The health sector is under unprecedented pressure. While every healthcare system is mobilised against the Coronavirus pandemic, cybercriminals continue to tirelessly craft new frauds to steal personal information or embezzle funds. In France, for example, the Social Ministries warned at the end of April of an upsurge in phishing attempts that impersonate, in particular, Santé Publique France (SPF) or the French government in an attempt to scam businesses, local authorities or health establishments.
Email fraud, the main threat vector
According to the FBI, cyberattacks cost more than $3.5 billion in 2019, and almost half of these attacks went through the email channel (Business Email Compromise, or BEC, attacks).
Email fraud occurs when cybercriminals send extremely well-crafted emails to targeted people within an organization, typically to request a transfer of money or strategic information. They are sometimes impossible to distinguish from a legitimate request, because cybercriminals impersonate a trusted person to deceive their victims.
Every business is a potential target for cybercriminals, and the healthcare industry is no exception, even when it is already under particular pressure. A recent study showed that healthcare organizations that were victims of email fraud had received more than 40 fraudulent emails on average in a single quarter, a figure that more than tripled in just one year!
Often decentralized and holding sensitive information, health organizations are particularly attractive targets for cybercriminals. While malware and other cyber threats affect all sectors, email fraud is particularly damaging to the healthcare sector, because cybercriminals attack the most vulnerable segment of the population and those who try to help them.
Dissection of the problem
Cybercriminals often use social engineering techniques to deceive their victims. They take on the identity of a trusted organization or employee and craft sophisticated phishing emails requesting funds or trying to harvest login credentials. Impersonation is the key to email fraud: on average, the impostor takes on the identity of 15 healthcare workers across multiple messages.
Not surprisingly, requests for money transfers are the main subject of email attacks in the healthcare industry. Cybercriminals mainly use email subject lines containing the words “payment”, “request” and “urgent” to trap their victims. They also choose the right moment to launch the offensive. Most email attacks against health organizations are sent on weekdays between 7:00 a.m. and 1:00 p.m., and are designed to be seen by as many employees as possible during that window to increase the chances of success. Indeed, an external supplier is unlikely to request an update to its payment details in the evening or over the weekend.
Is the health sector prepared for this threat?
You don’t have to look far to realize that the risk exposure of some health-sector websites in France is high. For example, a quick DMARC (Domain-based Message Authentication, Reporting and Conformance) analysis of the domains of the French State’s Regional Health Agencies (ARS) shows that not one of them has the authentication level required to protect users against unscrupulous actors seeking to impersonate official trusted sites.
Cybercriminals are therefore free to send fraudulent e-mails in the official colors of these organizations: it is easy to imagine what happens next… Why don’t public services take more proactive measures to protect users from cyber attack attempts? What approach can health organizations take to protect their staff, patients and stakeholders from this risk?
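The DMARC analysis mentioned above comes down to reading one DNS TXT record per domain and judging its policy. The following added example, which is not part of the original article and is not Proofpoint code, shows how such a survey can be scripted and what distinguishes a monitoring-only record from an enforcing one. The records and domain names in it are constructed placeholders, not the real records of any ARS or government domain; the live lookup helper assumes the third-party dnspython package is installed.

```python
"""Added example (not from the original article or from Proofpoint): parse a
DMARC TXT record and rate how much protection it gives against direct domain
spoofing. All records below are constructed samples; the domain names are
placeholders and do not describe any real organisation."""
from typing import Dict, List, Optional

# Constructed sample data: what a TXT lookup of _dmarc.<domain> might return.
SAMPLE_DMARC_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "malformed.example": "v=DMARC1 p=reject",  # tags must be ';'-separated
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= policy tag")
    return tags


def assess_dmarc(record: Optional[str]) -> Dict[str, object]:
    """Classify a record as 'unprotected', 'none' (monitor-only), 'quarantine'
    or 'reject', and list the gaps that still leave room for spoofing."""
    if record is None:
        return {"level": "unprotected",
                "weaknesses": ["no _dmarc TXT record: receivers apply no policy at all"]}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"level": "unprotected", "weaknesses": [f"invalid record: {exc}"]}

    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"level": "unprotected", "weaknesses": [f"unknown policy p={policy}"]}

    weaknesses: List[str] = []
    if policy == "none":
        weaknesses.append("p=none: spoofed mail is still delivered, only reported")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        weaknesses.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    # sp= defaults to the p= value when absent (RFC 7489).
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        weaknesses.append("sp=none: subdomains of the organisation can still be spoofed")
    if "rua" not in tags:
        weaknesses.append("no rua= address: no aggregate reports, so abuse is never seen")
    return {"level": policy, "weaknesses": weaknesses}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per protection level, the kind of summary a survey of
    public-sector domains produces (here over the constructed samples)."""
    counts = {"unprotected": 0, "none": 0, "quarantine": 0, "reject": 0}
    for record in records.values():
        counts[str(assess_dmarc(record)["level"])] += 1
    return counts


def lookup_dmarc(domain: str) -> Optional[str]:
    """Fetch a live record. Assumption: the third-party dnspython package is
    installed; the offline samples above never call this."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        text = b"".join(rdata.strings).decode("utf-8", "replace")
        if text.lower().startswith("v=dmarc1"):
            return text
    return None


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain:22} {result['level']:12} {'; '.join(result['weaknesses']) or 'ok'}")
```

Two caveats worth keeping in mind when reading such a survey: a record with p=none satisfies the letter of "having DMARC" but asks receivers to deliver spoofed mail and merely report it, so it offers users no protection; and even p=reject only covers the exact domain and its subdomains, not lookalike domains registered by a third party.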
A human-centered strategy
Email fraud tactics are constantly evolving, but there is one constant: cybercriminals continue to use the human factor, targeting employees at all hierarchical levels. Healthcare companies therefore need to rethink their cybersecurity strategy, taking an individual-centered approach. In this way, health organizations can minimize the impact of the human factor and better protect their entire ecosystem. It is essential to understand who is most at risk and to adapt the strategy accordingly.
The current threat landscape requires a multi-layered defense strategy that encompasses people, process and technology. Strengthening employee resilience is essential through cybersecurity training and awareness programs. Otherwise, someone will always click!
Training and awareness programs are traditionally implemented to teach employees to stay alert and to act as the last line of defense against attacks on the business. Phishing attack simulations and gamified programs help employees think twice and actively participate in protecting their business from cybercriminals, rather than being the victim.
At the same time, priorities must be established among business processes. Certain processes, like transferring funds, pose a huge risk to all businesses; others, such as engineering and production, are company specific. In addition, processes that depend on people are more vulnerable, because those people can be the target of social engineering. Businesses must ensure that they are able to authenticate the entities, people and devices that contribute to business processes. If actions and decisions are taken on instructions from an entity whose identity has been impersonated, a management process can easily be compromised.
Finally, technologies such as DMARC are a real obstacle to the ever more daring attacks of cybercriminals. DMARC prevents third parties from spoofing corporate domains and sending emails on their behalf. Organizations should also consider dynamic email scanning to block display-name spoofing on portals, lookalike-domain discovery to find domains recently registered by third parties, and data loss prevention (DLP) and encryption to protect their essential assets.
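DMARC stops mail that forges the exact corporate domain; the two other email-layer measures named above, display-name spoofing detection and lookalike-domain discovery, deal with what DMARC cannot see. The following added example, which is not part of the original article and is not Proofpoint code, implements both checks as an inbound filter would, and also flags the subject-line words the article reports as the most used in attacks on health organizations. The protected domain, the directory of names worth impersonating and the sample message headers are all constructed placeholders.

```python
"""Added example (not from the original article or from Proofpoint): inbound
checks for display-name spoofing and lookalike sender domains, plus the
subject-line cues cited in the article. Every domain, name and message below
is a constructed placeholder."""
import re
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

PROTECTED_DOMAINS: Set[str] = {"hospital-example.fr"}  # constructed
VIP_DIRECTORY: Dict[str, str] = {                      # constructed
    "marie dupont": "marie.dupont@hospital-example.fr",
    "jean martin": "jean.martin@hospital-example.fr",
}
# Subject words the article reports as most used against health organisations.
SUBJECT_CUES = re.compile(r"\b(payment|request|urgent)\b", re.IGNORECASE)
# Characters and digraphs commonly substituted to imitate a domain.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed sample headers, in the order: legitimate, display-name spoof,
# lookalike domain, unremarkable external sender.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"From": '"Marie Dupont" <marie.dupont@hospital-example.fr>', "Subject": "Weekly planning"},
    {"From": '"Marie Dupont" <m.dupont.direction@webmail-example.com>', "Subject": "URGENT payment request"},
    {"From": '"Accounting" <invoices@hospital-exarnple.fr>', "Subject": "Updated bank details"},
    {"From": '"Supplier" <contact@partner-example.org>', "Subject": "Invoice attached"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Undo the common visual substitutions before comparing domains."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str, protected: Set[str], max_distance: int = 2) -> Optional[str]:
    """Return the protected domain this sender domain imitates, or None.
    The protected domain itself and its real subdomains are not lookalikes."""
    d = domain.lower()
    if any(d == p or d.endswith("." + p) for p in protected):
        return None
    for p in protected:
        if normalise_domain(d) == p or levenshtein(d, p) <= max_distance:
            return p
    return None


def normalise_name(name: str) -> str:
    return " ".join(name.lower().replace(".", " ").split())


def check_message(headers: Dict[str, str]) -> List[str]:
    """Return the findings for one message; an empty list means nothing suspicious."""
    findings: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display-name spoofing: a known person's name on an address that is not theirs.
    expected = VIP_DIRECTORY.get(normalise_name(name))
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoofing: '{name}' sent from {addr}")

    # 2. Lookalike sender domain (DMARC on the real domain does not catch this).
    target = lookalike_of(domain, PROTECTED_DOMAINS)
    if target:
        findings.append(f"lookalike domain: {domain} imitates {target}")

    # 3. Subject-line cues: a weak signal alone, used to raise review priority.
    cues = sorted({m.lower() for m in SUBJECT_CUES.findall(headers.get("Subject", ""))})
    if cues:
        findings.append("subject cues: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", check_message(msg) or "clean")
```

The display-name check depends on a directory of names that attackers find worth imitating (executives, finance, pharmacy procurement); in a real deployment that list comes from the HR or identity system rather than a constant. The lookalike check is deliberately simple (edit distance plus a confusables table) and would be complemented by the newly-registered-domain feeds the article refers to.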
By Loïc Guézo, SEMEA Cybersecurity Strategy Director at Proofpoint