By the EHRA Privacy & Security Workgroup
Just as healthcare clinical staff recognize the value of good physical hygiene to prevent infection, good cyber hygiene can prevent malware infections.
The number one preventative step? Staff vigilance. Everyone must be careful with clicks — whether it be an email, website link, or file attachment. Even as we’re inundated with information in today’s fast-paced digital world, taking the time to think before you click is just as important in preventing digital infections as washing hands between patients is in preventing bacterial infection.
Today’s sophisticated hackers use a variety of tactics to turn targets into victims, including deceptive emails (“phishing”), spoofing legitimate websites, and embedding malware in apps and other downloads. The more aware we are of their tactics, the more effectively we can protect ourselves and our organizations.
Email Deception
Certain key elements of an email play a role in the deception tactics used. When you receive an email you’ll note that it lists a name (“display name”), the email domain (for example, gmail.com and meditech.com are email domains), and the mailbox on that domain.
You may see it this way in an email:
From: John Doe <jdoe@example.com>
Here “John Doe” is the display name, “jdoe” is the mailbox, and “example.com” is the email domain.
In order to understand the tactics used, it is important to note that for many email domains today there is nothing in place that prevents someone from changing “display name,” mailbox, and email domain. In other words, it is often possible to change an email so that it appears to come from “John Doe” when in fact it is from someone else entirely.
There are 4 basic tactics used by hackers.
- Display name deception
The display name for the sender may be forged. While the email may say it is from “John Doe,” that does not mean it actually is from him. When you examine more details in the email, you may find that it is actually from “pat123@yahoo.com” but the criminal changed the display name to be the name of someone you know.
- Spoofing
Taking it a step further, when an email domain is not protected, criminals can send emails that appear to come from that email domain. If the meditech.com domain were not protected (don’t worry — it actually is), anyone could send an email from mailboxes on the meditech.com domain. In other words, they would be able to send an email that not only has “John Doe” as the display name, but also states that it came from “jdoe@example.com” (mailbox@domain). This is called “spoofing” — a term that basically means “to masquerade.”
- Look-alike domains
If the domain cannot be spoofed because it is protected, attackers may instead use a similar or look-alike domain, e.g. “exampl.com” instead of “example.com”, or “examp1e.com” where the lowercase “L” is replaced by the number 1. This tactic is also used in website addresses. When we’re busy we might not notice that the domain name is not quite right.
- Compromised email
The most dangerous and effective kind of phishing — which is increasingly being used today — is to send emails from a compromised account. If a hacker takes over someone’s email account — perhaps they tricked them into giving up their password via a phishing email — they can send emails from this account and will be able to trick others more easily. When you receive an email from someone you know, you are much more likely to trust it and let your guard down. The hackers may even reply to existing email threads, or read through the emails so that they can write an email that would appear logical and unsuspicious.
Phishing Emails are Getting Better
You may think it won’t happen to you, but it’s no longer true that phishing emails are always easy to spot. Attackers may choose graphics from known companies and create emails that look just like the real thing. The only difference might be that the link where it says “click here” will actually direct you to a malicious website — either a totally different site or a look-alike domain. Depending on the hacker’s goal, this website may be a duplicate of a legitimate website. If it were a duplicate of your bank’s website, for example, you might enter your username and password on this fake website before you realize that anything is off, and now the attacker will have access to your bank account.
Downloads, Free Games
It’s important to be very careful about what you download from the internet. While there are reputable sources for software, there are also numerous dubious sources of free games and “useful software” which have malicious intent or simply grab private information.
What About Links?
When there is a link on a website or in an email, be sure to scrutinize it before clicking. If you are on a desktop computer, hover the mouse over the link, which will show where the link actually goes. For example, while the link may say “www.healthit.gov” in the text, hovering over it with your mouse will show that it actually is linked to “www.maliciouswebsite.ru.”
On an iOS device (iPhone or iPad) you cannot hover, but if you press and hold your finger on the link, a small window pops up showing where the link actually goes. Sometimes these links are very long and it’s difficult to determine whether they are legitimate. When in doubt it’s always best to go directly to a bank’s or other website by typing it into the browser (or better yet, have it bookmarked) rather than clicking on the link.
Typo Squatting
Another common strategy is called “typo squatting.” Criminals will create websites which look like a reputable website but whose address is slightly different. They may choose a domain like “facebok.com” or “faceboook.com” with the hope that someone will make a mistake when typing it into the address bar.
Look-alike domains come into play again here. A website may have a name like “examp1e.com” instead of “example.com” and emails or other websites will direct people to this domain. Because it looks so close to the real name, most people won’t notice the difference.
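The checks described above (display-name deception, look-alike sender domains, link text that names one host while the link goes to another, and typo-squatted domains one keystroke away from a real one) written out as a small Python checker. This is an added example, not code from the EHRA article; the trusted-domain list, the known contact and the homoglyph table are constructed assumptions that a real deployment would load from the organization’s own directory.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data: trusted domains and one known contact's real address.
TRUSTED_DOMAINS = {"example.com", "meditech.com", "healthit.gov"}
KNOWN_CONTACTS = {"John Doe": "jdoe@example.com"}
# Characters attackers swap in for look-alikes ("examp1e.com" for "example.com").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit covers typo-squats like facebok.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """'trusted', 'look-alike' (homoglyph or one typo away) or 'unknown'."""
    d = domain.lower().removeprefix("www.")
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for t in TRUSTED_DOMAINS:
        if d.translate(HOMOGLYPHS) == t or edit_distance(d, t) <= 1:
            return "look-alike"
    return "unknown"

def check_from_header(header: str) -> list[str]:
    """Flag display-name deception and look-alike sender domains in a From: line."""
    display, address = parseaddr(header)
    domain = address.rpartition("@")[2]
    findings = []
    expected = KNOWN_CONTACTS.get(display)
    if expected and address.lower() != expected:
        findings.append(f"display name {display!r} but address is {address}")
    if classify_domain(domain) == "look-alike":
        findings.append(f"look-alike sender domain {domain}")
    return findings

def check_link(text: str, href: str) -> list[str]:
    """Flag links whose visible text names one host but which go elsewhere."""
    shown = text.strip().lower().split("://")[-1].split("/")[0]
    target = (urlparse(href).hostname or "").lower()
    findings = []
    if "." in shown and shown != target:
        findings.append(f"text shows {shown} but link goes to {target}")
    if classify_domain(target) == "look-alike":
        findings.append(f"look-alike link domain {target}")
    return findings
```

Run over the article’s own samples, `check_from_header("John Doe <pat123@yahoo.com>")` reports the forged display name, `classify_domain("examp1e.com")` and `classify_domain("exampl.com")` both return look-alike, and a link whose text reads www.healthit.gov but points at www.maliciouswebsite.ru is flagged as mismatched.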
Best Practices to Reduce Your Risk of Cyber-Infections
- When in doubt, contact people or organizations via phone, text message, or another means other than email.
- Navigate straight to the website of a company rather than clicking on a link. Bookmark sites you visit regularly, to avoid typos.
- Take a few seconds to carefully determine whether or not a website or software is reputable before using it.
- Remember that email can be spoofed so that it appears to come from a trusted source. A hacker may even have taken over the email account of a trusted friend or associate.