By Jane Ehrhardt
“An entire national hospital network had to go back to operating on paper, and they say it all came back to someone clicking on a link in a phishing email,” said Preston Brown, director of IT services at Simplified Medical Management.
That national group was Ascension Healthcare, the parent organization of Birmingham’s two St. Vincent’s hospitals. On May 8, they were hit with ransom malware. It took over a month to restore access to their electronic health records (EHR) to all of their facilities across 15 states, all because of the old-school hacking method of email phishing.
“It just takes one click and, boom, you get access to 10 million identities,” Brown said. “That’s a good day’s work.” That payoff is what keeps phishing a viable effort for hackers. Of the 739 data breaches in healthcare reported last year to U.S. Health and Human Services, 18 percent originated from emails, making it the second most utilized route for infiltrating healthcare entities.
Phishing starts with a link or attachment in a valid-looking email. Clicking on that installs the virus that opens a way in for the hackers. “If the phishing link sends you to a login box, what you enter is really going to the hacker, and they start using those credentials to penetrate your network,” Brown said.
At this point, any healthcare entities with multifactor authentication (MFA) are already safer. MFA requires additional pieces of information from the user beyond a password before allowing access, which could include a fingerprint, facial recognition, or a code sent to a different device, such as a fob or a smart phone.
A texted code used to be considered one of the safest options. The code creates a unique token of information to authenticate the user which then allows them entry, and only the user would have access to the texts. But hackers have become more savvy about intercepting texts.
“Microsoft doesn’t even allow text messaging to get that code anymore,” Brown said. “You have to download their authenticator app, and the code comes from that app.”
Instead of a text, the user receives a push notification from the authenticator, generally asking to click “yes” if it’s the user, which allows them entry. Or they may need to scan a QR code. What the app then produces is a time-based, one-time password to allow entry that has a very short time of viability, usually around ten to thirty seconds, making it much harder for hackers to grab that token than the much longer-lived tokens generated via texted codes, which might stay viable for the life of the user’s password.
More and more applications now require the use of their own authenticator apps as part of their MFA protocol. And MFA itself is becoming mandatory. Microsoft no longer allows users to opt out of multifactor authentication.
Cloud storage, online banking, and password managers all use authenticators now. “Some EHRs still allow text as part of their MFA, but more than half have swapped over to an authentication app,” Brown said. “The hit on Ascension St. Vincent’s has jolted area healthcare entities to rethink their own security choices. Customers who were on the fence about activating their MFA because of the extra steps involved saw St. Vincent’s come to a screeching halt. Now they’re telling us that they want to get the MFA turned on.”
But thwarting email phishing attacks requires vigilance more than software. Checking an email for a few signs of deception can expose many malicious attempts; poor grammar or odd phrasing, especially from a familiar sender, is one such sign.
“If you’re in doubt about a request, a link, or attachment, reach out to them to verify,” Brown said. “But first, look at every email address. It can be blatantly obvious. The display name may be right, may even be someone you know, but the email address is a string of random letters. Verify that the actual email address matches the sender’s name and the sender’s company. Almost all the phishing emails we get are from Gmail addresses.”
Calling a phone number taken from the email itself may not confirm authenticity, because that number may lead only to the hacker, who may also have set up the website it points to. “Google the business and call the main number on that site,” Brown said. “If the first six numbers of the phone number on the website do not match what’s in the email, take note of that.
“Beware of a sense of urgency to any email, as well. Or those using the name of someone in authority within the company as a way to add hesitancy to question their request. And before clicking on any link, even from someone known, hover over the link and the real URL will show up. If it doesn’t make sense or is a shortened URL, send the email to your IT department to review. They will thank you.”
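The checks Brown lists (display name versus actual address, business mail arriving from a free webmail domain, urgency language, the real URL behind a link, shortened URLs) can be applied mechanically before a message ever reaches a user's inbox. The script below is an added example written for this article, not a tool the article or Simplified Medical Management describes; it triages a raw email with the Python standard library only. The sample message, the trusted domain `clinic.example`, the free-mail and shortener domain lists, and the urgency phrases are all constructed here for illustration.

```python
"""Triage a raw e-mail for the phishing tells discussed in the article."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for the example; a real deployment would maintain its own.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "right away")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the visible text is what the user
    sees, the href is what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    text = url_like.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def triage(raw_message: str, trusted_domains: set, known_names: list) -> list:
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if name and domain in FREEMAIL_DOMAINS:
        findings.append(f"display name '{name}' but free-mail address {addr}")
    if any(n.lower() in name.lower() for n in known_names) and domain not in trusted_domains:
        findings.append(f"known name '{name}' sent from untrusted domain {domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(p in text.lower() for p in URGENCY_PHRASES):
        findings.append("urgency language in body")

    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        real = host_of(href)
        if real in SHORTENER_DOMAINS:
            findings.append(f"shortened URL {href}")
        shown = host_of(visible) if "." in visible else ""
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample: a familiar name on a random Gmail address, urgency wording,
# and a link whose visible text is the clinic's EHR but whose target is a shortener.
SAMPLE_PHISH = """\
From: Alice Example <xq7zkd19@gmail.com>
To: staff@clinic.example
Subject: Password reset required immediately
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your EHR password expires today. Log in immediately to keep access:</p>
<p><a href="http://bit.ly/not-a-real-link">https://ehr.clinic.example/login</a></p>
</body></html>
"""

SAMPLE_CLEAN = """\
From: Alice Example <alice@clinic.example>
To: staff@clinic.example
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Agenda attached as discussed. See you Thursday.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH, {"clinic.example"}, ["Alice Example"]):
        print("-", finding)
    print("clean message findings:", triage(SAMPLE_CLEAN, {"clinic.example"}, ["Alice Example"]))
```

On the constructed phishing sample every check fires (five findings), while the clean internal message produces none. The hostname comparison reproduces the "hover over the link" advice: the user sees `ehr.clinic.example`, the browser would go to `bit.ly`.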