Baystate Phishing Attack Serves as Wake-up Call for Companies
Won’t Get Fooled Again?
The trouble with a phishing scam, Brendan Monahan says, is that only one person in an organization has to fall for it to put information at risk.
Or, in Baystate Health’s case, five.
“There is constantly a threat to businesses — including ours; we’re no different — from outside phishing attacks,” said Monahan, manager of Public Affairs, in the wake of a phishing attack in August that exposed the personal data of thousands of patients. “They’re often internationally based and geared toward handing over the keys to the kingdom to a hacker who, from what we understand from most experts, is looking for some financial gain out of it.”
That doesn’t seem to have occurred in this case, Baystate officials say, but the incident, which was made public late last month, is serious enough to trigger a re-examination of the system’s security protocols — and to serve as a warning to other employers in the region, both large and small.
Specifically, on Aug. 22, Baystate learned that a phishing e-mail had been sent to numerous Baystate employees that, if opened, allowed hackers to access those employees’ e-mail accounts.
Phishing is an electronic attempt to obtain sensitive information, such as passwords and credit-card information, by masquerading as a trustworthy source. Phishing e-mails may contain links to a site infected with malware, or directly load a program onto a computer that makes its contents accessible to the scammer. The Baystate scam e-mail was designed to look exactly like an internal memo to employees.
Baystate’s investigation determined that five employees responded to the phishing e-mail, allowing the hackers to gain access to those employees’ e-mail accounts. Some of the e-mails in those accounts included patient information, including names and dates of birth, diagnoses and treatments received, medical record numbers, and, in some instances, health-insurance identification numbers. However, the e-mails did not contain Social Security numbers, credit-card numbers, or other financial information commonly used by scammers and identity thieves to enrich themselves.
“The [phishing] e-mail contained information that would be described as mimicking or mocking an internal Baystate Health HR memo. Five employees clicked on that e-mail, which immediately compromised their Outlook e-mail accounts into the hands of the perpetrator,” Monahan told BusinessWest. “Our computer research firm found exactly what was in the e-mails and what could have been looked at.”
The fact that no financial data was compromised may be small comfort for affected patients, but it may also mean the scammers had no real use for the information and left it alone once they discovered they couldn’t profit from it. That remains to be seen.
“In this case, there was no financial gain to be had from the patient information,” Monahan said. “That’s why we don’t know whether they went through the documents, but they could have.”
Still, he added, “while we have no evidence that any patient information has been taken or misused, we want to assure our patients that we take this incident very seriously.”
Upon discovering the breach, Baystate immediately took steps to secure the e-mail accounts and began an investigation, and also reported the incident to law enforcement.
But finding out what happened and trying to identify the perpetrators is only one step in the process of responding to the incident, Monahan said. Topping that list is ensuring — or at least trying to ensure — that such an incident won’t be repeated, and that begins with employee education and training regarding phishing e-mails and other scams.
“That was already going on beforehand, and I would say it’s being ramped up,” he explained, noting that employees can click a button at the top of any e-mail if they suspect it comes from a suspicious source, and someone from Baystate’s IT staff will come and determine if it’s dangerous or not. “We try and help them, to train them not to click on a suspicious e-mail, what a phishing attack looks like, and how to recognize it when it comes about.”
Frank Vincentelli, chief technology officer at Integrated IT Solutions in Westfield, and Eric Brown, the company’s vice president of Security Services, recently spoke about data security in the business world at the Western Mass. Business Expo, and discussed at length the critical role each employee plays in keeping a company safe.
“The best defense is to have a written information-security policy in place,” Brown said. “Part of that is training in security awareness for employees. That way, employees can’t say, ‘I didn’t know,’ or ‘I don’t understand.’ That’s where the data risk is. It’s not from the outside; it’s from the inside, with mistakes, careless errors made by employees.”
Vincentelli noted that a computer without access to the Internet or e-mail is generally safe, but not particularly useful, so businesses must strike a balance between safety and usability. “The very fact that you have access to these resources is giving the attackers a way into your system and your information.”
The entire security chain, in other words, is only as strong as its weakest link.
“Each individual user is an active part in the overall security strategy of the company,” he went on. “I’m sure all of us can think of a person we work with who’s not necessarily technologically sophisticated, a person who usually gets a virus or is hit with CryptoLocker three or four times a year. That person is the best level of protection your organization has.”
Training every employee, then, is critical, but companies must still maintain a robust firewall infrastructure, complete with early-detection capabilities to identify breaches when they occur. Still, Vincentelli said, “the most important component is the individual user.”
Phishing scams are, unfortunately, more common in the healthcare realm than some might suspect. In recent years alone, according to data-risk consulting firm IDT911, a server operating under contract for DeKalb Health Medical Group in Indiana experienced a cyberattack that compromised more than 1,300 patient-information records; Baylor Regional Medical Center in Texas was hacked after doctors responded to phishing e-mails, exposing the patient information contained in their inboxes, including names, addresses, dates of birth, and even Social Security numbers; and Franciscan Health System in Washington was hacked in a phishing scheme that affected potentially 12,000 patients.
Norton, the developer of Internet security software, recommends several steps to avoid becoming the victim of phishing at work, including being wary of e-mails asking for confidential information; watching out for generic-looking requests for information, as fraudulent phishing e-mails are usually not personalized; and avoiding using links in an e-mail to connect to a website, instead opening a new browser window and typing the URL directly into the address bar.
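The tells listed above, and the spoofed internal HR memo described earlier in this article, can be turned into a mechanical first pass before a message ever reaches the “report suspicious e-mail” button. The script below is an added illustration, not Baystate’s or Norton’s tooling: it parses a raw e-mail and flags a display name that claims the organization while the sender domain is external, a Reply-To that routes answers elsewhere, a generic greeting, a request for credentials, and a link whose visible text names one host while its href points at another. The internal domain baystate.example and both sample messages are constructed placeholders.

```python
"""Heuristic phishing triage for the tells named in the article.
Added illustration; INTERNAL_DOMAIN and the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "baystate.example"   # assumed internal mail domain (placeholder)
ORG_NAME = "baystate"                  # token an impostor puts in the display name
CREDENTIAL_PHRASES = ("password", "credentials", "verify your account",
                      "log in", "login", "social security")
GENERIC_GREETINGS = ("dear user", "dear employee", "dear customer", "dear staff")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _mail_domain(header_value):
    """Domain of the first address in a From/Reply-To header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _mail_domain(msg.get("From"))
    if ORG_NAME in display_name.lower() and from_domain != INTERNAL_DOMAIN:
        findings.append(("spoofed-display-name", f"'{display_name}' sent from {from_domain}"))
    reply_domain = _mail_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))
    body = _body_text(msg)
    lower = body.lower()
    if any(g in lower for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", "not addressed to a named recipient"))
    hits = [p for p in CREDENTIAL_PHRASES if p in lower]
    if hits:
        findings.append(("asks-for-credentials", ", ".join(hits)))
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text.lower())   # host the reader *sees*
        if shown and shown.group(1) != href_host:
            findings.append(("link-text-mismatch", f"shows {shown.group(1)} but points at {href_host}"))
        if href_host and not _is_internal(href_host):
            findings.append(("external-link", href_host))
    return findings


# Constructed sample modelled on the article's description: an "HR memo" from outside.
PHISH_SAMPLE = """From: "Baystate Health HR" <hr-notices@hr-portal.example>
Reply-To: <verify@collect.example>
To: staff@baystate.example
Subject: Action required: annual benefits confirmation
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Employee,</p>
<p>Your benefits record must be re-verified by Friday. Please visit
<a href="https://hr-portal.example/login">hr.baystate.example/benefits</a>
and confirm your password to keep coverage active.</p></body></html>
"""

# Constructed legitimate memo for comparison.
LEGIT_SAMPLE = """From: "Baystate Health HR" <hr@baystate.example>
To: jane.doe@baystate.example
Subject: Open enrollment dates
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Jane,</p>
<p>The open-enrollment schedule is posted at
<a href="https://hr.baystate.example/benefits">hr.baystate.example/benefits</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Run it and the constructed phishing sample trips all six checks while the legitimate memo trips none. Each check is a heuristic, not proof: a compromised internal account (which is exactly what the Baystate attackers obtained) passes the domain checks, so this kind of filter complements, rather than replaces, the reporting button and training the article describes.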
“This is constantly a threat that we have to be wary of as employees, in part because we have a confidentiality policy and handle health information and other protected information,” Monahan told BusinessWest. “We have to be good stewards of that. There needs to be a sense of vigilance, and we have to enforce it. With almost 13,000 people who work here, there’s no one piece of software that will block this particular type of attack. It comes down to workforce training.”
The attacks can be subtle, and often play on human psychology — including people’s natural curiosity. Brown asked his audience at the Expo what they would do if they found a USB stick on the ground before answering his own question.
“Obviously, if you find a USB stick and don’t know who the owner is, you don’t want to touch it,” he said. “That is one way people get malware infections. If I wanted to infect a company, I’d take 30 USB sticks, put a virus on them, and toss them in a parking lot. I guarantee a half-dozen people would pick them up and stick them in their computers.”
Vincentelli called cybersecurity a cat-and-mouse affair, adding that “I’m not sure who’s who.” But it’s clear that hackers are constantly honing techniques to exploit security weaknesses, and when the target develops a defense, the hackers create a better weapon.
“Unfortunately, they’re always a step ahead, and for those of us in the security industry, to prevent their success, we have to figure out what they’re doing,” he said. “But if you present a soft, open belly, they’re going to dive right in.”
On Oct. 21, Baystate mailed letters to people who may have been affected, directing them to call a phone number staffed by an outside contractor hired by Baystate to walk patients through the process of learning whether they had been victimized, Monahan said. In the meantime, the health system vowed to raise its level of awareness of threats that continue to evolve in sophistication.
“There are a million cyberthreats out there in the world, and this is one of them,” he said. “We are constantly working to train our workforce to recognize these threats and stay ahead of them — because the threat is always changing.”
Joseph Bednar can be reached at [email protected]