organization from fraud. A best practice is to require that all ACH information change requests come through on company letterhead and to verify every ACH information change with the requesting party by phone.

4. Develop an Authority Matrix

Your organization may consider developing a “double-check” verification protocol for all transfers and payments over a certain amount and for all ACH information changes. As part of your money transfer and payment process, define the specific transfer amounts each team member can approve and assign a backup verifier, so that every transfer is approved through a multi-step call-back verification process.

Security and Technology Prevention Tips

In addition to training and educating your staff and putting company policies and processes in place to protect your organization from email phishing, check in with your technology vendors and IT team to ensure they are utilizing these best practices to protect your organization:

1. Multifactor Authentication

Basic multifactor authentication would have stopped the fraud scheme described earlier in this post, in which the CFO’s email account was taken over. With multifactor authentication, the CFO would have received a text message asking her to verify whether the second login to her account was legitimate. It may also have stopped the attacker from accessing the account at all if the login required a verification code that only the CFO received via text message.

2. Geo-IP Filtering/Geo-Blocking

Matt recommends that all of his clients set up geo-IP filtering software to block access from all IP addresses outside of the US. For example, if the attacker in the example earlier lived in Russia, they would not have been able to get back into the network and email system because their IP address would have been blocked. Geo-IP filtering can be set up down to the zip code level, depending on your organization’s specific security needs.

3. Data Recovery and Business Continuity Plan

The most important thing you can do to mitigate the impact of a cybersecurity breach of any kind is to ensure you have a plan to recover your patient data and keep your facility operating in the event of a data breach. Matt suggests taking daily snapshots of the data in your core systems, such as your patient portal, web servers, and EHRs, and storing the backups offsite. It is crucial not to store your backups on the same network that could be attacked. The best backup storage solution is one that is not accessible by end users; this prevents your backup data from being encrypted or infected along with your production systems. An off-the-radar data backup enables easy data recovery, so patient care and normal operations (and thus revenue flow) are not interrupted.

4. Endpoint Detection and Response (EDR) + Security Operations Center (SOC)

Matt recommends implementing a robust EDR/SOC solution to monitor for any odd access to your organization’s core systems. Think ADT security for your house, but for your data. These solutions employ real people who look into unusual patterns of access to systems like your EMR or Citrix: an actual human reviews any anomalies that are flagged (e.g. someone accessing data from another country, or two IP addresses logging into the same account at the same time). Monitoring solutions like these help prevent, detect, analyze, and respond to security incidents of all kinds.
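An added example, not part of the original post or True North’s tooling, showing two anomalies a SOC analyst would want flagged in this story: a newly created inbox rule that hides finance-related mail (as in the CFO’s case) and one account signing in from two IP addresses within minutes. The audit events, field names and thresholds are constructed assumptions, not any product’s real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, not real logs or any product's format. The CFO's
# third event is the diverting rule from the story; the staff rule is benign.
EVENTS = [
    {"user": "cfo@example.org", "time": "2021-03-01T09:02:00",
     "ip": "203.0.113.7", "action": "UserLoggedIn"},
    {"user": "cfo@example.org", "time": "2021-03-01T09:03:30",
     "ip": "198.51.100.42", "action": "UserLoggedIn"},
    {"user": "cfo@example.org", "time": "2021-03-01T09:05:10",
     "ip": "198.51.100.42", "action": "New-InboxRule",
     "rule": {"subject_contains": ["invoice", "ACH", "accounts receivable"],
              "move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"user": "staff@example.org", "time": "2021-03-01T10:00:00",
     "ip": "203.0.113.9", "action": "New-InboxRule",
     "rule": {"subject_contains": ["newsletter"],
              "move_to_folder": "Newsletters", "mark_as_read": False}},
]

FINANCE_TERMS = {"invoice", "ach", "wire", "payment", "remittance", "accounts receivable"}

def suspicious_rules(events):
    """Flag new inbox rules that match finance keywords AND hide the mail
    (move it out of the Inbox or mark it read). Returns (user, time, folder)."""
    hits = []
    for e in events:
        if e["action"] != "New-InboxRule":
            continue
        rule = e["rule"]
        terms = {t.lower() for t in rule.get("subject_contains", [])}
        hides = rule.get("move_to_folder") not in (None, "Inbox") or rule.get("mark_as_read")
        if terms & FINANCE_TERMS and hides:
            hits.append((e["user"], e["time"], rule.get("move_to_folder")))
    return hits

def concurrent_logins(events, window_minutes=10):
    """Flag one account signing in from two different IPs within the window,
    the 'two IP addresses on the same account' pattern the text mentions."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "UserLoggedIn":
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["ip"]))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 != ip2 and t2 - t1 <= timedelta(minutes=window_minutes):
                hits.append((user, ip1, ip2))
    return hits
```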

Bottom Line:

Email phishing is one of the most common cybersecurity threats our cybersecurity partner True North ITG sees in the field. The key to staying ahead of these threats is combining training, education, policy, and technology solutions to protect your organization, prevent cybersecurity incidents, and mitigate the impact of any incidents that occur. A little awareness and a proactive approach can make all the difference to protect patient and employee data and reduce risk for your healthcare organization.

About True North ITG

True North ITG is a Healthcare IT and Cloud Service Provider that helps business stakeholders improve their bottom line. True North’s Consulting, Cloud Hosting, and IT solutions help healthcare businesses navigate technology challenges to reach full IT maturity and gain a competitive advantage through agile, efficient, cost effective, and secure technology solutions. Learn more at: https://www.True