Increasing Healthcare Industry Advanced Email Attacks and Increasing Insider Security Threat Costs

The healthcare sector has seen a distinct rise in advanced email attacks in 2023, according to new data from Abnormal Security. From January to August 2023, advanced email attacks increased by 167% over 2022 levels, and business email compromise (BEC) attacks increased by 279%.

Cybercriminals favor healthcare organizations because they hold substantial amounts of highly sensitive information and depend heavily on being able to access that data. Attacks that block access to IT networks and protected health information (PHI) threaten patient safety, and the resulting downtime causes substantial financial losses, which makes the industry a prime extortion target.

There was a substantial rise in advanced email attacks at the start of 2023, covering malware, BEC, phishing, and social engineering attacks. In January, there was an average of 55.66 attacks per 1,000 mailboxes. In March, the average grew to over 100 attacks per 1,000 mailboxes, before dropping to a steady average of 61.16 attacks per 1,000 mailboxes. Based on last year's data, attacks are expected to increase gradually in the run-up to the holiday period.

Though text-based BEC attacks are rare, usually just one per 1,000 mailboxes, each one results in an average of $125,000 in financial losses. These attacks are hard to detect and block because they are sent in low volume from legitimate domains with good reputations. The emails lack the red flags common in phishing emails, such as malicious hyperlinks and attachments, and they usually evade email security solutions.

One example is a campaign in which a threat actor impersonated the President and CEO of a healthcare network with over 200 centers in America. The email asked for a copy of all current aging statements for clients 30/90 days overdue, together with email addresses for the matching accounts payable departments. The attacker was trying to obtain invoice and contact details for all of the health network's clients, and would likely have crafted convincing emails to those clients in an attempt to redirect payments to an attacker-controlled account.

The median number of BEC attacks in August 2022 was 0.54 per week; in August this year, attacks increased by 54% to a median of 0.83 per week. Attacks from January to August 2023 increased by 279% over the same period in 2022, and they are likely to keep increasing for the remainder of 2023. To stop advanced email attacks, healthcare organizations need email security services that use artificial intelligence and machine learning to establish a baseline of normal behavior against which incoming emails can be evaluated, together with behavior-based anti-malware capabilities that block zero-day malware before the malicious messages reach employees. Technical defenses must be reinforced with security awareness training for employees and phishing simulations to measure the effectiveness of that training.
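The kind of baseline-driven evaluation described above can be illustrated with a small rule-based check. The following is an added example written for this page; it is not code from Abnormal Security or from the article. It assumes a constructed executive directory, a constructed list of addresses the mailbox has heard from before, and constructed sample messages modelled on the payment-diversion lure described earlier. The point it makes is that a payload-free message (no links, no attachments) can still be flagged by combining display-name mismatch, first-time sender, a diverging Reply-To domain, and financial-request language.

```python
"""Added example: baseline-driven detection of text-only executive-impersonation BEC.

Not the article's or any vendor's code. The directory, known-sender history, and
messages below are all constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Constructed baseline (assumption: sourced from the directory/identity provider):
# executive display names mapped to the addresses they legitimately send from.
EXEC_DIRECTORY = {
    "jane doe": {"jane.doe@examplehealth.test"},
}

# Constructed history of addresses that have previously emailed this mailbox.
KNOWN_SENDERS = {"jane.doe@examplehealth.test", "vendor@supplier.test"}

# Phrases typical of the payment-diversion request described in the article.
FINANCIAL_TERMS = re.compile(
    r"\b(aging statements?|accounts? payables?|invoices?|wire|payment|overdue)\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str          # empty string when no Reply-To header is present
    subject: str
    body: str
    has_links: bool = False
    has_attachments: bool = False


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for the example: three or more points triggers review.
        return self.score >= 3


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message) -> Verdict:
    """Score a message against the baseline; higher means more BEC-like."""
    v = Verdict()
    name = msg.display_name.strip().lower()
    sender = msg.from_addr.lower()

    # 1. Display name matches an executive, but the address is not one they use.
    if name in EXEC_DIRECTORY and sender not in EXEC_DIRECTORY[name]:
        v.score += 2
        v.reasons.append("executive display name from an unknown address")

    # 2. The mailbox has never received mail from this address before.
    if sender not in KNOWN_SENDERS:
        v.score += 1
        v.reasons.append("first-time sender")

    # 3. Replies would be routed to a different domain than the visible sender.
    if msg.reply_to and domain(msg.reply_to) != domain(sender):
        v.score += 1
        v.reasons.append("Reply-To domain differs from From domain")

    # 4. Financial-request language in subject or body.
    if FINANCIAL_TERMS.search(msg.subject + " " + msg.body):
        v.score += 1
        v.reasons.append("financial request language")

    # 5. Absence of links/attachments is deliberately NOT treated as a safe signal:
    #    text-only BEC carries no payload, which is exactly why it slips through.
    return v


# Constructed samples (all addresses and names are fictional).
BEC_SAMPLE = Message(
    display_name="Jane Doe",
    from_addr="jane.doe@examplehealth-billing.test",
    reply_to="jd.exec@freemail.test",
    subject="Aging statements needed today",
    body="Please send all current aging statements for clients 30/90 days overdue, "
         "plus the accounts payable contacts for each.",
)
LEGIT_EXEC_SAMPLE = Message(
    display_name="Jane Doe",
    from_addr="jane.doe@examplehealth.test",
    reply_to="",
    subject="Board meeting",
    body="The board meeting has moved to Thursday.",
)
KNOWN_VENDOR_SAMPLE = Message(
    display_name="Supplier Billing",
    from_addr="vendor@supplier.test",
    reply_to="",
    subject="Invoice 1042",
    body="Attached is invoice 1042 for last month.",
    has_attachments=True,
)

if __name__ == "__main__":
    for m in (BEC_SAMPLE, LEGIT_EXEC_SAMPLE, KNOWN_VENDOR_SAMPLE):
        verdict = evaluate(m)
        print(f"{m.subject!r}: score={verdict.score} suspicious={verdict.suspicious} "
              f"reasons={verdict.reasons}")
```

The constructed impersonation message scores on all four signals and is flagged even though it carries no link or attachment, while a genuine executive message and a known vendor's invoice stay below the threshold. A production system would learn the directory and sender history from observed mail rather than hard-coding them, and would tune the weights and threshold against real traffic.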

40% Increase in Insider Security Threat Costs in 4 Years

The average annual cost of insider security threats has grown by 40% in four years to $16.2 million per organization, according to the 2023 DTEX Systems Report on the Cost of Insider Risks.

For the fifth year, DTEX Systems has carried out its insider threat benchmark research to gather information on the financial impact of insider risks. In 2023, the Ponemon Institute surveyed 1,075 IT and IT security specialists from organizations with 500 to 75,000 employees in Africa, North America, the Asia-Pacific region, and the Middle East.

Insider risks are categorized as malicious and non-malicious. Malicious insider risks come from insiders who intend to cause harm and may involve espionage, unauthorized disclosures, IP threats, fraud, workplace violence, and sabotage. Non-malicious insider risks arise from negligent incidents, where harm results from carelessness or inattention such as disregarding warnings, from non-careless errors, and from incidents where an adversary outsmarted a non-malicious insider, for instance through BEC and phishing attacks not previously observed in the wild.

In the past year, the study participants encountered a total of 7,343 insider incidents, compared to 6,803 incidents the year before. 309 organizations encountered at least one insider incident, with organizations experiencing 24 incidents per year on average. The major direct costs of these incidents are containment (an average of $179,209 per incident) and remediation (an average of $125,221 per incident). The average time to contain an insider incident is now 86 days, up from 85 days in 2022, and longer containment times come with correspondingly higher costs. Incidents that take more than 91 days to contain have an average cost of $18.33 million.

Non-malicious insiders are the cause of 75% of incidents: 55% of incidents are due to negligent or mistaken insiders, and 20% are due to employees outsmarted by adversaries. Adversaries outsmart insiders to steal credentials and gain initial access to internal systems and data. These incidents cost an average of $4.2 million annually. 25% of incidents were caused by malicious insiders, and although these incidents are less common, they are the most expensive to deal with, averaging $701,500 per incident.

The rising trends in incident cost, frequency, and time to contain show that present approaches to insider risk are simply not good enough; the numbers indicate no improvement. One of the major issues is the lack of funding allocated to insider risk management, which stems from insufficient understanding of insider risks and of how they manifest in early warning behaviors. DTEX Systems points to the need for a whole-of-industry strategy to educate stakeholders and find common ground for defining and discussing insider risks with businesses and government organizations.

The good news is that organizations are beginning to understand the value of improving insider risk management. 77% of surveyed organizations said they have started or plan to start an insider risk management program, and many are seeking executive buy-in to secure the required funding. Survey respondents identified top-down support as the most important component of an insider risk management program, and a dedicated insider risk management team with members from HR, legal, security, and lines of business was ranked highly by 51% of respondents.

Presently, about 8.2% of IT security budgets go to insider risk management, with 88% of organizations spending under 10% of their IT security budgets on insider threats. 58% of survey respondents acknowledge this is not enough to address a problem that costs $16.2 million per year; nevertheless, organizations recognize that more investment in insider threat management is required, and 46% of organizations expect their insider risk management budgets to increase next year. DTEX Systems is convinced change is underway and that organizations increasingly recognize the need to focus on the human element and concentrate resources where they are needed: to be proactive instead of reactive.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone