
    Beware of attacks from spear phishers

    Q: Our practice manager told me recently we need to protect patient data against "spear phishing" attacks. What are these, and why are they dangerous?

    A: Spear phishing is an email fraud attempt—a targeted attack on specific individuals or organizations in an effort to collect private information by feigning to be a trusted source. As more patient data become digitized, it has increasingly become a target of spear phishing attacks.

    Such attacks can take many forms. One of the most common is for the criminal to claim to be from the company's or organization's information technology (IT) department or Internet service provider (ISP) and ask for your password to "check on a problem."

    Phishing attacks usually take the form of an official-looking email featuring a security-related subject line. According to a recent article by researchers at Websense, some of the most popular subject lines for spear phishing emails are:

    • your account has been accessed by a third party;
    • security measures;
    • verify your activity; and
    • account security notification.

    Most organizations and ISPs have email filters and other security systems designed to catch fraudulent emails, but the criminals often are able to find ways around them. One popular method is to send spear phishing emails late on a Friday containing links that are still harmless when the filters scan them. The attacker then compromises the Web site that the link points to over the weekend. On Monday, the email is waiting in your inbox, already past the filters, and ready to do nasty things to your data.

    A spear phishing criminal will go after data in healthcare organizations because these organizations store data on a large number of individuals—data that are useful for identity theft. Because of the large amount of dollars or goods that can be acquired via identity theft, your patients' information has become a high-value target. A recent article on the Web site http://Lawyers.com/ highlights this situation. The method the criminals used was the venerable "IT needs your password" ruse.

    According to the Web site http://CNet.com/, one recent spear phishing attack targeted the White House and was after the "nuclear football" that the president and his team carry. This attack also could be called a "whale phishing" attack because it went after high-ranking officials in search of high-value data. In your practice, high-value data might include patients' bank account, credit card, and social security numbers, or information about sensitive negotiations or lawsuits in which you are involved.

    So how do you protect against these attacks and safeguard your data? Start with educating your employees. They are your first line of defense, and they need to feel as though they're part of the solution. They must be constantly reminded, through annual mandatory training and periodic newsletters and emails, to be very careful about clicking on links in any emails they receive.

    This caution should apply not only to your practice's email account, but also to any personal email accounts and social media that they can access either while at work or connected from home or some other remote site, such as a coffee shop. They must know what your IT team will—and more importantly will not—ask for in the course of performing its duties. Consider using a contest or incentive program that rewards staff for reporting phishing attacks to your IT staff.

    If your practice can afford it, deploy some type of email "sandboxing"—a type of program that examines incoming links and attachments and isolates any viruses they release before they can damage a network or hard drive—or Web-filtering technology that scrutinizes links in real time as your users are interacting with email.
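    The following is an added example, not from the column or its author, showing why the Friday-delivery trick described above defeats a one-time scan and why the real-time link scrutiny recommended here catches it: the same link is clean when the mail arrives and is only flagged when re-checked at the moment of the click. The hostnames, timestamps and the reputation feed are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed reputation feed (hypothetical): hostname -> time it was first flagged.
# The site is still clean on Friday; it is flagged only after the weekend compromise.
FLAGGED_HOSTS = {
    "patient-portal-update.example": datetime(2024, 1, 8, 6, 0),  # Monday 06:00
}

# Constructed points in time used below and in the checks.
FRIDAY_DELIVERY = datetime(2024, 1, 5, 22, 30)  # late Friday evening
SATURDAY_CLICK = datetime(2024, 1, 6, 9, 0)     # before the feed learns of it
MONDAY_CLICK = datetime(2024, 1, 8, 9, 0)       # staff open the mail


@dataclass
class Email:
    subject: str
    links: list
    delivered_at: datetime


def host_flagged_at(url: str, when: datetime) -> bool:
    """True if the URL's host was already on the feed at time `when`."""
    host = (urlparse(url).hostname or "").lower()
    flagged = FLAGGED_HOSTS.get(host)
    return flagged is not None and flagged <= when


def delivery_time_scan(email: Email) -> list:
    """Gateway filter: checks links once, on arrival. Returns the blocked URLs."""
    return [u for u in email.links if host_flagged_at(u, email.delivered_at)]


def click_time_check(email: Email, clicked_at: datetime) -> list:
    """Real-time link scrutiny: re-checks each link when the user clicks it."""
    return [u for u in email.links if host_flagged_at(u, clicked_at)]


# Constructed sample: a "security measures" lure delivered late on Friday.
SAMPLE = Email(
    subject="security measures",
    links=["http://patient-portal-update.example/verify"],
    delivered_at=FRIDAY_DELIVERY,
)

if __name__ == "__main__":
    print("blocked at delivery:", delivery_time_scan(SAMPLE))        # []
    print("blocked at Monday click:", click_time_check(SAMPLE, MONDAY_CLICK))
```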

    Your end-user computers also must have good antivirus software installed, and the software should be regularly updated and have the latest virus definitions. This software should be a well-known application that scans disk and network access in real time, not just during a scheduled run in the middle of the night.

    Unfortunately, no magic bullet will protect your practice from spear phishing attacks. Constant education, vigilance, and teamwork are the keys to protecting your patients' and your practice's sensitive data. For additional information, visit:

    The author is manager of information systems for SS&G Healthcare in Akron, Ohio.
