The data that is most critical for healthcare organizations to provide, track and meaningfully contribute to the wellness of their patients is under constant threat.
From distributed denial of service (DDOS) attacks to spear phishing, the motives behind cyber attacks vary as much as the means. Different adversaries can simultaneously attack you on various fronts. With so many cyber security threats to address, teasing through where you’re at risk, what you’re doing right and what you’re doing wrong is not always clear. Here are four cyber security threats that your healthcare organization can’t ignore and suggestions for managing the risks they pose.
Your healthcare organization itself probably won’t be targeted for socially or politically-motivated hacking because you likely avoid headline-grabbing controversies.
But you could quickly become a target of hacktivism if your organization gets involved in some kind of social situation. For example, if a celebrity who gained notoriety for doing something bad is admitted to your hospital, then hacktivists may try to access that patient’s information so that they can release it to the public.
Hacktivists commonly use DDOS attacks. They also use social engineering, like calling the receptionist, and techniques such as spear phishing to access your environment.
Cyber criminals don’t strike for attention. They’re in it for the money.
The Dark Overlord Group, for one, steals EPHI and sells it on the black market, where it is 50 times more valuable than stolen credit cards. The buyers of that data-rich EPHI then use it to commit crimes such as healthcare, Social Security, or tax-return fraud.
So ultimately the biggest risk to the healthcare industry is usually from a criminal perspective, including internal and external threats.
An espionage-motivated hacker isn’t going to damage your environment or make it public as criminal adversaries would, but this is also a critical threat.
One insurer was compromised to steal information from patients, particularly government employees. If government employees’ healthcare records can be stolen, then perhaps the president’s can be as well—and most likely by a nation-state adversary.
A big focus for security is around stealing data. Well, there’s this other dark side of the equation, which is destructive.
Though it wasn’t in healthcare, you can look at what happened to Sony. Nation-state actors broke into their environment. They encrypted the entire network. They deleted all of the information and they crippled the company for several weeks. That is the coup de grace in cyber terrorism and it’s quite difficult to shake off.
For healthcare, if a major national dignitary has to go into a hospital, then hackers from a rival nation that may not like that VIP may try to penetrate that facility. If they get in and they really want to cause damage, they can become very disruptive and cause problems.
Still, healthcare specifically probably will not be hit by a nation state, except in cyber warfare. If the US were to go to war, critical infrastructure and healthcare capabilities could be two prime targets in cyber warfare activity.
The capability of cyber terrorists to successfully attack is low, but if they find an opportunity to do so, they will exercise that opportunity. Their intent is very high.
You may believe that you can actually prevent an intrusion from happening. But as soon as you have a program built around prevention, you are setting yourself up for failure because you are assuming that the adversary is not going to come in.
You can build firewalls, implement an antivirus program and have next-generation AV protecting you, but eventually they’re going to fail. Or those devices will themselves become the vulnerabilities and will be exploited.
The best strategy is to focus on detection. What you want to look for is anomalous behavior. Identify things that are not supposed to be happening. Build a detection program.
Another common mistake is that organizations put security tools in place but they don’t support them with proper resources. They’ll get the firewall but they won’t assign someone to manage it, for example. If you buy anything, make sure you have allocated resources to properly manage that solution.
Again, cyber security threats pose a comprehensive and pervasive risk in healthcare. So, the cyber-security knowledge and awareness in your organization should be equally comprehensive and pervasive.
People tend to think of the adversaries as being external. They picture hackers as guys who live in their basements. They’re figments of imagination like in movies. The real deal is that employees are the lowest-hanging fruit.
Whether they are targeted by an external hacker and open up that email that was a phishing attack or it is the employee themselves—maybe they are angry because they didn’t get the raise or promotion that they wanted—employees are the weakest links. The adversaries know that, and a nefarious employee knows that, and they will take advantage of those opportunities.
So your education program needs to emphasize that the problem is on the inside. It’s not on the outside.
As soon as you turn that around, making a fundamental shift in the understanding of the risk, you can actually start doing everything needed to put security in place.
It can be hard to tell even the most valued, knowledgeable and trustworthy employee: “I trust you but I can’t provide you with the access that you need to have, or you want to have, because you don’t really need it and I have to keep the company protected.” But if they do get compromised and they have root access to all of the networks in their environment, well, it’s game over at that point.
Unfortunately, healthcare organizations often fail to deny access to such individuals because they have a caring environment that is built around improving the lives of human beings. It’s difficult to tell a doctor who is wired for empathy, sympathy and capability, that they shouldn’t trust their emotions.
So, you may have well-intentioned people in your organization who, despite education, may still think they are, for whatever reason, related to an imaginary prince. Those things are all real and have to be addressed when you look at the risk that comes from inside, which is the most predominant source of risk. You must be vigilant in recognizing that risk.
Ultimately, no matter what you do, when it comes to cyber security threats to healthcare, if adversaries have targeted you they will get into your network. You must be able to manage risk by accepting that you could be targeted, acknowledging that you might be compromised, establishing awareness of the possibilities and addressing threats that do arise.
Once you gain that understanding and find that calmness with it, you’re going to sleep well at night.