Healthcare is one of the most highly targeted industries for cyberattacks, according to SonicWall's 2022 Cyber Threat Report.
The majority of ransomware attacks begin with email as the entry point. During an April webinar hosted by Becker's Hospital Review and sponsored by HIPAA-compliant email service Paubox, two cybersecurity experts from Paubox — CEO Hoala Greevy and customer success manager Alayna Parker — discussed why the security model "zero-trust email" is a critical component in healthcare cybersecurity strategies.
Four key takeaways:
- Cyberattacks are becoming more frequent, more targeted and more sophisticated. Bad actors know that for privacy reasons, intelligence agencies like the CIA are prohibited from conducting surveillance inside the United States. As a result, many phishing campaigns use American tech companies to send malicious emails. By assembling attacks from inside American borders, hackers can blindside the U.S. government. "Most industry-standard security checks look for attacks originating from suspicious countries like China and Russia," Ms. Parker explained. "If hackers use American tech companies, those emails will look legitimate to security tools and platforms."
- Healthcare organizations need stronger IT security measures to protect data and their bottom line. In addition to increased cyberattacks, the growth of remote and hybrid work due to the pandemic has introduced new security risks. Cloud-based applications like telemedicine and EHR systems also represent new vulnerabilities for cyberattacks. "Criminals know the steep price that organizations pay if there's a data breach, so they are banking on health systems paying their ransom," Ms. Parker said. In addition to fines and ransoms, repairing an organization's reputation is also costly, she added, citing a report from the American Journal of Managed Care that found that in the two years following a data breach, hospitals spent 64 percent more annually on advertising.
- Zero-trust security is effective but requires a mindset shift. According to Mr. Greevy, "A core tenet of zero trust is that everyone is considered a threat until proven otherwise through various methods of verification. This often requires a mindset shift within IT."
The first step is identifying the users and applications that have access to sensitive data. This information is used to identify vulnerability points and prioritize what to tackle first. The next step is implementing zero-trust security measures for each access point. It's a good idea to establish user roles and to grant the least amount of access necessary for each user. Organizations then must continually monitor their defenses.
- Zero-trust email solutions combat phishing attacks and ransomware. Paubox's email service scrutinizes each email that comes in. "Depending on the content and context, zero-trust email requires an additional piece of evidence from the sender before delivering the message to the recipient. That piece of evidence is unique for each customer, and it changes based on time and usage. This makes the system very difficult to spoof," Mr. Greevy said.
If Paubox's automated algorithm doesn't rank the sender as reputable, the system quarantines the message. That eliminates the risk of end users clicking on bad links. While Paubox is highly secure, it removes the extra steps usually associated with HIPAA-compliant email and allows recipients to read messages in their regular inbox.
"With email, attackers only have to find one weak link to access very sensitive data. As you build zero-trust methodologies into your security framework, be sure to safeguard this vulnerability point with a zero-trust email model," Mr. Greevy said.
For more information about Paubox, visit paubox.com.
To register for upcoming webinars, click here.