Phishing Attack in Healthcare Insurance Provider (Sermelles Limited)
This article discusses information security, covering the information security issue, information security policies and information security awareness relevant to a phishing email attack on the healthcare insurance provider Sermelles Limited, one of the largest health insurance providers in New Zealand. An information security programme is presented together with a discussion of the information security threat identified through information security management, governance and policies. The article also evaluates how a phishing email attack affects information security and how this should be accounted for in InfoSec planning. The information security policy is created by the CISO or information security management as a guideline for the actions to take to overcome threats such as phishing attacks, as well as other threats and risks.
Information security (InfoSec) is a main concern of a healthcare organisation, since InfoSec protects the confidentiality, integrity and availability of information. Sermelles Limited is one of the largest health insurance providers in New Zealand. An information security issue arose because employees failed to report immediately to information security management and the CISO when they received a phishing email that appeared to come from a legitimate internal department. To overcome the data breach at Sermelles Healthcare, information security plays a vital role in protecting all information. This report focuses on how the InfoSec function of the healthcare system overcomes the threat identified as a phishing email attack, by structuring a strategic plan that aligns InfoSec with business strategy to support the mission and vision of the healthcare organisation. Sermelles Limited uses different types of approaches to control security threats, such as firewalls, to maintain confidentiality and to succeed in a competitive market. The management of Sermelles Limited uses the InfoSec policy (ISP) to ensure that employees follow business ethics, maintaining the goodwill of the organisation and maximising its revenue.
Information security means protecting information and information systems from unauthorised access, disclosure, use, modification or destruction, in order to provide confidentiality, integrity and availability within an organisation (Whitman & Mattord 2016). It involves monitoring information security issues related to compliance with the information security policy, the technologies in use, and the immediate actions to take based on decisions made by information security management and the employees of the organisation. Many organisations agree that employees' knowledge can be a great asset in the effort to reduce information security threats, but employees can also be more dangerous to information security than outsiders (Bulgurcu, Cavusoglu & Benbasat 2010). For example, many organisations rely on employees such as system security officers to regularly query vulnerability databases and apply fixes to their systems to avoid attacks. Employees who comply with the organisation's information security policies are therefore the key to enhancing information security, and understanding compliance behaviour is crucial for all organisations. All employees of a healthcare organisation should protect all data under their control and periodically review all information security, confidential data and acceptable use policies. For a healthcare information system, information must be protected according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This legislation enables electronic data interchange of patient medical records across authorised medical centres and also protects the confidentiality and security of healthcare data, giving consumers control over their medical information (Langer 2017). Sermelles Limited, as a healthcare provider, must control and restrict the disclosure of confidential information about patients in order to enhance information security.
Information security is a main concern not only for healthcare organisations but for all organisations, and it is important for the employees and computer users within them (Dahbur, Isleem & Ismail 2012). The Information Security Policy (ISP) is the most widely used tool that an information security manager applies to protect the information system from internal and external threats, and it also provides better insight into existing information security issues (Stahl, Doherty & Shaw 2012). Information security is not only about protecting against phishing attacks but also against other threats such as malware, viruses, worms and other information security risks. Not only Sermelles Limited but every organisation needs to implement an information security policy (ISP), establish proper training programmes to create information security awareness among employees, and ensure that all physical security controls are well designed and used properly within the organisation.
Best practice in information security depends on the level of information security awareness. In general, enterprise employees have varying levels of information security awareness (Abawajy 2014). Conceptual studies (Hentea 2005) have emphasised the importance of building information security awareness through education and training. D'Arcy, Hovav & Galletta (2009) recommended three security countermeasures that organisations can use to reduce users' intention to misuse information systems: awareness of information security policies (ISP); security education, training and awareness (SETA) programmes; and computer monitoring. This result is also important for information security management. Information security threats from organised crime are increasing and many organisations are being affected, so information security awareness training is mandatory for every organisation in order to prevent a diverse range of threats. Every organisation that accepts credit cards or processes cardholder information for online payment must provide information security awareness training according to the Payment Card Industry Data Security Standard (PCI DSS). Information security awareness is also critical to raising the level of staff awareness of, and compliance with, the information security policies, practices and guidance relevant to their duties in the organisation. According to Abawajy (2014), the basic goal of information security awareness is to change employees' attitudes, which in turn changes the overall culture of the organisation. This cultural change is critical because any information security threat can have potentially adverse consequences for every organisation that depends heavily on its information systems, irrespective of size or form. Information security awareness also aims to increase users' understanding of how to follow responsible computing practices and why this is necessary.
Thus, the probability of a data breach is reduced when employees report suspected information security threats as they arise (Abawajy 2014).
According to the scenario given for Sermelles Limited, this is a cyber-attack known as phishing. Based on Jensen et al. (2017), a common phishing attack consists of sending malicious, unsolicited emails that imitate trustworthy messages from the organisation. Once a targeted employee clicks or opens the link attached to the phishing email, malware can be installed on the system. As a result, the whole company system at Sermelles is affected, and the attacker can steal clients' credentials and information for illegal purposes such as selling them to other criminals, using them as a false identity, committing financial fraud, or stealing further private information from the organisation (Jensen et al. 2017). The investigators reported that the attacker executed a sophisticated phishing attack and successfully stole client details including full name, date of birth, email and physical addresses, insurance IDs, employment information, some credit/debit card details, income data and medical IDs. Such phishing attacks not only cause financial losses and may cost Sermelles Limited its customers' trust, but also damage the reputation of the organisation.
Sermelles Limited needs to develop an effective information security programme to prevent phishing threats against information privacy, the healthcare system and its staff.
Information security governance is the process of creating and maintaining the organisational structure that manages the InfoSec function within the organisation. Information security governance objectives should be supervised by the board of directors. First, to promote a culture of handling confidential information and information security properly among Sermelles Limited staff; for example, every employee shuts down their computer before leaving the company. Secondly, to make sure that management's investment in InfoSec always aligns with the organisation's strategies and risk environment. Thirdly, to ensure that a comprehensive InfoSec programme is developed and implemented. Lastly, to generate reports from the different layers of management on the InfoSec programme's effectiveness and adequacy. Business strategy must always align with InfoSec to support the value of the organisation. A risk management strategy is developed to manage and mitigate threats to information resources; for example, the chief information security officer (CISO) and other InfoSec managers can react to an immediate threat by having a contingency plan. Hentea (2007) suggested that information security management solutions need to integrate threat data from diverse information security sources and network products to prevent false alerts: all related threat information from many sources is collected and used to identify significant threats, so as to improve the efficiency of security operations.
- The CEO should conduct an annual InfoSec evaluation, review it with staff and report to the board of directors.
- Conduct periodic risk assessments of information assets as part of a risk management program.
- Implement policies and procedures based on risk assessments to secure information assets.
- Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
The different roles and responsibilities of information security personnel are identified in Figure 1:
Figure 1: InfoSec Governance responsibilities (Management of Information Security, 5th Edition © Cengage Learning)
There are other measures to prevent a data breach by phishing, such as employees maintaining regular backups of all confidential information and ensuring that anti-virus software is up to date. In case the information system is attacked by a threat such as malware or a virus, proper recovery of the data should be implemented for the Sermelles organisation.
The Information Security Policy (ISP) is the standard reference for employees on protecting the valuable information of the Sermelles organisation. The ISP includes all policies related to customer healthcare and to the alignment of information security with the business strategy of the healthcare industry. Implementing the ISP is important, as management, who are the policy makers, are responsible for developing information security awareness among employees. Three types of ISP need to be defined by the policy maker, the information security manager, to produce a complete information security policy:
- The enterprise information security program policy (EISP) is the high-level information security policy that sets the business security alignment strategy so that it does not contradict the mission statement of the organisation. For example, it may mandate two-factor authentication.
- Issue-specific information security policies (ISSP) are organisational policies that provide detailed, targeted guidance to instruct and regulate all members of the organisation in the use of a resource; for example, the use of the internet and of company networks should be defined in such a policy.
- Systems-specific security policies (SysSPs) are standards or procedures created by management as a guide for configuring or maintaining information systems, applying to any technology that affects the confidentiality, integrity and availability of information. A SysSP can be divided into managerial guidance and technical specifications, or combined in a single unified SysSP document. There are two methods of implementing the technical specifications:
- Access control lists (ACLs) are capability tables that control and restrict the rights and privileges with which users or department groups can access a particular file or computer.
- Configuration rules are instructional codes that guide the execution of the system when information passes through it, such as firewall configuration rules.
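As an added illustration of the two SysSP implementation methods above (not code from the original article or from Sermelles Limited), the following Python models an ACL as a capability table with default deny, and firewall configuration rules evaluated in order with a final catch-all deny; the department names, file paths and network addresses are constructed for the example.

```python
"""Two SysSP technical specifications: a capability-table ACL and ordered
firewall configuration rules. All names and addresses are constructed."""
from ipaddress import ip_address, ip_network

# Capability table: for each department group, the files it may touch and the
# rights granted on each. Anything not listed is implicitly denied.
ACL = {
    "claims":   {"/records/policyholders.db": {"read"},
                 "/records/claims.db": {"read", "write"}},
    "finance":  {"/records/billing.db": {"read", "write"}},
    "helpdesk": {"/records/policyholders.db": {"read"}},
}

def acl_allows(group, path, right):
    """True only if the table grants `right` on `path` to `group` (default deny)."""
    return right in ACL.get(group, {}).get(path, set())

# Firewall configuration rules, evaluated top to bottom; the last rule denies
# everything that an earlier rule did not explicitly permit.
FIREWALL_RULES = [
    # (source network, destination network, destination port or None, action)
    ("10.10.0.0/16", "10.20.5.10/32", 443, "allow"),  # staff LAN -> records server (HTTPS)
    ("10.10.0.0/16", "10.20.5.10/32", 22, "deny"),    # no SSH from the staff LAN
    ("10.30.0.0/24", "10.20.5.10/32", 22, "allow"),   # admin jump network may SSH
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # default deny
]

def firewall_decision(src, dst, port):
    """Return the action of the first rule matching source, destination and port."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rule_port, action in FIREWALL_RULES:
        if s in ip_network(src_net) and d in ip_network(dst_net) and rule_port in (None, port):
            return action
    return "deny"  # safety net; unreachable while the catch-all rule is present

if __name__ == "__main__":
    print(acl_allows("claims", "/records/claims.db", "write"))   # True
    print(acl_allows("helpdesk", "/records/claims.db", "read"))  # False: not in the table
    print(firewall_decision("10.10.4.7", "10.20.5.10", 22))      # deny
    print(firewall_decision("10.30.0.9", "10.20.5.10", 22))      # allow
```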
Information security management should develop an effective Information Security Policy using industry-accepted practices; the policy must be formally approved by management, distributed to all employees to read and understand, formally agreed to by them, and then applied and enforced.
After implementing the Information Security Policy, information security training and an information security programme should be conducted to educate employees in information security skills and procedures, so that they are more alert to information security threats and to new security policies that have been or will be implemented.
In conclusion, an information security programme can bring significant benefits to an organisation. At the same time, information security policies, risk management and security controls are needed as measures of proper control to reduce threats. The ISP is a standard that is developed and implemented effectively by training internal InfoSec staff to monitor and manage threats against the Sermelles healthcare organisation. These benefits will bring success not only to the healthcare industry but to all organisations.
Abawajy, J 2014, ‘User preference of cyber security awareness delivery methods’, Behaviour & Information Technology, vol. 33, no. 3, pp. 236–247.
Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness’, MIS Quarterly, vol. 34, no. 3, pp. 523-A7.
Dahbur, K, Isleem, MR & Ismail, S 2012, ‘A Study of Information Security Issues and Measures in Jordan’, International Management Review, vol. 8, no. 2, pp. 71–82.
D’Arcy, J, Hovav, A & Galletta, D 2009, ‘User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach’, Information Systems Research, vol. 20, no. 1, pp. 79–98.
Hentea, M 2005, ‘A Perspective on Achieving Information Security Awareness’, Issues in Informing Science & Information Technology, vol. 2, pp. 169–178.
Hentea, M 2007, ‘Intelligent System for Information Security Management: Architecture and Design Issues’, Issues in Informing Science & Information Technology, vol. 4, pp. 29–43.
Jensen, ML, Dinger, M, Wright, RT & Thatcher, JB 2017, ‘Training to Mitigate Phishing Attacks Using Mindfulness Techniques’, Journal of Management Information Systems, vol. 34, no. 2, pp. 597–626.
Langer, S 2017, ‘Cyber-Security Issues in Healthcare Information Technology’, Journal of Digital Imaging, vol. 30, no. 1, pp. 117–125.
Stahl, BC, Doherty, NF & Shaw, M 2012, ‘Information security policies in the UK healthcare sector: a critical evaluation’, Information Systems Journal, vol. 22, no. 1, pp. 77–94.
Whitman, ME & Mattord, HJ 2016, Management of Information Security, 5th edn, Course Technology, New York, NY.