
THE CLOUD SERVICES COMPANY TM

EMAIL VULNERABILITY
IN HEALTHCARE

Exposing the common vulnerabilities that drive ransomware and make off-site disaster recovery essential

www.evolveip.net info@evolveip.net 610-964-8000



Executive Summary

While it should come as no surprise, security and growing regulatory burdens are the top concerns for healthcare CIOs. Ransomware, denial of service, and data theft attacks are in the headlines every day. The estimated annual cost of ransomware payments in 2016 was over one billion dollars. In fact, the number of ransomware attacks in 2016 was up by more than 4 times. PHI security, data breaches and data theft remain critical issues.

Cybercriminals have learned to follow the path of least resistance. Rather than trying to penetrate network security fortifications, they seek access to systems through the compromise of valid user accounts. Stealing credentials and using them to access a network is easier, less risky, and ultimately more productive than exploiting a perimeter vulnerability.

The most common starting point is e-mail attacks, such as phishing. According to Verizon's 2016 Data Breach Investigations Report:

- 30% of phishing messages were opened by the target across all campaigns
- About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.

Given these numbers, it's no surprise that emails are the number one contributor to data breaches. In fact, 63% of breaches in the US are the result of a compromised email credential.

While no industry is safe, the threat to the healthcare industry is equally astonishing and growing.

Based on findings in the Ponemon Institute's 2016 Study on Privacy and Security in Healthcare, 90% of healthcare organizations have had a data breach in the past two years. The study estimates that the resulting cost of these breaches to the U.S. Healthcare industry alone is $6.2 billion.

You CAN see in the dark

Historically, organizations have been unable to see the swirling pool of potential email attacks and to detect specific vulnerabilities until it's too late. Only after a breach do they find malicious code on a laptop or identify the need for user training. But the battle for corporate email information is taking place in plain sight every day for those that navigate the Dark Web. This is the playground where stolen email credentials, typically including users' corporate email address and passwords, are being openly shared and sold among the multitude of customers in the hacking community.

That's why Evolve IP and ID Agent collaborated on a healthcare industry-specific study of Dark Web email vulnerabilities. We reviewed over 1,000 healthcare related organizations to determine how prevalent these exploits are and how these vulnerabilities evolve.

This paper explains the pervasive nature of email compromises and sheds light on the quantity, variety, sources, and consistent growth of these threats.

The study results are eye opening. Overall, 68% of all analyzed covered entities and their business associates have employees with visibly compromised accounts, 76% of which include actionable password information.

The bottom line: Be prepared

The survey findings illustrate the need for 100% reliable and responsive business continuity solutions and rapid-response disaster recovery. How your reactive protection is set up makes the difference between a minor glitch and a major catastrophe.

What do the results mean?

- The potential for monetary loss is significant. Healthcare firms are under attack; new data published to the Dark Web every day provides a window into the volume of new email and passwords that criminals have accessed.
- Controlling human behavior is the underlying challenge. There is a constant need to monitor for vulnerabilities and train personnel regarding email best practices.
- The need for data backups and disaster recovery is clear. Ransomware is a billion dollar program and growing.
- Gaps in security have allowed phishing attacks to become more effective. As the volume and quality of data elevates, malicious efforts are experiencing increased success.


Survey Methodology

The Deep Web is a portion of the Internet that is hidden from conventional search engines and the general public. Search engines like Google, BING and Yahoo only search the surface web, also known as the World Wide Web (www). It's estimated that the Deep Web is 400 to 550 times larger than the surface web and it is generally used by organizations such as universities to archive research and things of that nature.

Within the Deep Web there is a portion called the Dark Web. These are enclaves, sites, and forums within the Deep Web where users can operate anonymously to avoid law detection. This is the part of the web that ID Agent analyzed for the benchmark survey.

Using ID Agent's proprietary Dark Web ID analysis technology, ID Agent and Evolve IP analyzed 1,000 healthcare companies representing a variety of business types and sizes. The industry segments targeted included both HIPAA covered entities as well as many business associates who provide services to the covered entities.

Segments Studied

Healthcare Providers - 53%
IT/Software Providers - 15%
Hospitals - 8%
TPAs - 7%
Regional Health Plan - 7%
Medical Billing/Collections - 7%
Health Centers - 3%

How do criminals use stolen credentials?

There is a fairly common exploit lifecycle:

1. Gain access to data from emails that have been exploited via phishing, malware, data breach, social engineering, or some other form of attack
2. Use the data obtained to study the targeted corporations or individuals
3. Eventually gain system access
4. Establish a foothold
5. Gain more privileges
6. Move laterally throughout the organization and through the supply chain to extract data or control system access

Vulnerability statistics

On average, more than 68% of the firms reviewed have compromised email credentials visible and available on the Dark Web. The numbers range from 55.6% to 80.4% depending on industry segment. The results show it is incredibly common for compromised email and password combinations to be out on the Dark Web. Even organizations with one compromise still face huge risks and the risk is proportional to company size. One organization in the study had over 300 compromised credentials. Even if the password has been changed, password patterns and human tendencies make brute force attacks and social engineering significantly easier with this information.

Compromise % by Healthcare Industry Segment

Healthcare Providers - 61.9%
Regional Health Plan - 80.4%
TPAs - 76.5%
Medical Billing/Collections - 55.6%
Health Centers - 72%
Hospitals - 72.3%
IT/Software Providers - 76%

Passwords are easy to steal

What % Of Stolen Credentials Include Passwords?

Passwords Available - 76%
Passwords Not Available - 24%

76% of the stolen email records we reviewed on the Dark Web had an associated password. Of this 76%, 23% had fully visible text passwords. In many cases, these passwords are outdated, but that does not limit their value. More than three quarters of people use the same or similar passwords across all of their online activities.[2] By understanding the types of changes people make to their passwords over time, hackers can create a user profile and determine a person's new password fairly accurately by using simple guessing or sophisticated automated algorithms.


The remaining 77% were cryptographically hashed passwords. Simply hashing the password does not meet today's needs for security. Hackers can easily use a variety of methods (many of which are available online) to crack hashes, including dictionary attacks, brute force attacks, lookup tables, reverse lookup tables and rainbow tables.

This is why strong, unique passwords are paramount for each account and why passwords should change over time.

What type of compromise exposed the user credentials?

The study aimed to dig deeper than just how many names were compromised per organization. ID Agent's analysis evaluated where the data originated and from where it was stolen. There are numerous points of attack, each raising a unique degree of concern. The majority of the data (55%) is the result of known data breaches where user credentials were stolen in bulk (often in widely publicized events) and then published by the perpetrators. However, the most concerning finding is the relatively small segment of email credentials (6%) directly related to phishing or keylogging attacks. While the percentage is in single digits, keep in mind that this represents over 450 individual incidents where companies in our study had exposures, any one of which could lead to ransomware, denial of service attacks, or PHI breaches.

How are Email Credentials Being Stolen?

Known Data Breach - 55%
Undetermined - 38%
Keylogging/Phishing - 6%
Keylogged & Validated - 1%

Evolve IP's comprehensive security approach

Email vulnerability is a significant contributor to the tremendous range of threat vectors that are confronting healthcare organizations. The rest of this paper will look at security best practices that help organizations avoid costly email-related breaches and also help establish a systematic and structured security posture that is consistent with world-class enterprises.

The goals can be boiled down into three basic categories that every organization should embrace.

1. Proactive Threat Intelligence
2. Continuous Security Management
3. Rapid Incident Response and Recovery

1. Proactive Threat Intelligence

The objective is to identify and control, not just to observe, the technical threats and vulnerabilities by understanding and limiting the volume of viable environmental threats.

The ability to see vulnerabilities is critical for identifying hidden Dark Web threats before criminals exploit them. ID Agent provides this visibility on a regular basis and allows real-time response to urgent keylogging and phishing related compromises. With ID Agent's information, you can understand when malware removal, forced password changes, or training of employees may be required. This data also allows firms to understand user activity and behavior over time, which helps compliance teams see whether their efforts are making an impact. Are you seeing fewer credentials on the Dark Web? Is there rapid growth in activity? Proactive vulnerability reports highlight the answers.

This type of monitoring enables preemptive threat resolution and cuts off threats at the pass by:

- Enabling immediate response to keylogging or phishing compromises that may be actively bypassing your security barriers
- Providing alerts and ongoing monitoring of corporate emails and IP addresses that are being traded by hackers
- Identifying individual instances of email policy violations as well as general user training issues

2. Continuous Security Management

The challenge of infrastructure security is driven by the rapid pace at which the definition of security changes. The nature of attacks and the creativity of attackers evolves on a daily basis. The ability to identify and block these threats becomes critical and overwhelming. That's why day-to-day, real-time security analysis and infrastructure management is the second type of protection that organizations must master.

Evolve IP's approach is designed to quickly incorporate:

- New security standards and regulations
- Changes to existing authoritative sources
- Information about recent data breaches
- Industry feedback, best practices, and lessons learned
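
The earlier point that simply hashing a password does not meet today's security needs can be seen by comparing two storage schemes. This is an added example, not code from the study or from either vendor; the wordlist, user names, shared password and PBKDF2 work factor are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small wordlist standing in for a precomputed
# lookup table, and one password shared by two hypothetical users.
COMMON_PASSWORDS = ["123456", "password", "Summer2016!", "qwerty"]
SHARED_PASSWORD = "Summer2016!"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Weak storage: one fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str) -> dict:
    """Stronger storage: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def found_in_lookup_table(stored: dict) -> list:
    """Users whose stored hash matches a precomputed unsalted digest."""
    table = {unsalted_sha256(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, value in stored.items() if value in table)


def compare_schemes() -> dict:
    users = ("alice", "bob")
    weak = {u: unsalted_sha256(SHARED_PASSWORD) for u in users}
    strong = {u: store_password(SHARED_PASSWORD)["hash"] for u in users}
    return {
        "weak_hashes_identical": weak["alice"] == weak["bob"],
        "weak_found": found_in_lookup_table(weak),
        "strong_hashes_identical": strong["alice"] == strong["bob"],
        "strong_found": found_in_lookup_table(strong),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With unsalted hashes, both users' records are identical and both match the precomputed table; with a per-user salt and a slow key-derivation function, neither does, and each guess has to be recomputed per account.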


These characteristics and capabilities are consistent with a solid security foundation. However, while establishing such an environment empowers healthcare organizations to stay ahead of many emerging threat vectors, there is no known way to eliminate the potential of an attack.

3. Rapid Incident Response and Recovery

In healthcare, both money and lives are on the line. Losing system or file availability (for instance in the event of a ransomware attack), or getting shut down by a DDoS attack can have serious, immediate, and negative implications.

The best practice for ensuring ransomware protection and business continuity is to proactively create multiple, secure, and physically separate copies of all servers, applications, and data. This approach allows rapid restoration of your business operations in the event that your systems are compromised by an attack. The FBI agrees, as illustrated by this excerpt from a recent blog post on their website:

    Organizations in particular should focus on prevention efforts, both awareness training and robust technical prevention controls, and solid business continuity planning. As part of that plan, you should:

    1. Back up data regularly and verify the integrity of those backups regularly.
    2. Secure your backups. Make sure they aren't connected to the computers and networks they are backing up.

By following this advice, and arming your organization with the right backups, you can prevent the attackers from taking away access to your systems.

Why choose Evolve IP?

The key to maintaining control is to fortify your critical infrastructure and data with regular, isolated, and recoverable backups. Many organizations are unaware that with Evolve IP's technology, preparation and expertise, almost any production environment can be restored and operational within four hours (see figure below). With a range of business restoration options, Evolve IP puts you in control, not the attacker.

Figure: Recovery Time by Backup Strategy. Strategies shown: Offsite Tape Backups; On-site Tape or Virtual Backups; On-site Virtual Backups/Internal Team. Recovery times shown: 4-6 days*, 3 days*, 24 hours*, 4 hours.

The proper preparation to create this capability includes:

- Creating a reliable backup process. Create rapid, frequent system backups in a secure, offsite location.
- Ensuring data recoverability. Backups can also be infected by the malware virus if not detected immediately after infection.
- Confirming data availability. Ask yourself how quickly can we access and use the backup that we created?

Evolve IP makes rapid, frequent backups of your systems, and then moves them securely offsite to an isolated location. Depending on your existing infrastructure, simple backups can be established in a matter of hours, with your data securely maintained in an isolated, private, HIPAA-compliant environment. With Managed Disaster Recovery as a Service (DRaaS), Evolve IP's team stands ready to recover any compromised customer data with a 4-hour or less guaranteed service level.


Conclusion

The benchmark study revealed the alarming depth and breadth of an underlying and growing security threat to healthcare organizations. However, most organizations do not have the time or the resources to stay properly protected. Another solution is needed, and there is a fairly simple one.

Increasingly, healthcare providers are recognizing the value of cloud-based technologies and managed services. This kind of cloud, that is strengthened by in-depth security policies and procedures and designed to meet the rigorous HITRUST CSF certification standard, goes beyond subjective standards such as SOC II and provides firms with an absolute definition of what it means to have great security. This robust hosting backbone is then combined with actively managed security services that can rapidly respond to daily monitoring requirements, security updates, emerging threats, and compliance changes. This unique combination of technology and service liberates organizations to allocate their IT energies towards key growth and business development strategies.

About ID Agent/Dark Web ID

ID Agent provides a comprehensive set of threat intelligence and identity monitoring solutions to private and public sector organizations and to millions of individuals impacted by cyber incidents.

From monitoring your organization's domain for compromised credentials to deploying identity and credit management programs in order to protect your employees and the customers you serve, we have you covered.

The largest private and public sector organizations globally rely on Dark Web ID to provide actionable stolen credential data to make informed decisions.

Dark Web ID combines human intelligence with sophisticated Dark Web intelligence and search capabilities to identify, analyze and proactively monitor for your organization's compromised or stolen employee and customer data.

Visit www.idagent.com for more information.

Sources
1. http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html

2. http://blog.hubspot.com/marketing/password-statistics#sm.00001b32716x2f9pva824b1rcdt1n

About Evolve IP
Evolve IP is The Cloud Services Company. Designed from the
beginning to provide organizations with a unified option for cloud
services, Evolve IP enables decision-makers to migrate all or
select IT technologies to its award-winning cloud platform. Evolve
IP's combination of security, stability, scalability and lower total
cost of ownership is fundamentally superior to outdated legacy
systems and other cloud offerings. Today, over 130,000 users
across the globe depend daily on Evolve IP for cloud services
like virtual servers, desktop services, disaster recovery, unified
communications, contact centers and more.

Visit www.evolveip.net for more information.
