Brokers can protect themselves, and advise clients
By Chuck Burbank
While ransomware attacks and organized hacking operations may grab headlines, malicious operators often gain access to company networks in mundane ways that don’t earn attention so aren’t talked about as much. While this information may seem basic, it bears repeating. We are seeing a significant increase this year in cybercrime, so though you think you and your clients, employees and colleagues are wise to the multitude of scams out there, there are still scammers succeeding in hooking us in.
Email is an easy mark
Despite the growing number of communications options available to businesses, email remains the number one tool of business communications. The flexibility, reliability and convenience of email means it’s not going away any time soon.
But for all its benefits, email is also the primary target of serious cyberattacks. Social engineering attacks, like phishing, can lead to data breaches, malware and ransomware attacks, and millions of dollars in losses for businesses.
Know what you are up against
Phishing is a social engineering attack that tries to trick the recipient into clicking a link or opening a file that downloads malware or reveals sensitive information, such as user names and passwords. Phishing emails appear to come from trusted senders, such as personal or business contacts. Such emails many times have generic introductions (such as “Dear valued customer”), grammar and spelling errors (although this is harder to detect with grammar and spell check – although it may be obvious that English is a second language in the structure of the communication). Some have email addresses that do not match the website of the sender’s company, or do not actually match the name stated, include unrequested attachments, or requests to click a link and enter a User ID and password in order to confirm information.
Brokers and healthcare info are prized targets
According to the FBI and several data breach-tracking websites, the value of healthcare data can be significantly higher than other types of financial records. According to Experian, a single patient record can sell for upwards of $1,000 on the Dark Web, depending on how complete the record is. That’s nearly 50 times higher than the value of standard credit card records.
In addition to Protected Health Information (PHI), brokers also have access to large amounts of Personally Identifiable Information (PII) — sensitive information that can be used to identify a unique individual, such as Social Security Numbers, full names and financial information.
Why is PII/PHI so valuable?
When credit card information is stolen, it can only be used until the theft is discovered and the card is shut down by the issuing institution. For those of us who work in health insurance, the information we deal with has a potentially unlimited lifespan. For example, Social Security Numbers don’t “expire” and are very rarely reissued — generally only under the most extreme circumstances.
Additionally, fraudulently-obtained PII enables a number of illegal activities, such as identity theft, tax or healthcare insurance fraud, or extortion.
As I said, at BenefitMall, we have seen a continual spike in phishing attempts in the past year. Each month, we block 22,000 attempted phishing emails and our Security Operations teams respond to more than 2,000 user-reported phishing emails. Of those reported emails, half contain malicious attachments.
What’s concerning is that phishing emails often appear to be coming from trusted sources, hoping that recipients will click on links and open files believing that they came from known contacts with legitimate business needs. Sometimes, those emails are coming from broker partners whose email has been compromised, allowing cyber attackers to use those email accounts to send out phishing attacks to other organizations.
What should you do if your email system has been compromised?
There are a number of regulatory and contractual obligations that brokers must comply with in the event that an email network is compromised and a data breach may have occurred. In addition to notifying the applicable State Attorneys General, some states have additional reporting requirements. For example, in New York, the Department of Financial Services must be notified, and in Maryland, the Department of Insurance.
In California, you should report the incident to the California Department of Justice (DOJ) through their Cyber Crime Center and to your local law enforcement agency. If the cybercrime involved a breach of personal information, such as Social Security numbers or financial account numbers, you may also need to notify the affected individuals and relevant government agencies, such as the California Attorney General’s office or the Federal Trade Commission (FTC). You should also report the incident to the Internet Crime Complaint Center (IC3).
If you have entered into any Business Associate Agreements (BAAs) with carriers, they must be notified. Also, the U.S. Department of Health and Human Services Office for Civil Rights must be contacted regarding any HIPAA violations.
There are also steps that employees should take if they are victims of phishing attacks. Employees should immediately change their passwords for all email accounts and critical websites connected to those email addresses. (While it’s not a good practice to reuse passwords, we know that many people do. Remind clients and employees that if they are using the compromised password for other things — such as personal banking or online shopping —they should create unique passwords for those sites as well.)
Anyone who may have received a compromised email from the affected employees should also be notified to prevent additional phishing attacks. This includes not only other employees and contractors within the company, but contacts at other companies.
How to prevent email phishing attacks
Fortunately, there are a number of proactive steps that brokers can take, and recommend to clients to protect the integrity of their email networks.
- Enable Multi-Factor (MFA) or 2 Factor Authentication (2FA). This is an electronic authentication method in which a user is granted access only after presenting two or more pieces of evidence (“factors”) that they are who they claim to be. Factors may be knowledge (something only the user knows, like a password), possession (something only the user has, like a barcode on a badge), or inheritance (something unique to the user, like a fingerprint or iris scan). Your email provider can help you set up MFA.
- Use encryption across all parts of your network. Email encryption should be used when sending PII/PHI via email, but workstations (laptops and desktops) should use full disk encryption as well.
- Select and install an antivirus solution — and keep it up to date. Schedule signature updates and monitor the antivirus status on all equipment. Deploy SPAM/phishing filters in your email settings as well.
- Auto-install all software upgrades and patches for your operating system (Windows or Mac OS).The patches will have up-to-date security protocols and address security flaws as they are discovered. Many malicious software attacks exploit known security issues for which updates have been made available, but were not deployed.
- Educate your employees AND your client! Network security can only do so much. Phishing attacks work not by tricking the network, but by fooling individual users by exploiting their trust. Your employees and contractors need not just a one-time training, but periodic reminders on how to spot a suspicious email and what they should — and more importantly, should not-— do when they receive them. Training doesn’t have to be expensive or created in-house. The security industry has a number of free resources, such as Stop, Think, Connect (stopthinkconnect.org) with videos, as well as downloadable tip sheets, posters, and graphics that can be distributed easily to employees. Your email provider may also have a library of resources for your use.
While we can’t stop bad actors from attempting to breach our email networks, or committing other cybercrime, taking these steps will greatly reduce their ability to target us, our employees and our valued clients.
Chuck Burbank joined BenefitMall in 2019 as chief information security officer. A certified HIPAA professional and HIPAA Security Specialist, Burbank has more than three decades of experience in healthcare and is a recognized Privacy and Security expert and sought-after industry speaker. A Navy veteran, Burbank’s information security experience includes both military support and private industry. He oversees BenefitMall’s overall Information Security Program, which includes cybersecurity and compliance with data security regulations.