Cyber Security Series: Business Email Compromise
EHRs are revolutionizing patient care by greatly increasing the ease with which physicians can deliver care to their patients. A major concern for any healthcare organization that uses an EHR, however, is making sure that the sensitive patient data stored in it is secure. These facilities need to be aware of both external and internal threats, and of how to prepare for them.
When it comes to the top healthcare cyber security vulnerabilities, Business Email Compromise is widely considered the number one attack vector that malicious actors use to gain initial access to a network environment. In the first part of our EHR Cybersecurity Series, we go over what Business Email Compromise is, the different ways malicious actors use it to reach sensitive data, and the methods used to mitigate it.
1) What is Business Email Compromise?
Business Email Compromise (BEC) is a sophisticated scam that targets businesses by compromising their email accounts through social engineering or computer intrusion techniques, typically in order to conduct unauthorized transfers of funds or to obtain sensitive data. BEC targets anyone, from small businesses to large corporations, and can be carried out in a variety of ways, such as phishing/spearphishing, password guessing, and password resetting.
2) Types of BEC
The most common form of BEC involves phishing or spearphishing attacks. Phishing is broad: the malicious actors send the same lure widely and simply see who falls for it. Spearphishing, on the other hand, is much more targeted. Actors will take the time to research you, using sources such as your social media or your kids’ social media, and build a dossier on who you are as an individual. They can then use this information to craft the one email most likely to reel you in, “hook, line, and sinker.”
Say, for example, someone within your organization attends various healthcare conferences, and a very large conference happens to be coming up. The actors could send that individual an email inviting them to an after-hours event, attach a PDF, and embed content in the PDF (malicious JavaScript, a link to a credential-harvesting page, or an exploit for the PDF reader) that could compromise that employee’s machine and, from there, the network.
Additionally, it is absolutely paramount to have a strong password policy, as malicious actors are known to use password guessing and password-reset abuse to get into your network. Often an organization will set up a policy and email employees telling them to change their password from the stock-generated one to something unique. This is good in theory, and can be very successful in helping to prevent BEC, if your employees actually do change their passwords. If they don’t, the stock password is the first thing an attacker will try, and guessing it is not difficult. The policy only works when the system enforces it: expire the issued password on first login and reject it, along with other well-known passwords, whenever a new one is set.
3) Potential Danger of BEC
One of the main problems with BEC isn’t the initial access a malicious actor gains to your network; it’s what they do after they have that access. Say someone has compromised an account and begins sending emails to other employees. If they control the Company President’s mailbox, they can send emails asking for information such as Social Security numbers or patient records, and because the messages genuinely come from the President’s account, nothing in the headers marks them as forged. Many people won’t think to question an email from their boss, and will provide the information without a second thought as to why they are being asked for it. This can obviously lead to huge negative ramifications.
4) BEC Prevention Methods
Fortunately, there are several ways to cut down on instances of BEC. The most basic, and probably most effective, is a strong password policy. One method we encourage organizations to adopt is passphrases: instead of a traditional short password, use a phrase of several words. A single well-known title (your favorite movie, say) is already in the wordlists attackers use, so pick several unrelated words, or a phrase only you would write. Allowing spaces in passwords has also proven useful: many password-guessing tools and wordlists do not include the space character, and a policy that permits or requires spaces (alongside the usual special characters, capital letters, etc.) pushes users toward longer passwords, and length is what most increases the cost of guessing.
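As an added example (not code from the original post), here is a small policy check that enforces the passphrase rules described above and in section 2: it rejects the stock password and other well-known ones, requires several space-separated words, and estimates how much a passphrase of a given word count widens the attacker's search. The minimum length, word count, deny-list entries and the Diceware-style dictionary size are assumptions for illustration.

```python
"""Password-policy check enforcing the passphrase rules described above.

Added example, not code from the original post. Thresholds, the deny
list and the dictionary size are illustrative assumptions.
"""
import math
import re

MIN_LENGTH = 15   # assumption: favour long passphrases over short complex strings
MIN_WORDS = 3     # assumption: a passphrase must be several words, not one title

# Constructed deny list: the stock password issued to new accounts plus a few
# entries of the kind every cracking wordlist contains (single titles included).
DENY_LIST = {
    "welcome1", "password", "password1", "changeme", "summer2024",
    "the godfather", "star wars",
}


def normalise(pw: str) -> str:
    """Lower-case and collapse runs of whitespace, so 'Star  Wars' still hits 'star wars'."""
    return re.sub(r"\s+", " ", pw.strip().lower())


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    norm = normalise(pw)
    words = [w for w in norm.split(" ") if w]
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in DENY_LIST:
        problems.append("matches the issued/default or a well-known password")
    if username and username.lower() in norm:
        problems.append("contains the username")
    if len(words) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} space-separated words")
    return problems


def guess_space_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from num_words random picks out of a dictionary_size-word list."""
    return num_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for candidate in ("Welcome1", "The Godfather", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, 'jsmith') or 'OK'}")
    # Three random words from a 7776-word (Diceware-style) list vs. one word from the same list
    print(f"1 word: {guess_space_bits(1, 7776):.1f} bits, 3 words: {guess_space_bits(3, 7776):.1f} bits")
```

The check is deliberately applied at the moment a password is set, not in an email asking users to change it; an issued password that is still in the deny list will be refused no matter how the user was told about the policy.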
A more advanced method of stopping BEC is Two-Factor Authentication, or 2FA. 2FA is an extra layer of security that requires not only a username and password but a second factor of a different kind that only the true user has: something you possess (an authenticator app on your phone, a hardware security key, or an ID card) or something you are (a fingerprint). Note that a PIN is another thing you know, so a password plus a PIN is not a second factor in this sense. Many email providers, like Yahoo! and Gmail, offer 2FA; it simply needs to be turned on. There are also authenticator apps you can download, and if you are worried that your information or network may have been compromised, they are worth looking into. There are ways to defeat it (a one-time code typed into a phishing page can be relayed to the real site within seconds, so code-based 2FA still depends on users not entering codes on the wrong site, whereas hardware security keys tie the login to the genuine site’s address and resist that), but 2FA is a very good, advanced security method for combating BEC.
Organizations must be aware of what BEC is, as well as the threats it poses, if they want to make sure their information remains safe. Being aware that BEC is a prevalent threat, and using mitigation techniques like a strong password policy and 2FA, can go a long way toward making sure that malicious actors don’t gain access to your network and information.
Make sure to subscribe to our blog so you can be informed when the next part of our EHR Cybersecurity Series is released.