Dive Brief:
- The type of malware infecting healthcare organizations through malicious emails is constantly changing, and attackers now target people as much as infrastructure, according to a new study from Proofpoint, a cybersecurity vendor.
- Banking trojans, which allow attackers to view or steal banking credentials, were the biggest threat (41% of malicious payloads) throughout the study period, spanning the second quarter of 2018 through the first quarter of this year. Meanwhile, Emotet, a botnet that can distribute spam, steal information and serve other uses, was the biggest threat (60% of malicious payloads) in the first quarter of 2019. Ransomware attacks, which were common in the second quarter of 2018, were largely nonexistent in subsequent quarters.
- The study, which analyzed "hundreds of millions of malicious emails" from providers, pharmaceutical companies and health insurers, also found that malicious emails most often used URLs (77% of cases) rather than attachments to deliver infected code. Proofpoint attributed much of the prevalence of URLs in malicious emails to Emotet.
Dive Insight:
Data breaches are an ongoing problem for the healthcare sector, which led all industries in cybersecurity occurrences in 2018, according to BakerHostetler's latest Data Security Incident Response Report. It found that more than half of all incidents involved insider error or activity.
The breaches often involve highly sensitive patient information. A study in the Annals of Internal Medicine found that 71% of breaches between October 2009 and July 2019 involved demographic or financial information while 65% compromised patients' clinical information.
Despite the threat of data breaches, providers have been slow to make cybersecurity a top priority, according to Black Book Market Research. In a 2017 study, 54% of respondents said they don't conduct routine risk assessments and eight in 10 of them lacked a C-suite executive to manage enterprise cybersecurity.
The new report found that URLs have become more common in email attacks because users have become more cautious about opening attachments. Attackers often use the URLs to link to malicious files hosted on trusted file-sharing services such as Dropbox or OneDrive.
Proofpoint said the companies targeted with cyberattacks in the first quarter of 2019 had an average of 65 staff members attacked. Most email attacks occurred between 7 a.m. and 1 p.m. on weekdays. The targeted employees weren't always high-ranking company VIPs; attackers also consider factors such as access to particular systems or having a visible email.
Cyber criminals also use imposter emails that don't have malware attachments or links but trick employees into doing something such as sending money or transmitting sensitive information. For example, they may "spoof an email domain to craft an email that looks like it's from a colleague" or "mention personal details (gleaned from your social media networks) to gain your trust," Proofpoint said.
The study found healthcare organizations targeted by imposter emails in the first quarter of 2019 received an average of 43 of these messages, more than five times the volume in the first quarter of 2017. The emails spoofed an average of 15 employees.