The old-school hack attacks tended to be one-offs, measuring sticks for bragging rights as to who had the best skills. Today there is an entirely different motivation: money. This is especially true when it comes to healthcare cybersecurity threats, as covered entities often hold large amounts of sensitive data that third-party attackers find extremely valuable.
Ransomware is the current hot-button issue, but other threats, such as stealing PHI and siphoning off or secretly redirecting reimbursements in the background, are also profit-driven. Estimates are that cybercrime will cost businesses more than $2 billion globally by 2019, four times what it is today. And therein lies the problem.
Now that there is money in it, the heads of cybercriminal organizations can afford to hire armies of hackers to use technology or social engineering to find a way into healthcare provider or payer networks. Or they can purchase software on the Dark Web that does it automatically. There are all sorts of avenues cybercriminals can take to gain entry, which means IT can't protect the entire enterprise alone.
The battle can essentially be broken into two fronts: technology and user.
The technology front
Obviously, this front is primarily IT's responsibility, although users still have a role to play in it.
At this point, most organizations have their networks and internal technologies pretty well locked down. They are largely able to control what happens within their four walls. The real threats generally come from outside the core IT infrastructure, beginning with the devices we all carry in our pockets.
If the business supplies smartphones or other devices such as tablets to users, IT can dictate whether (or which) apps can be downloaded, whether PHI can be stored on them, and other critical aspects of use. It can also dictate to users that if a smartphone is lost, its contents will immediately be wiped.
Increasingly, however, we are living in a BYOD (bring your own device) business atmosphere. While less expensive and more convenient for the business in some respects, allowing BYOD creates a significant loss of control over which devices are used, how they're set up, whether they have sufficient security provisions, and how users use them.
Some best practices on the technology side include:
- Stipulate that if a personal device with access to the network is lost or stolen, IT will immediately wipe it clean. While users may worry about losing personal information, wiping the device also protects them against stolen passwords and credit card information.
- Disable all external ports (USB ports in particular) that can be used to transfer data onto an external hard drive or thumb drive, or malware from an external drive onto the device. IT may even want to disable the data transfer capabilities of charging ports on mobile devices, at least for users who travel frequently. Fake charging stations (an attack known as juice jacking) can quickly copy all of the contents off a device, capturing valuable data, saved passwords and other information.
- Prevent PHI from being downloaded into a device's storage. That may mean changing technologies, which can be painful, but not as painful as a data breach. Look for applications that enable users to view PHI remotely but do not download it onto the device.
The user front
The technology front is the easier one to manage. It is rules-based, and for the most part, IT has control over all the elements within it. Getting users to become aware of healthcare security requirements and educating them on how to protect themselves (and the enterprise) is far more challenging. It's not just a matter of neophytes or technophobes versus experts.
Recently, a cybersecurity expert told a story on the radio about finishing a lecture on that topic. As he walked off the stage he saw a short message asking him to look over a document. He said he was about to click on the link when his Spidey-sense started tingling, and he then realized it was an example of spear phishing. If an expert can be nearly fooled, it can happen to anyone.
The key to preventing these types of attacks is user education, especially about email and the use of mobile devices. Tell users:
- Be very careful about opening emails or texts with messages such as "Hey, check this out" or "Can you look this over" and no other context. Techniques such as spear phishing play on our natural tendency to connect with or help others. When in doubt, users should ask a co-worker to review the message. They should also forward suspected fake messages to IT to make them aware of the issue.
- Never connect to an unsecured Wi-Fi network in a public location. It may be more convenient to connect directly than to go to the counter and ask for a password, but it's not uncommon for cybercriminals to set up a Wi-Fi network that appears to be provided by the business. Once users log onto that network, cybercriminals can see and capture all the data that passes through it and use key loggers to capture passwords for future intrusions.
- Don't react or respond to messages claiming to be from the IRS, FBI or some other government agency, especially if there is an urgent time factor attached. That's not how government agencies operate. Again, the proper reaction is to either delete the email or ask a co-worker to give it a look, and to forward it to IT so they can address any security holes.
- Never leave downloaded PHI on any device. Lost or stolen devices with PHI become a cornucopia for cybercriminals. Users should close all sessions when they are finished, preferably before they leave the facility. If they are reviewing data remotely, they should be sure to close both the session and the application.
- Never store passwords on a device. Yes, it's inconvenient for users to have to enter a password each time they want to access an application, but better that than leaving a wide-open entryway into the network.
Finally, when it comes to security, users should be pessimistic in their approach. Assume any unusual emails or texts are attempts to breach the network, and that any unsecured Wi-Fi networks are being used to steal data.