All it took was a fake email from the "CFO" to gain access to a hospital's personnel records. Now, one CEO is spreading the word on so-called "spear phishing" and how to prevent it, Joseph Conn reports for Modern Healthcare.
On Feb. 16, an employee at Pennsylvania-based Main Line Health received an email that appeared to be from the hospital's CFO, requesting detailed payroll information. "The employee put together the information for what the employee thought was a legitimate request and forwarded the information back," says Jack Lynch, CEO of the four-hospital system.
The attacker struck again the next day, emailing another employee—this time posing as Lynch. But there was a problem: the email was signed John Lynch. "I go by Jack," Lynch explains. The employee deleted the email but didn't report it to anyone.
Then, the hospital caught a lucky break. The first employee, who had been targeted on the 16th, saw a bulletin from the IRS about so-called spear phishing campaigns that target human resources personnel.
The employee realized what had happened and alerted management. The hospital then contacted the FBI and the IRS, which began investigations into the "voluntary" data breach.
Learning hard lessons
Lynch says it's likely the attackers were looking for information to file fraudulent income tax returns. The hospital has offered employees credit counseling and monitoring services to protect their identities, and no patient information was compromised.
But Lynch says Main Line is also educating its employees about email security, investing more in security infrastructure, and sharing its story to help others avoid falling victim to the same tactics.
"What I'm saying, we need to take it to another level," Lynch explains. For instance, Main Line has made technology improvements that make it clear when an email originated outside of the health system's network. "You've always got to outsmart the technology of bad people," he says (Conn, Modern Healthcare, 3/17).
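The external-origin tagging Lynch describes, as an added illustration rather than Main Line's own tooling: the check below tags inbound mail whose sender address is outside the organization and additionally flags messages where an external sender uses an executive's display name, which is the pattern in both emails described above. The internal domain, the executive names and the two sample messages are assumptions constructed for the example.

```python
# Added example (not from the article): tag inbound mail that originates
# outside the organization and flag messages whose display name matches an
# executive's name while the sending address is external.
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed configuration: the health system's own mail domain and a directory
# of executive names, including the variant the attacker used ("John Lynch").
INTERNAL_DOMAINS = {"mainline.example"}
EXECUTIVE_NAMES = {"jack lynch", "john lynch"}
EXTERNAL_BANNER = "[EXTERNAL]"

def classify_message(raw: str) -> dict:
    """Return origin and impersonation flags plus a banner-tagged subject."""
    msg = message_from_string(raw, policy=default)  # policy decodes RFC 2047 names
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    # The attack in the article: an outside sender using an executive's name.
    impersonation = external and display_name.strip().lower() in EXECUTIVE_NAMES
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(EXTERNAL_BANNER):
        subject = f"{EXTERNAL_BANNER} {subject}"
    return {
        "from_name": display_name,
        "from_address": address,
        "external": external,
        "executive_impersonation": impersonation,
        "subject": subject,
    }

# Constructed sample: a payroll request that appears to come from the CEO
# but is sent from an outside mailbox.
SPOOFED = (
    "From: John Lynch <jlynch@mail-provider.example>\r\n"
    "Subject: Payroll information request\r\n"
    "\r\n"
    "Please send me the full payroll report today.\r\n"
)

# Constructed sample: a genuine message from the internal domain.
GENUINE = (
    "From: Jack Lynch <jlynch@mainline.example>\r\n"
    "Subject: Town hall on Friday\r\n"
    "\r\n"
    "See you there.\r\n"
)

print(classify_message(SPOOFED), classify_message(GENUINE), sep="\n")
```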