Hackers have been walloping the healthcare industry and hit their stride in 2016. Whether via ransomware, plain old malware, general phishing or targeted spear-phishing attacks, the onslaught has continued into 2017 and, by many accounts, will only get worse before things settle down.

Healthcare executives, IT and information security professionals are ardently striving to bolster their security posture — but what happens when it’s nearly impossible to differentiate between a legitimate email and a phishing scheme?

Here’s the rub: The same sort of services legally available to hospital IT shops can also be found on the dark web, where would-be cybercriminals and other hackers can use them to gain access into a healthcare entity's network to track down protected health information, personally identifiable information and other sensitive, if not potentially lucrative, information.

The white hats

The legitimate version of phishing-as-a-service is a customized offensive measure meant to preemptively find issues within an organization’s network and patch holes before criminals can gain access.

“Phishing-as-a-service aims to teach all users in your organization to take a critical look through the peep-hole before opening it,” according to Troy Gill, Manager of Security Research for AppRiver.

A successful campaign includes key members from various departments — including IT and human resources. HR involvement will ensure emails are written in an acceptable and professional manner.

[Also: FBI agent: Respect infosec fundamentals ... or else]

Working together, the vendor will create multiple levels of phishing templates. The campaigns begin with the most obvious, such as emails from a Nigerian prince, those with noticeable misspellings or a link not on the network. From there, the campaigns increase in difficulty to spot.

The vendor provides a tool to craft these phishing test messages, Gill said. The tracking feature not only tells the administrator who opens the email, but also who complied with the email by clicking the link or entering information.

“For the most part, everyone passes the initial phishing emails,” said John Nye, Senior Penetration Tester for CynergisTek. “Those who fall for it will be brought in for additional training.”

Learn more at the Privacy & Security Forum in San Francisco, May 11-12, 2017. Register here.

As phishes become more elaborate, it moves to spear phishing: highly tailored emails with personalized information and appearing to lead to domains similar to the organization’s. In general, spear phishing targets employees with high levels of access as a way to slip into the network, Nye explained.

Analytics are a crucial aspect to phishing campaigns, which are provided to leadership to dictate controls for future campaigns, said Nye. And Gill said the benchmarking tool can track the progress of how well the organization fairs when recognizing these messages over time.

It’s important to note phishing-as-a-service isn’t meant to be the only means to fully secure a network, explained Gill.

“A common security misnomer that I see all the time is the idea that a good security solution in one area justifies a trade off or being more lax in another,” said Gill. “Email phishing and web threats are not going anywhere any time soon, which is why it’s important to take a comprehensive layered security approach — one that doesn’t ignore your users.”

With many breaches the entry point for a hacker was a cleverly-crafted email or social engineering attack. An email filter with robust security is important, but organizations must also “harden users against these attacks,” said Gill.

“Teaching employees how to identify something suspicious in an email and having them practice this regularly is highly beneficial in today’s world,” he continued. And for the most part employees are on board, although there are always a few who may get upset, Nye added. Employees appreciate that they come out of the campaign with a much better understanding of phishing emails, as opposed to training with a mere PowerPoint slideshow.

It’s also important organizations don’t punish those who fall for the scam, Nye explained. The focus should be on education like things to look for and avoid.

“Phishing-as-a-service is substantially more effective,” said Nye. “It gives people a necessary level of paranoia.”

Indeed, healthcare organizations need to be prepared, if not downright paranoid.

“All the bad guys have to do is ‘knock’ and someone will open the front door for them,” Gill said.

What happens in shadows

The dark web offers a seedy place wherein cybercriminals can pay to gain access to a healthcare provider’s network.

“These services work almost identically to legitimate phishing-as-service,” CynergisTek’s Nye said.

Hacking groups, in fact, boast customer service and metrics to work directly with the dark web client to find the right target.

“It’s the same concept,” he continued. “The customer is the same: The only difference is in the intent.”

A malicious hacker begins the process by gathering email addresses available in the public domain from popular websites like Amazon, Facebook and LinkedIn, ICIT Senior Fellow James Scott explained. The list is curated using a tool called an email harvester, which is easy to obtain and use. The lists are used for phishing campaigns or sold on the dark web.

The massive email lists are put into an analytics platform and analyzed to create surgically-precise targeted campaigns for people based on characteristics like employment, interests or sub groups, among others.

The goal? To infiltrate an organization.

“The objective is to get victims to click, which will give the hackers access to move laterally across the network to gain better credentials — such as those of an administrator,” Scott added. “Once inside, the hacker uses persistent ransomware or other types of malware on vulnerable devices. From there, they log in and exfiltrate data. A lot of times ransomware or Distributed Denial of Service attacks are used just for traction.”

And to make matters worse these services are incredibly common — and they almost always work.

“It’s succeeding because of the volume of people doing it,” Scott explained. “It takes just one guy to send out a million emails in a hour.”

The dark web offers more than just phishing-as-a-service. Hackers (amateur and pro) can also purchase malware-as-service and DDoS-as-service, among others. And with unsophisticated ransomware variants like Philadelphia developing targeted campaigns against the healthcare industry, it would seem hackers are more than just dabbling in increasingly targeted attacks.

Steps hospitals can take today

ICIT’s Scott said phishing attacks are generally easy to detect, but there’s a problem: Most healthcare organizations don’t have the right cybersecurity tools in place.

“Cybercriminals are able to hyper-target people with the highest privileges,” Scott said. “They use social media sites to gather history about the target to generate very specific emails that compel the user to do as instructed. From events attended to alumni records, these emails are incredibly sophisticated.”

An effective anti-phishing arsenal includes layered protection, user analytics and machine learning to detect abnormalities. Organizations should also update spam filtering when new threats become known, improve firewalls and other items along those lines to incorporate phishing causes.

“With so many breaches, we find that the entry point for the attacker was a cleverly crafted email or social engineering attack,” Gill added. “That’s why it is important to not only utilize an email filter with robust security, but also to harden your users against these attacks.”

Nye said that training is crucial because employees should know what they’re up against—and that means emulating tactics that criminals use.

“Like most things with security, you need to look at the whole picture,” Nye explained. “Protection or a fix never comes from a single source. It’s a piece of the puzzle.”

Twitter: @JessieFDavis

Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn