The healthcare sector has long been one of the favourite targets for cyber criminals thanks to the large amounts of private data held by organisations. Patient records are a useful source of personally identifiable information (PII), such as names, addresses and birth dates, which can be used to launch more effective targeted cyber-attacks on individuals.
Deceptive emails are the weapon of choice for criminals angling for this data, with attackers most often impersonating a trusted contact to trick the victim into sharing confidential information. The most recent example of this highly successful tactic came in early January, when a healthcare organisation in Florida had more than 30,000 patient records stolen when a fraudster tricked an employee out of their database password. Our research has found that the healthcare sector is targeted by more deceptive email than any other sector, with 92 per cent of all email domains used by healthcare organisations carrying fraudulent emails.
Why deceptive emails slip past defences
While the deceptive email strategy has been around for years, the threat has become more visible in recent months as attackers have both refined their targeting and increased the number of attempts. One of the reasons these deceptive emails have continued to be so effective is that they are designed to evade the email security systems most organisations have in place, and few of these solutions have adapted to catch them.
Traditional email solutions work by signature-based detection, looking for malicious attachments or blacklisted keywords that indicate a suspicious email. This does not work for these attacks, nor does the traditional anti-spam approach of looking for anomalous spikes in volume from a given sender, or spikes of a particular email subject line. A well-crafted deceptive email will contain nothing to alert a standard email scan, and will be effectively indistinguishable from a legitimate message. After fooling the machine, fraudsters have a number of tricks for deceiving the human eye as well, such as setting the display name to match that of a trusted contact.
While tricking a healthcare organisation into giving access to its database may be the ultimate win for a fraudster, many also attack individual patients by impersonating the organisation itself using the same tactics. Of the 875m emails appearing to come from monitored healthcare organisations over the last six months, we found 56 per cent were actually malicious emails spoofing the domain. Criminals generally use this approach to trick targets into giving up personal information which can be used to fuel more targeted social engineering attacks, or simply sold on to other criminal groups.
The difficulty in distinguishing a well-made fake from the real thing, combined with the steady number of deceptive emails reaching the inboxes of employees and patients alike, means that it is impossible to rely on individuals to successfully spot the difference. In other words, technology must address this threat.
Keeping patient data safe
Healthcare organisations need to work to prevent malicious emails from reaching their employees’ inboxes in the first place. One of the most effective ways of preventing email spoofing is the free-to-use Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication standard.
DMARC uses two email authentication techniques, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), to verify whether a message genuinely has permission to use the domain shown in its From address. Domain owners can publish a policy telling receivers to reject emails that fail authentication outright, or to quarantine them. Organisations using DMARC can also receive reports when emails using their domain fail authentication, alerting them to ongoing attempts to impersonate them.
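The following is an added example, not code from the article or from Agari, showing how a receiving mail server turns a published DMARC record plus the SPF and DKIM results into a disposition. The record text, domain names and authentication results are constructed for the example; a real receiver fetches the record from the `_dmarc.<domain>` TXT entry via DNS, and determines the organisational domain with the Public Suffix List rather than the two-label approximation used here.

```python
"""Evaluate a DMARC policy against SPF/DKIM results (added illustration).

Assumptions (not from the article): the DMARC TXT record is passed in as a
string, and the organisational domain is approximated by the last two
labels of a hostname.
"""
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary with RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment mode
    tags.setdefault("p", "none")    # p is mandatory in a real record; default defensively
    return tags


def org_domain(domain: str) -> str:
    """Simplification: organisational domain = last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organisational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the policy action to apply ('none', 'quarantine', 'reject').

    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a passing DKIM signature, else None.
    """
    tags = parse_dmarc_record(record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
            aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass"
    # A subdomain in the From header falls under sp= when the owner published one.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy


# Constructed record for a fictional clinic: reject failures at the top level,
# quarantine failures from subdomains, strict DKIM alignment, relaxed SPF alignment.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example-clinic.example")

if __name__ == "__main__":
    # A spoof: From claims the clinic, but only the attacker's own domain passes SPF.
    print(dmarc_disposition(EXAMPLE_RECORD, "example-clinic.example",
                            "mailer.attacker.example", None))          # reject
    # Legitimate mail signed by the clinic's own DKIM key.
    print(dmarc_disposition(EXAMPLE_RECORD, "example-clinic.example",
                            None, "example-clinic.example"))            # pass
```

Run as a script the block prints the disposition for a spoofed and a genuine message; the functions can also be called directly, for instance to check what an organisation's published policy would actually do to a forged message before tightening `p=none` to `p=reject`.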
The NHS mandated the use of DMARC among other email security solutions in January 2017, with a review in July asserting that organisations needed to meet the secure standard as soon as possible. However, after examining 5,000 NHS email domains in November 2017, we found that just 1 per cent were currently using DMARC, and only five per cent of UK healthcare organisations had any DMARC policy in place.
However, although DMARC is a powerful tool for dealing with untargeted attacks such as large-scale phishing attacks, it only addresses around six per cent of targeted email attacks. Targeted email attacks differ from large-scale phishing attacks not only in the impersonation techniques the criminals use, but also in the content of the messages and the goals of the attackers. Targeted attacks are most commonly aimed at key employees, with the goal of having them share massive amounts of sensitive data. By being more convincing, they are also associated with significantly higher success rates for the criminals. While the number of targeted attacks is much smaller, each one can have a huge impact as they are far more effective. Since email spoofing is commonly not the impersonation approach of choice, DMARC is also not the most suitable countermeasure. Instead, organisations will need to take on an email security solution that is capable of detecting signs of deception, such as a mismatch between the sender name and the actual sender identity, in order to address this threat.
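As an added example of the display-name check described here and in the earlier passage on fooling the human eye (this is illustrative code, not Agari's product logic), the block below inspects a message's From header for the three inconsistencies a DMARC-passing deceptive email can still carry: a display name that matches a trusted contact but an address that does not, an address-shaped display name whose domain differs from the real address, and a Reply-To that diverts replies to another domain. The address book and the sample messages are constructed.

```python
"""Flag deceptive From headers that pass domain authentication (added example).

Assumptions (not from the article): TRUSTED_CONTACTS is a constructed
directory mapping the display names of known contacts to the addresses
they send from; the sample messages are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

# Constructed address book for a fictional clinic.
TRUSTED_CONTACTS: Dict[str, Set[str]] = {
    "alice brown": {"alice.brown@example-clinic.example"},
    "it helpdesk": {"helpdesk@example-clinic.example"},
}


def normalise_name(name: str) -> str:
    """Lower-case, strip accents and non-printable characters, collapse whitespace,
    so that 'Alicé  Brown' and 'alice brown' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed
                    if not unicodedata.combining(c) and c.isprintable())
    return " ".join(plain.lower().split())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_from_header(raw_message: str) -> Optional[str]:
    """Return None if the From header looks consistent, else a ';'-joined list of reasons."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    reasons: List[str] = []

    # 1. Display name of a trusted contact, but not one of that contact's known addresses.
    key = normalise_name(display)
    if key in TRUSTED_CONTACTS and address not in TRUSTED_CONTACTS[key]:
        reasons.append(f"display name '{display}' is a trusted contact but address is {address}")

    # 2. Display name written as an email address whose domain differs from the real one.
    if "@" in display and domain_of(display) != domain_of(address):
        reasons.append(f"display name shows domain {domain_of(display)} but address is {address}")

    # 3. Reply-To that sends answers to a different domain than the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(address):
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(address)}")

    return "; ".join(reasons) or None


# Constructed samples.
LEGIT = """From: Alice Brown <alice.brown@example-clinic.example>
To: records@example-clinic.example
Subject: Quarterly audit

The audit pack is on the shared drive.
"""

SPOOFED_NAME = """From: Alicé Brown <alice.brown@example-clinic-mail.example>
To: records@example-clinic.example
Subject: Urgent: database export

Please send me the export credentials today.
"""

SPOOFED_ADDRESS_IN_NAME = """From: "helpdesk@example-clinic.example" <support@free-mail.example>
Reply-To: support@free-mail.example
To: records@example-clinic.example
Subject: Password reset required

Reply with your current password to keep your account.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed name", SPOOFED_NAME),
                          ("spoofed address in name", SPOOFED_ADDRESS_IN_NAME)):
        print(f"{label}: {check_from_header(sample) or 'ok'}")
```

The check runs on headers only, so it can sit in a mail gateway after SPF, DKIM and DMARC have passed; the accent-folding in `normalise_name` matters because look-alike names are a common way to defeat an exact string comparison.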
Healthcare organisations must begin their email security journey now if they are to keep the private medical data they are entrusted with safe from criminals. While attackers are still able to freely impersonate healthcare domains with minimal effort, patients and employees alike are under threat from deceptive attacks that abuse their trust. This problem is urgent to address, as data that is leaked can never be unleaked, and healthcare providers have access to some of the most sensitive data there is.
By Markus Jakobsson, Chief Scientist at Agari