Saint Agnes Health Care, Inc. announced that an attacker successfully phished an employee and obtained personally identifiable information of approximately 25,000 patients. The information included names, dates of birth, gender, medical record number, insurance information, and limited clinical information. In addition, Social Security numbers were obtained for 4 of the patients. Based on their news release, all of the data was obtained from the mailbox of the phished employee. Some of the standout items from this attack include:
- The data that was stolen was “contained in an employee email account”. That means the data was in the mailbox, which means it was sent or received via email. One good security practice is not to send or receive sensitive or confidential information by email (especially email that isn’t protected by encryption; more on this later in this post).
- Saint Agnes Health Care, Inc. said that they reported this incident to their email service provider. Protecting against phishing requires employee awareness training and ongoing, internal social engineering campaigns to maintain employee vigilance. While email security software at the server level can stop some phishing campaigns, a sophisticated campaign is likely to pass right through. Saint Agnes also said that “We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future”. So let’s hope that employee awareness training is one of them.
- The information included medical record numbers and other identifiers. Much of the information is classified as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Health care providers must protect PHI to be in compliance with HIPAA. This includes Saint Agnes Health Care, Inc. All organizations that want to be HIPAA compliant must follow these rules:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
In a phishing campaign, a bogus email is crafted and sent in bulk to an organization’s employees. These types of campaigns are often low quality, and few recipients fall for them. The email messages often contain typos, grammatical errors, and suspicious links. However, because they are targeted at a large number of individuals, such as all of an organization’s employees, even a few clicks from thousands of emails can result in big problems for an organization. In the Saint Agnes Health Care, Inc. case, it appears that only a single employee was successfully phished. Even so, a moderate amount of data was obtained. That data can be used for a follow-up spear phishing campaign. With spear phishing, individual employees are targeted and the quality of the bogus email is often higher than in a typical phishing campaign. Imagine a scenario where the attacker poses as a Saint Agnes Health Care, Inc. employee. The attacker can include some of the PHI from the phishing campaign in the bogus email and attempt to gain access to the computer or credentials of the target. The end goal of the attacker is to escalate their access level to the IT administrative level so that access will be unrestricted or mostly unrestricted.
There are always lessons to be learned from these incidents. Here are the standout lessons that I see from this incident:
- Do not rely on email encryption to protect sensitive or confidential data. Using encrypted email may seem like something you should do. And you should. But, not for protecting against phishing campaigns. Here’s why. In many of these phishing campaigns, the target computer or user credentials are compromised. Thus, the attacker may have complete control of the desktop or mailbox while logged on as the employee, and therefore has access to the decrypted e-mail. Encrypted email is usually not suited to protecting e-mail data at rest. It is suited to protecting email data in transit. So think of it as one layer of a multi-layered approach.
- Do not use email to send or receive sensitive or confidential data. There are a myriad of solutions to help organizations avoid using email for sensitive or confidential data. Many of them store the data on a secure web site and only use email to notify recipients that a message has been received. Recipients go to the secure web site, authenticate, and then can gain access to the data. Often, organizations have these solutions in place but don’t use them for internal employee communications.
- Use content scanning and filtering for email. In addition to offering a solution for using a secure web site for sending sensitive or confidential data, you should automate the solution so that it catches e-mail messages that contain sensitive or confidential data and automatically moves that data to the secure web site. If securing email is optional to employees, only a subset of email that contains sensitive or confidential data will be protected. Many organizations, especially those complying with HIPAA, scan outbound email already. However, scanning inbound email and employee-to-employee email is also critical to minimizing your exposure. And automating all of it is the key.
- Audit and look for anomalies. Many organizations audit various parts of their IT infrastructure. But few actively scan the audit logs looking for anomalies. For most organizations, the only effective way to perform the anomaly scanning is by using a third-party solution. This is due to the enormous amounts of data to work through and the complicated correlations that are needed to raise a red flag. In phishing cases like this one, having somebody log on as the user from a country where the organization doesn’t do business should be a red flag. Or, having a user log on from two different locales at the same time. There are many situations that should raise a red flag and warrant an immediate investigation. But if you aren’t auditing and scanning for anomalies then you won’t find out until it is too late.
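A minimal version of the automated content scan described in the filtering lesson above, as an added example that is not Saint Agnes’s or any vendor’s code: it looks for the identifiers the post names (Social Security numbers and medical record numbers) in a message body and routes the message to the secure web site instead of delivering it. The SSN pattern is the standard format check; the "MRN-1234567" record number format and the example.org addresses are assumptions.

```python
import re

# Patterns for the identifiers the post calls out as sensitive. The SSN check is
# the standard 3-2-4 format with invalid groups excluded; the "MRN-1234567"
# medical record number format is an assumption for this example.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE)

def find_sensitive(text):
    """Map each pattern name to the values found in the text."""
    hits = {}
    for name, pattern in (("ssn", SSN_RE), ("mrn", MRN_RE)):
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits

def route_message(msg):
    """Return ('deliver', {}) for a clean body, or ('secure_portal', findings)
    when the body must be stored on the secure web site and only a
    notification sent by email. Inbound, outbound and employee-to-employee
    mail are scanned the same way, which is the point of the text above."""
    findings = find_sensitive(msg["body"])
    return ("secure_portal" if findings else "deliver"), findings

def redact(text):
    """Body for the notification email: sensitive values replaced."""
    return MRN_RE.sub("[MRN removed]", SSN_RE.sub("[SSN removed]", text))

# Constructed sample messages (fictitious people and example.org addresses).
SAMPLES = [
    {"from": "nurse@example.org", "to": "billing@example.org",
     "body": "Patient Jane Roe, MRN-0456789, DOB 02/14/1960 needs a referral."},
    {"from": "hr@example.org", "to": "staff@example.org",
     "body": "Reminder: benefits enrollment closes Friday."},
    {"from": "outside@partner.example", "to": "records@example.org",
     "body": "Please verify SSN 123-45-6789 for the claim."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        action, found = route_message(m)
        print(action, found, redact(m["body"]))
```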
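The two red flags described in the auditing lesson above, as an added example that is not from the original post: run over a few constructed logon records, it flags a successful logon from a country outside an allow-list and a second logon by the same user from a different country within a short window. The allow-list, the 30-minute window and the log format are assumptions.

```python
from datetime import datetime, timedelta

# Countries where the organization does business; an assumption for this example.
EXPECTED_COUNTRIES = {"US"}
# Two successful logons by the same user from different countries within this
# window are treated as "two different locales at the same time" (assumption).
CONCURRENT_WINDOW = timedelta(minutes=30)

# Constructed sample logon records: timestamp, user, result, source country, city.
SAMPLE_LOG = """\
2015-01-20T08:02:11Z jdoe SUCCESS US Baltimore
2015-01-20T08:15:40Z jdoe SUCCESS US Baltimore
2015-01-20T08:21:05Z jdoe SUCCESS NG Lagos
2015-01-20T09:00:00Z asmith FAILURE US Towson
2015-01-20T09:01:30Z asmith SUCCESS US Towson
2015-01-20T13:45:12Z jdoe SUCCESS DE Berlin
"""

def parse_log(text):
    """Turn the whitespace-separated records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, user, result, country, city = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "country": country, "city": city})
    return events

def find_anomalies(events):
    """Return (rule, user, detail) red flags that warrant investigation."""
    flags = []
    last_success = {}  # user -> most recent successful logon
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "SUCCESS":
            continue  # failed logons are not considered by these two rules
        if ev["country"] not in EXPECTED_COUNTRIES:
            flags.append(("unexpected_country", ev["user"], f"{ev['city']}, {ev['country']}"))
        prev = last_success.get(ev["user"])
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= CONCURRENT_WINDOW:
            minutes = (ev["ts"] - prev["ts"]).seconds // 60
            flags.append(("concurrent_locales", ev["user"],
                          f"{prev['city']} and {ev['city']} within {minutes} min"))
        last_success[ev["user"]] = ev
    return flags

if __name__ == "__main__":
    for flag in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*flag)
```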
As more and more organizations are successfully compromised, it is up to the rest of the organizations that haven’t been in the news to take proactive steps to avoid becoming a victim. If you work for such an organization and are reading this, which steps are you going to take today? Don’t wait until you are compromised to take action. By then, it is too late. In addition to your data, you’ve lost the trust of your customers, your partners, and your employees.