Look for Complex, Believable Spear Phishing Attacks, More Dangerous Ransomware in 2019

By Jane Anderson

Phishing attacks will continue to become more sophisticated as 2019 gets underway. That means health care IT professionals will need to ramp up their game with increased training and augmented incident response plans, health cyber experts say.

Attacks using the internet of things (IoT) and malware embedded in devices also are expected to increase, experts tell RPP, so covered entities (CEs) and business associates (BAs) should anticipate those threats as well. Roger Shindell, president and CEO of Carosh Compliance Solutions, believes that cyberattacks, including phishing and ransomware, will be more advanced than they were even a year ago, and will involve more complex technology, including some sponsored by foreign states.

“The health care industry will continue to be the top target of cyberattacks,” adds Michelle O’Neill, director of corporate compliance, Summit Health Management in New Jersey. “The cyberthreat environment is becoming more and more dangerous. Although many of the threats may be consistent [with] what we have seen in 2018, the major difference is that these attacks will be sophisticated.”

Rebecca Herold, president of SIMBUS360.com and CEO of The Privacy Professor, says she sees targeted ransomware attacks as a top cyberthreat in 2019. “Ransomware has been making the crooks…millions of dollars year after year,” she says. “The majority of health care organizations are paying the ransoms, so of course the crooks see this as a cash cow revenue path. They will increase their efforts, expand their methods and increase their ransom demands in 2019.”

At least three of the top six protected health information (PHI) breaches reported in 2018 involved either phishing or ransomware:

  • UnityPoint Health in Des Moines, Iowa, began notifying 1.4 million patients in July that a phishing attack had compromised its business email system and may have resulted in unauthorized access to PHI. The phishing emails appeared to come from a trusted executive within the company, UnityPoint Health said in its statement.

  • In a breach that involved more than 502,400 people, Health Management Concepts (also known as HMC Healthworks), based in Jupiter, Florida, paid the ransom to release its data following a ransomware attack in July but, in the process, accidentally provided the attackers with a file containing PHI.

  • Augusta University Health in Georgia reported breaches involving about 417,000 people that resulted from phishing attacks. Those breaches occurred in September 2017, but the university said it didn’t learn that data had been breached until July 2018.

The top attack vector involving health care will continue to be phishing, just as it was in 2018, O’Neill says. However, phishing attacks will be more targeted this year, she says, and mobile phishing is on the rise due to the increasing amount of data that is collected from sites and apps visited on mobile devices. “This leaves individuals open to a very pointed and targeted phishing attack,” she says.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings