A recent attack on email servers at Microsoft raises questions about the security of protected health information (PHI) on servers that healthcare organizations use.
On April 12, Microsoft sent notification emails to some Outlook account users warning them of a breach that might have compromised their data. Between Jan. 1, 2019, and March 29, 2019, hackers accessed a Microsoft support portal that is used to field customer questions and complaints. The hackers could have accessed and viewed the content of some Outlook accounts, Microsoft said.
“This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your email address, folder names, the subject lines of emails, and the names of other email addresses you communicate with), but not the content of any emails or attachments,” according to the notice from Microsoft.
Later, Microsoft said the breach might have been worse than it first appeared and that accounts might have been accessed for months earlier than believed. The hackers might have been able to access email content and addresses, the company said.
Patients who may have shared PHI through these compromised accounts could be at risk, says Mark Bower, general manager and CEO of Egress Software in Boston. The administrative compromise of the Microsoft customer support portal allowed the attackers to gain full access to email content in compromised accounts as well as email addresses and subject lines, Bower explains. This could enable manipulation of the account owner's network with well-constructed phishing emails for direct attacks and potentially more damaging access. “The attack illustrates that dependency on cloud email providers to protect data only means one thing for people: Attacks like this are to be expected, and getting ahead of the more serious risk of email data access requires trusted, third-party email encryption for sensitive emails with built-in smarts and monitoring so users are properly secured and warned when threats emerge,” Bower says.
A primary lesson from the Microsoft breach is that anyone can fall victim to an attack, says Matt Fisher, JD, partner with Mirick O’Connell in Worcester, MA. Hosting your data with a massive company like Microsoft does not bring any guarantee of safety, he says.
“It’s only a matter of when, not if, a breach will occur. Unfortunately, the hackers are steps ahead of people trying to protect the data. This incident shows that even a company as sophisticated as Microsoft is not beyond reach,” Fisher says. Healthcare organizations using Microsoft email servers should contact the company to determine if their data were involved in the breach. If it were, then try to determine if any PHI was compromised. If PHI was involved, one most likely will need to proceed with data breach notification, Fisher says.
Avoiding this type of breach in the future will require a review of security settings and optimizing them when possible, Fisher says. Sticking with the default security settings and options usually is insufficient. Generic passwords are especially vulnerable to outside attackers.
“It’s possible sometimes when you look at your setup you will find that not all of the security features have been activated,” Fisher notes. “After taking all the right steps up front, you have to constantly monitor and make sure systems are updated regularly. You also have to recognize when the threat environment is evolving and not remain static.”
Fisher notes that the healthcare industry is known for its lack of vigilance on cybersecurity, although the level of attentiveness can vary greatly from one organization to another.
“It would be beneficial for most healthcare organizations to pay more attention to this and treat it with the utmost seriousness,” Fisher says. “The Microsoft breach is a reminder that these attacks are continuing and can come from areas you hadn’t anticipated.”
For healthcare providers, this Microsoft email data breach brings to mind the healthcare data compromise in Singapore last year that affected 1.5 million patients and originated with an unpatched version of Microsoft Outlook, says Sam McLane, chief of the technology services office at Arctic Wolf Networks, a software security company based in Sunnyvale, CA. The hackers in that 2018 case took advantage of a known vulnerability in Outlook, McLane says. The lesson for risk managers involved the need for good security hygiene, including regular vulnerability assessment and patching.
“The most recent Microsoft email episode involves Microsoft-managed email services such as Outlook.com, MSN.com, and Hotmail.com,” McLane says. “It is important to note that this episode appears not to have affected Office365, which healthcare providers probably use for communications involving electronic protected health information.”
For the healthcare community using Office365, a best practice is to monitor your Office365 login data for suspicious activity, McLane says. “Microsoft provides solid Office365 security and can provide tool security telemetry, but the burden lies with the healthcare organization to monitor Office365 telemetry for anomalous activity,” he says. “Monitoring and detecting unauthorized access to Office365 like anomalous sign-in activity from brute-force attacks, concurrent access across multiple geographies, and access from unauthorized geographies are industry best practices that enable you to tighten up security of PHI in the cloud.”
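As an added illustration of the monitoring McLane describes (this is example code written for this article, not code from the article's sources or from any Microsoft tooling), the following Python script runs three detections over a constructed, simplified sign-in log: a burst of failed sign-ins against one account (brute force), successful sign-ins by the same account from two countries within an hour (concurrent access across geographies), and successful sign-ins from countries outside an allow list (unauthorized geography). The log format, thresholds, allow list, account names and IP addresses are all assumptions; a real deployment would read the tenant's sign-in log export and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Office 365 output; the field set is a
# simplified stand-in for a cloud sign-in log export).
# Fields: timestamp (UTC), account, source IP, geolocated country, result.
SAMPLE_EVENTS = """\
2019-04-01T08:00:00Z,nurse1@example-hospital.org,203.0.113.10,US,success
2019-04-01T08:01:00Z,billing@example-hospital.org,198.51.100.7,US,failure
2019-04-01T08:01:20Z,billing@example-hospital.org,198.51.100.7,US,failure
2019-04-01T08:01:40Z,billing@example-hospital.org,198.51.100.7,US,failure
2019-04-01T08:02:00Z,billing@example-hospital.org,198.51.100.7,US,failure
2019-04-01T08:02:30Z,billing@example-hospital.org,198.51.100.7,US,failure
2019-04-01T08:02:50Z,billing@example-hospital.org,198.51.100.7,US,success
2019-04-01T08:30:00Z,nurse1@example-hospital.org,192.0.2.44,RU,success
2019-04-01T09:00:00Z,doctor2@example-hospital.org,192.0.2.99,BR,success
"""

# Hypothetical policy values: where staff are expected to sign in from, and detection thresholds.
ALLOWED_COUNTRIES = {"US", "CA"}
BRUTE_FORCE_THRESHOLD = 5            # failed sign-ins per account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is "concurrent" access


def parse_events(text):
    """Parse the CSV-style log above into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return the set of accounts with >= threshold failures inside the sliding window."""
    alerts = set()
    failures = defaultdict(list)   # account -> timestamps of recent failures
    for e in events:
        if e["result"] != "failure":
            continue
        recent = failures[e["user"]]
        recent.append(e["time"])
        # Drop failures that have aged out of the window.
        while recent and e["time"] - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.add(e["user"])
    return alerts


def detect_impossible_travel(events, window=TRAVEL_WINDOW):
    """Return (account, earlier country, later country) for successful sign-ins
    by one account from two different countries within the window."""
    alerts = []
    last_success = {}   # account -> (time, country) of most recent success
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["country"] and e["time"] - prev[0] <= window:
            alerts.append((e["user"], prev[1], e["country"]))
        last_success[e["user"]] = (e["time"], e["country"])
    return alerts


def detect_unauthorized_geo(events, allowed=ALLOWED_COUNTRIES):
    """Return (account, country) for successful sign-ins from outside the allow list."""
    return [(e["user"], e["country"]) for e in events
            if e["result"] == "success" and e["country"] not in allowed]


def run_detections(text):
    """Run all three detections over a log and return their findings by name."""
    events = parse_events(text)
    return {
        "brute_force": sorted(detect_brute_force(events)),
        "impossible_travel": detect_impossible_travel(events),
        "unauthorized_geo": detect_unauthorized_geo(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the constructed log, the billing account trips the brute-force rule (five failures in under two minutes, followed by a success, which is the pattern worth escalating first), nurse1 is flagged for signing in from the US and then from Russia half an hour later, and both the Russian and Brazilian sign-ins fall outside the allow list. In practice each finding would feed an alert or a conditional-access decision rather than a print statement.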
The latest Microsoft breach illustrates an important trend in cyber threats, says Andy Smith, vice president of product marketing at Centrify, a software security company based in Santa Clara, CA. “This breach is yet another example of the fact that cyberattackers don’t hack in anymore. They login using weak, default, or otherwise compromised credentials,” Smith says. “Privileged account access provides cyber adversaries with the keys to the kingdom and a perfect camouflage for their data exfiltration efforts.” A report from FireEye, a security company based in Milpitas, CA, indicates that the global median dwell time that attackers remain undiscovered in your network is 101 days (as of 2017). Healthcare organizations have to assume that bad actors are in their networks already, Smith says. That is why healthcare organizations must move toward a “zero trust” model of cybersecurity. “Zero trust” is a security concept in which organizations do not trust anything inside or outside their perimeters. Anyone and anything must be verified before granting access.
“Simple static passwords are not enough, especially for sensitive company data. Now is the time for healthcare organizations to move to a zero trust approach, powered by additional security measures such as multifactor authentication, to stay ahead of the security curve,” Smith says. “With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the ‘Collection #1’ breach? You cannot. You can’t trust a static password anymore; multifactor authorization is the lowest hanging fruit for protecting against compromised credentials.”
Smith says healthcare organizations must take a stronger stance against hackers because the evidence is clear that they are not letting up on trying to get access to valuable PHI and the associated data of patients.
“Zero trust can help companies avoid becoming the next breach headline, including the damage to brand, customer loss, and value degradation that typically comes with it,” he says.