What Exactly Is PHI and Why Is It So Valuable?

The modern world is based on digital data. Virtually everything we do can be broken down into a digitized version of its constituent parts. This is no less so in healthcare; in fact, healthcare has embraced this idea, becoming an early adopter of many data-based technologies to improve patient outcomes. Big data sharing, like Google’s Genomics, is driving medical advances. The Human Genome Project, for example, has enabled the development of pharmacogenomics, allowing us to use data to tailor medications. Data sharing in healthcare is fundamental for improving medical care. But medicine is about the individual, and all of these data are ultimately tied to a person. In the healthcare industry, we work with a wide dataset of information. This information covers all aspects of a person and their medical interventions. It includes their individual identity data, such as name, date of birth, address, social security number, telephone numbers and email addresses. It also contains other identifying information such as medical record numbers, health insurance details, medical images, and DNA data. All of this information is wrapped up in the context of Protected Health Information, or PHI.

PHI is a digital representation of a patient and as such has value, not just to that patient but also to anyone who wants to commit identity fraud or sell personally identifiable information (PII). The healthcare industry was recently identified by IBM’s X-Force 2016 Cyber Security Intelligence Index as the “most frequently attacked industry” by cybercriminals, with over 100 million healthcare records breached in a 12-month period. Even without the statistics, we know that the healthcare industry has been a target in the last two years just by watching the news. Breaches like those at Anthem and Premera Blue Cross, which resulted in almost 80 million and 11 million exposed records respectively, bring home the message that healthcare is a prime attraction for cybercrime. Moreover, the cybercrime onslaught against healthcare doesn’t seem to be slowing. If we use the Breach Level Index to view the number of identity theft related breaches in the U.S. healthcare system, for the first 5 months of this year there have already been 119 instances of breached PHI.

The Cost of PHI

According to research by The Ponemon Institute, PHI records have been shown to be the most valuable data set, with prices on the black market of around $398 per U.S.-based record. Set against a mean price of $217 per U.S.-based record, this makes healthcare records a very attractive proposition for a cybercriminal. If you are after data, it is best to go for the most lucrative source.

The costs of a PHI breach are far reaching. From an individual’s perspective, The Ponemon Institute found in its report on the privacy and security of healthcare data that it cost each victim, on average, $13,500 to remedy the breach. As for healthcare providers, HIPAA estimates the average cost of a PHI breach at $200 per victim, which makes breaches of even 1,000 records costly.

Putting a price on the exposure of health records isn’t just about the price of the record on the black market or the cost of mopping up the aftermath of a cyber-attack. It is also a much wider problem, affecting both the individual and the company that has been breached. The cost is not just financial; it is also about trust. Verizon, in its 2015 ‘Protected Health Information Data Breach Report’, found that because of cybersecurity breaches, patients are now becoming more reticent about revealing certain details to healthcare providers.

PHI: The Gift That Keeps On Giving

One of the reasons for the attractiveness of the healthcare industry for cybercriminal activity is the richness and the lifetime of the data within the healthcare record. PHI has detailed and static information on an individual, i.e., data that rarely or never changes. Stolen financial data is only valuable for as long as it takes to cancel the card. Identifying data such as name, date of birth and social security number gives cybercriminals all the information they need to commit secondary attacks. For example, we now know that the fraudulent tax claims made through the IRS last year were likely carried out using stolen identities from the Anthem or Premera breach.

Identity data is only likely to become more valuable, and secondary attacks based on identity will become more prevalent as governments, including the U.S., work on digitizing all of their services; part of this push is to create an online identity. Stolen health records contain much of the data required to generate a citizen identity, but stolen PHI has an even wider scope; it doesn’t end with an individual’s personal information being compromised. All stakeholders in the healthcare industry are impacted by fraudulent medical claims based on compromised PHI. The FBI estimates that healthcare fraud adds around $80 billion in annual costs. PHI is the data equivalent of “light the touch paper and stand back.”

PHI: The Big Phish

So how is our PHI being exposed? One of the most successful methods of stealing data throughout the history of cybercrime has been the use of social engineering within the context of a technique known as phishing. According to The Ponemon Institute, phishing accounts for 88% of incidents within the healthcare industry – the second biggest security issue after lost or stolen devices.

Phishing is a method of tricking a person into revealing personal details, such as login credentials, which are then used to commit data theft and steal PHI. Alternatively, phishing emails can send a user to sites that contain malware, which once installed exfiltrates data or credentials. Either way, the result is stolen and exposed PHI.

How Phishing Works

The Common Form Of Phishing

The most common form of phishing usually enters our world via our private email account as a mass-mailed attempt at fraud. More recent techniques have also used SMS texts in a similar way; this is known as SMiShing. The email (or text message) will typically look very legitimate, often appearing to come from a well-known company, like PayPal. The message will be written in such a way as to entice you; typically, it will have a financial element to it, in the hope that a knee-jerk, emotional reaction gets you to click the link. Once clicked, you’ll be taken to a spoof site, which looks remarkably like the original. You’ll be requested to enter your actual login credentials for the site to gain access and sort out whatever issue the email described. This type of phishing scam has been around for many years and we are now becoming more aware of it. Even so, such scams still have high enough success rates to warrant a cybercriminal’s time.

Spear Phishing of PHI

Spear phishing is like phishing on steroids. The same principles are used, i.e., an attack comes, most often, in the form of an email, but this time the email recipient has been carefully chosen. Spear phishing emails are precisely crafted. They play on our instinct to trust and comply. Using this type of normal human behavior as a weapon against us is the very key to the success of spear phishing. While common phishing is starting to show reduced success rates, spear phishing is becoming more successful. Security firm FireEye looked at the open rates of spear phishing emails and found they were highly successful, with a 70% open rate and a 50% click-through rate. The links may be to sites that look exactly like a network app access point, the type that a healthcare worker would normally use to access PHI, for example. Once those links are clicked and the credentials are entered, the hacker behind the site has them and has access to the real site.

Sophisticated spear phishing attempts can also be multi-faceted. Sometimes the originating contact is via a professional body’s messaging system rather than a direct email. These types of campaigns have several parts to them, building up a relationship with the target until they relinquish their credentials or install malware, which results in the same security compromise.

Phishing in Healthcare

In a survey by Cloudmark and Vanson Bourne, 84% of the respondents said that a spear phishing attack had breached their security defenses. The 2016 RSA security conference also found that most organizations, including healthcare ones, have seen increases in phishing attempts. The best way to see how phishing is affecting healthcare is by looking at some examples.

Anthem Inc.: The Anthem data breach was one of the biggest in cybersecurity history. It exposed the PHI of almost 80 million patients. This included names, addresses, social security numbers, health insurers and more. Spear phishing and malware were used to coordinate the attack, which was targeted at five system administrators. Data was exposed over several months as the malware exfiltrated the PHI through a command and control server back to a hacker base. The breach was organized and sophisticated, with the cybercriminal gang creating spoof sites based on Anthem’s corporate domain so that they appeared very similar, even to the point of having very similar domain names.

St. Agnes Healthcare Inc.: Spear phishing affects healthcare organizations of all sizes and exposes small numbers of PHI records as well as massive ones, as seen at Anthem. St. Agnes Healthcare Inc. was the victim of a phishing campaign which resulted in the PHI of 25,000 patients being exposed.

Main Line Health: A spear phishing attempt against Main Line Health is an example showing it isn’t just patient PHI that is at risk. This time, it was the personal information of Main Line Health workers that was divulged. A spear phishing email, purporting to be from an executive of the organization and sent to someone in HR with a simple request for the personal details of Main Line Health employees, resulted in 11,000 employees having their data compromised.

Playing Phishing at Its Own Game: Phishing Simulations

What Is a Phishing Simulation?

The theft of PHI through phishing attacks can be prevented through security awareness training. If the recipient of the phishing email can spot some of the telltale signs of a phishing attempt, they will stop the attack dead in its tracks. This is where phishing simulations for training and employee awareness come in. Phishing simulations allow you to create and manage a controlled environment in which fake phishing emails are sent out across an organization. You can configure a phishing campaign and the respective phishing templates based on known phishing techniques; this toolset becomes the basis of your teaching exercise. The simulation will have built-in guides and metrics to train users and make them aware of their actions. For example, InfoSec Institute’s SecurityIQ phishing simulator is fully automated and engages users in campaigns, training them as they go. It gives users feedback in the form of interactive security training, building up their knowledge and awareness. These sorts of eLearning systems are highly effective, with 14% better skills-based uptake and 9% increased retention over traditional teaching methods.

How to Set Up a Phishing Simulation: The easiest way to set up a phishing simulation is to use a dedicated system. Ease of use is one of the key factors, especially around the configuration of the process, so a cloud-based system will give you more flexibility in this area. Phishing simulators offer the setup and configuration of a simulated phishing campaign, the training of users as they go through the process, and metrics at the end. This feedback and iteration of pathways lets you adjust future campaigns, focusing in on areas of weakness and improving overall security awareness.

The configuration of the campaign: This involves simulating the various types of phishing technique and handling the peripheral requirements of the exercise, such as kicking off the process by sending out notifications to users to begin training. Phishing simulations require phishing email templates to be created. They also need customized landing pages for users who click on the phishing links. These pages double up as training advisories, teaching the user what would happen to them at this point in a real-world phishing campaign. This type of feedback loop starts the process of awareness, building up an individual’s security knowledge.

Tips to Make Sure Your Simulation is Optimized

  • One issue with simulated phishing campaigns is removing user bias. If you know you’re involved in a phishing campaign, you naturally become hyper-aware and your behavior does not represent your normal modus operandi. A successful phishing simulator will be hard to spot in action until the time comes to train the user. This is best achieved by creating realistic templates that are as good as those the phishers themselves create. There is an art to creating an effective phishing template. An earlier Infosec Institute blog post on “How to write phishing templates that work” goes into more detail about this; the key to effectiveness is credibility.
  • Know your employees and create a baseline. If you already have a general idea of the level of security awareness in your organization, you’ll be able to configure your simulation more precisely and get more out of it.
  • Related to this is mimicking a real-world and ongoing phishing campaign. Much data is available from the security community, including Infosec Institute, about current phishing threats. Setting up your phishing simulator to tie into a current attack profile will improve recognition of an incoming attack.
  • The importance of repetition. Don’t train as a one-off exercise. People forget and fall into old habits quickly. Repeat training and awareness programs regularly. Carrying out simulated phishing campaigns over extended periods of time gives the best results. Repetition creates sticky knowledge and is a well-known technique for retaining memory: repeating an action moves memories from temporary to more permanent storage in the brain. Using repetition across our phishing campaigns also gives us a method of generating data to check whether our techniques are working.
  • Use metrics on completed exercises and feed them back into preparing upgraded simulations.
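The baseline, repetition and metrics tips above only pay off if campaign results are actually compared over time. The following is an added example, not code from the original post or from SecurityIQ: it parses a constructed export of per-recipient simulation events (field names, the "reported" event type and the line format are all assumptions of this example), computes open, click, credential-submission and report rates per campaign or per department, and reports the percentage-point change between two campaign runs.

```python
from collections import defaultdict

# Constructed sample of simulator output, one line per recipient per campaign:
# "campaign,user,department,<space-separated events>". "reported" means the
# user flagged the mail to security (an assumed event type for this example).
SAMPLE_LOG = """\
c1,alice,clinical,delivered opened clicked submitted
c1,bob,clinical,delivered opened clicked
c1,carol,hr,delivered opened reported
c1,dave,hr,delivered
c2,alice,clinical,delivered opened reported
c2,bob,clinical,delivered opened clicked
c2,carol,hr,delivered reported
c2,dave,hr,delivered opened
"""

EVENTS = ("delivered", "opened", "clicked", "submitted", "reported")


def parse_log(text):
    """Return (campaign, user, department, event) rows, dropping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        campaign, user, dept, events = parts
        rows.extend((campaign, user, dept, e) for e in events.split() if e in EVENTS)
    return rows


def campaign_rates(rows, by_department=False):
    """Rates per campaign (or per campaign+department); each user counts once per event."""
    users = defaultdict(lambda: defaultdict(set))
    for campaign, user, dept, event in rows:
        key = (campaign, dept) if by_department else campaign
        users[key][event].add(user)
    rates = {}
    for key, per_event in users.items():
        delivered = len(per_event["delivered"])
        rates[key] = {"delivered": delivered}
        for event in EVENTS[1:]:
            rates[key][event] = len(per_event[event]) / delivered if delivered else 0.0
    return rates


def change(rates, earlier, later, metric="clicked"):
    """Percentage-point change in a rate between two campaigns: a negative click
    change and a positive report change both mean the training is working."""
    return round(100 * (rates[later][metric] - rates[earlier][metric]), 1)
```

Grouping by department shows where the baseline is weakest (here the constructed clinical staff clicked far more often than HR in the first run), which is where the next campaign's templates and follow-up training should focus.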

Protecting PHI Using Phishing Simulators

Ultimately, the goal of using a phishing simulator is to ensure that PHI is not compromised. At the time of writing, the healthcare industry is in the sights of cybercriminals and healthcare records are at a premium on the black market. Phishing is the way into those PHI records, and the healthcare industry, as a whole, has to up its game in protecting them. The key to phishing’s success is in lulling us into a false sense of security, by building up trust and turning that normal human behavior to the cybercriminal’s advantage. To decrease the success rate of phishing, we have to break that pattern by changing that behavior. Phishing simulations do just that: they change the expected level of trust when an email comes in and train the user to question its legitimacy, to the point where it becomes second nature to ‘double check’ the validity of a statement. Only through training and awareness can we hope to stem the tide of PHI exposure and take back control of our healthcare data.

Learn more about Infosec Institute’s security awareness training with SecurityIQ and how it can protect your Protected Health Information (PHI).