Illinois Clinic Says Nearly 503,000 Affected in Email Breach
Incident Involved a Single User’s Compromised Email Account
… “In some cases, hackers are trying to have an employee’s direct deposit for payroll to be re-directed to an offshore bank,” says Tom Walsh, president of privacy and security consulting firm tw-Security. “For example, if an email account gets compromised, the hacker can send an email from that account – requesting a bank change for their payroll deposit,” he says.
Hackers are also taking advantage of users’ tendencies to re-use passwords, he notes. “If the email account is hacked, chances are the same password that is used for their email account is also being used for the employee portal. In that case, the hacker can log in directly to the employee portal and change the bank information for payroll deposit themselves,” he says. For most portals, the user ID is the individual’s email address, he says.
Once an email account has been compromised, a malicious actor often has access to a treasure trove of sensitive patient information, Walsh notes. While there is often a large volume of emails in compromised email accounts and attachments, “using a keyword search can often quickly reveal the important business emails from general communications,” he says.
In the case of the Christie Clinic breach, one compromised email account potentially affected the protected health information of more than a half-million individuals. That’s a reminder for other entities of how the volume of sensitive information contained in a single email account can grow quickly if not managed properly, Walsh says.
“The user may want to keep the email as proof of a communication, but do they also need to keep an attachment within the email system? For example, Microsoft allows email users to retain an email while removing the attachment … once the attachment is downloaded and stored in a secure location.”
Enhancing Email Security
In the Christie Clinic incident, Walsh suspects that there were likely some large files – including perhaps spreadsheets – routinely capturing patient data and being sent via email.
“There are more secure ways of electronically transferring large amounts of data rather than using emails. Once the emails were sent and successfully received, these emails should have been deleted or the attachments removed from the emails, if the organization wanted to retain the email itself,” he says.
Additionally, outbound email needs to be monitored for “data leakage,” he says.
To protect data in transit, many healthcare organizations automatically encrypt outbound emails if a message or an attachment contains confidential information, he says.
However, the sent email will usually be retained in an unencrypted email system – readily accessible to the user of the email account once they are authenticated, he adds.
“Most organizations do not have an email retention policy or schedule. Some people like to keep everything, which is not good for several reasons,” he says.
For instance, the more email that is retained, the greater the impact becomes if an email account is compromised. Also, eDiscovery rules require organizations to produce all emails, going as far back as the organization retains the email, based on the organization’s internal policies/schedule, he says.
“Purging old emails reduces the liability and the costs associated with having to examine every email in a user’s account. I suggest purging old emails after two to three years – set a policy and then be consistent in its enforcement.”
Too often, organizations don’t realize the limitations of their email audit logging, Walsh says. “For example, the granularity of the audit logs may not be able to distinguish if/when an email was only viewed or not viewed/opened.”
To avoid email breaches like the one experienced by Christie Clinic, Walsh suggests covered entities and business associates implement several critical security controls and best practices. These include implementing multifactor authentication for access to email; reminding staff not to reuse or recycle passwords and requiring that passwords be unique; and using secure password managers where needed.
“Identify which users in the organization may be more likely to be dealing with large volumes of patient data being sent/received via email. Determine if there are more secure ways of transmitting the data instead of using email as the delivery method,” he says.
Walsh also suggests that entities examine the audit capability of the user access/audit logs within their email system and update their email version/licensing to obtain more robust security controls and features.