Electronic Health Reporter

By Usman Choudhary, general manager, VIPRE Security

Email remains a cornerstone communication tool for healthcare entities, yet the communication channel also presents formidable cybersecurity hurdles. The sensitive nature of patient data and the open nature of email renders it susceptible to data exposure and phishing attempts. Thus, as healthcare continues its technology maturation, the imperative to grasp the gravity of email security intensifies. Advanced email security solutions offer a potent means to tackle these challenges head-on.

Why does this matter now? Isn’t email dying? Not based on the numbers. For example:

In a review of just the fourth quarter of 2023, VIPRE reviewed roughly 7.2 billion emails worldwide that were processed through its systems. Of those, more than 950 million malicious or unwanted emails were detected (~13 percent) and blocked. Most of these were detected using classical signature-based detection of bulk email, known malware, and known malicious links, including 20 million emails with malicious attachments and 41 million emails with malicious links. But there were 500,000 malicious emails that were only detected because of advanced, behavioral simulation of a user actually clicking on the link, i.e. detecting true zero-hour malicious sites, which is a feature built into our VIPRE Email Link Isolation. 

It was interesting to note a rise and fall in favored malicious email types each quarter and throughout the year. In 2023, we noticed the following trends:

• 276% increase in emails containing malware between Q1 and Q4
• 23% rise in scam emails between Q1 and Q4, with a 179% spike in Q2
• 6.4% decrease in phishing emails between Q1 and Q4

Regardless of the slight percentage decrease, phishing emails continue to be tied with scam emails in volume, making them a perennial favorite of hackers and a constant threat to inboxes. Healthcare is in the top three targeted industries, representing 14% of the attacks that we observed across all of our customers.

With this data as a reference point, it’s easy to see that healthcare is chronically at risk regarding its vulnerability to cyberattacks driven by phishing and malicious inclusions in email. While writing this piece, one of the nation’s largest healthcare clearinghouses, Change Healthcare, was affected by a massive ransomware attack.

Change Healthcare is a unit of UnitedHealth Group’s Optum subsidiary, and its products are used by a huge variety of healthcare organizations. According to HHS, Change Healthcare “was impacted by a cybersecurity incident in late February. HHS recognizes the impact this attack has had on healthcare operations across the country.” The Russian-speaking cybercriminal gang known as AlphV and Blackcat claimed responsibility and said on its darkweb site that it exfiltrated 6 TB of data in the attack against Change Healthcare.

This specific attack affected healthcare systems, prescription deliveries, and anyone who processes insurance claims. This should raise red flags for all healthcare organizations regardless of size, particularly for smaller organizations with limited budgets. After all, if companies as massive as Change Healthcare—who undoubtedly had advanced cybersecurity measures in place—can be breached, then smaller organizations with fewer resources should take action to protect themselves.

The attack underscores the critical importance of proactive measures to mitigate the risks of sophisticated cyber threats. Although the attack vector in the Change Healthcare breach has not been identified as of this writing, the same group was responsible for the massive MGM Resorts hack in September 2023, which started on LinkedIn with a social engineering-driven exploit. A form of phishing, this foothold was leveraged to gain access within MGM, and this access was then expanded to target many of MGM’s key business systems.

Understanding the Email Security Landscape in Healthcare

Healthcare institutions grapple with distinctive cybersecurity hurdles because of the highly sensitive patient information they handle. Studies indicate the massive impact of data breaches and cyber intrusions within the healthcare sector.

For instance, the IBM “Cost of a Data Breach 2022” report underscores a 42% increase in breach costs for the healthcare industry since 2020. Healthcare consistently bears the highest average data breach costs across sectors. In 2022, the average cost surged to a record $10.1 million, a 9.4% rise from the previous year and a 41.6% increase from 2020.

Phishing poses the most prevalent threat, with 81% of organizations falling victim to it in 2022. Healthcare is no exception; facing a barrage of phishing attacks ranging from broad campaigns to targeted schemes like business email compromise (BEC)—termed the “26-billion-dollar scam” by the FBI—can be devastatingly effective in healthcare settings. According to Verizon’s “2021 Data Breach Investigations Report,” 85% of breaches involve human interaction, often through email phishing attacks. Notably, basic human errors, such as misdelivery, also persist as significant vulnerabilities in healthcare. 

Features and Advantages of Advanced Email Security Solutions

Advanced email security solutions offer various features tailored to fortify protection and mitigate risks effectively. These solutions leverage cutting-edge technologies like machine learning and artificial intelligence for robust email filtering and attachment scanning, enabling the identification and interception of malicious content even when the threats have never been previously seen (“zero-day” or “zero-hour” threats).

Additionally, advanced anti-phishing measures and URL protection features are pivotal in detecting and thwarting phishing attempts and shielding healthcare organizations from fraud. Data loss prevention (DLP) capabilities ensure compliance by identifying and safeguarding sensitive patient data within emails. Furthermore, user awareness initiatives bolster overall cybersecurity posture by educating employees on email security best practices.

Taken together, solutions such as those above can significantly reduce risk and promote adherence to regulations such as HIPAA. Perhaps predictably, healthcare organizations are projected to invest $125 billion USD in cybersecurity between 2020 and 2025 to attempt to solve these problems.

Seamless Integration and User-Friendly Experience

A key insight related to the deployment of technology investments, particularly in high-stress environments such as healthcare, is that any solution that impedes the flow of business (or the provision of care) will be circumvented or ignored. This includes issues ranging from end users skipping training sessions and ignoring rules about how patient data should be handled, to IT security admins failing to notice when breaches occur because of the complexity of solution deployment, configuration, or simply the presentation of threat information.

In addition to core security efficacy, therefore, health care organizations must evaluate the ease with which solutions can be deployed, configured, and managed, and the possible impacts on the workflow of employees, both health care professionals and IT security staff. Email security solutions in particular should seamlessly integrate with existing systems, present low-friction cautions or prompts to end users, and provide intelligent, accurate, and useful threat indications to security teams.

Automated updates and continuous threat intelligence ensure solutions remain up-to-date, while centralized management consoles enable efficient policy enforcement across the organization.

In addition to integration and user-friendliness, advanced solutions offer reporting and analytics capabilities, enabling IT teams to assess security effectiveness and guide future enhancements.

Conclusion

In light of escalating cybersecurity threats, prioritizing email security is imperative for healthcare institutions. Advanced email security solutions comprehensively safeguard patient data, mitigate vulnerabilities, and ensure regulatory compliance.

By leveraging robust features like AI-based detection and blocking, anti-phishing measures, DLP, encryption, and user education, healthcare organizations can fortify their email security posture effectively. In doing so, they create a resilient environment that protects sensitive data, minimizes disruption, and confronts evolving email threats head-on.