BY SEAN SIMS AND KELSEY KNORR
It goes without saying that the past year has forced massive changes in all industries – but perhaps none more so than the healthcare industry. Amidst all of the changes in the industry, cybersecurity in healthcare has been at the forefront of executives’ minds given the growing remote workforce and many recent cyberattacks in the industry. On Wednesday, October 28th, 2020, the FBI, Cybersecurity & Infrastructure Security Agency, and Department of Health & Human Services sent out a warning that they have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” With this threat, the healthcare industry can’t ignore the potential impact hackers might have.
With the almost immediate switch to remote work earlier this year, companies had to focus on enabling employees to work from home while also putting corresponding cybersecurity measures into place. Despite the policies and software used to prevent attacks, between the months of March and October of 2020, there were roughly 344 breaches in U.S.-based healthcare systems, according to the Department of Health & Human Services. Hackers have capitalized on lack of preparation and fear as more employees continue to work remotely and cybersecurity measures continue to adjust to the new normal.
So, from a cybersecurity perspective, how much really changed when companies went remote?
I had the opportunity to pose this exact question to one of our healthcare clients. Here are some of their thoughts:
- The corporate network is much more secure than the environment employees work in when they are remote and not connected to the corporate network.
- When COVID-19 unexpectedly forced employees to transition to an almost completely at-home model, companies had to focus their efforts first on enabling remote work, and then shift their focus to ensuring it was a secure environment. Since companies had to move so swiftly to implement “quick-fix” cybersecurity tools, oftentimes these tools were only sufficient on a short-term basis, but not necessarily the optimal solution to integrate with their existing network.
- Ultimately, COVID-19 has forced long-term adaptation in an unprecedented fashion. This reality became a breeding ground for threat actors.
Capitalization of Employee and Human Fear
The basic human need for security and comfort was put in jeopardy in the very spot employees thought they were receiving it during the pandemic – attentively reading HR emails and buying masks. In the interview we conducted with one of our clients, they mentioned that they had seen employees begin searching for masks – an almost nonexistent market prior to the pandemic. They saw that cyber hackers recognized the increase in unfamiliar traffic and began to embed malware in mask searches via fake mask sites and fake plug-ins/applications. The security operations team mentioned that in all technicality, the entry points for hackers remained the same, but the diversification of things hackers can phish for is much higher – thus, a higher number of hacks. Hackers home in on opportunities and areas that are in crisis, such as COVID-19, the housing market crash in 2008, and September 11th, to exploit human fear to the fullest.
Another example mentioned, intended to take advantage of employee fear, was threat actors sending phishing emails from internal groups such as “HR” stating messages like: “you have been furloughed, please click here to receive your benefits packet,” or, “here is a list of all employees who have been furloughed, please contact your manager here.” Our client saw that cyber hackers, aware of the short-term planning and lack of preparation, began to take advantage of these vulnerabilities to gather the data they desired.
Threat Actors – Explained
So, what is a “threat actor” and what is their real motivation? A threat actor is defined as “a person or entity responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity.” Put simply, threat actors put your security at risk. At the onset of the pandemic, they followed news and media closely, just like well-intentioned employees, because they are naturally opportunistic and looking for knee-jerk reactions. They look to capitalize on abnormal searches and downloadable applications.
During the chaos, cybercriminal threat actors are economically motivated to use entry points to target both individuals and companies. Though there are currently a lot of eyes on the healthcare industry given the current climate, the healthcare space has always been a prime target for hackers. Due to the monetary motivation of cyber attackers, 51% of data breaches are due to intentional malicious or criminal attacks. The healthcare industry is targeted because patient information is worth a lot of money given the guidelines healthcare systems have in place to protect that information. Hackers can then hold that information for a high ransom. They can also use ransomware to lock up medical equipment and force hospitals to pay a fee to ensure patient safety. Another reason the healthcare industry is targeted is the number of entry points attackers have. All of the medical devices connected to the network, for example infusion pumps or an MRI machine, are designed to monitor patient care and lack security measures, so they are then used as entry points for attackers. Unfortunately, cyberattacks are usually remotely controlled; therefore, virtually anyone in the world can initiate an attack.
How to Mitigate Cybersecurity Risks
So, what’s next? Let’s discuss the three best practices to enable more reliable cybersecurity practices in a healthcare setting:
Educate Employees on How to Assist
With the workforce scattered across the nation, security cannot fall solely on the shoulders of the security team – it has to become a community effort. Create learning and training sessions for employees to become knowledgeable about how cybercriminals act and how they take advantage of work from home models. Discuss the importance of saving work on the cloud as opposed to saving locally. Talk about healthy skepticism and spotting suspicious links and phishing emails. Discuss good password habits. These training efforts you invest in your employees can be one of the most important cybersecurity practices you put into place.
Empower and Protect Employees with Security Tools
Give employees the tools to succeed and protect the organization’s information. In response to cyberattacks, one of our healthcare clients recently added a Phish Alarm button in Outlook. Previously, staff was told to forward suspicious e-mails to the threat response team as an attachment, but the Phish Alarm button provided them with a more user-friendly option that increases the likelihood that suspicious e-mails will actually be reported.
Similarly, some organizations have programs that send fake phishing emails to see how their employees respond. If the employee clicks on the “suspicious link”, they get notified and the individual must take a quick training course or follow up with the security team to ensure they are prepared to succeed moving forward.
Our client deployed a tool that provides automated threat detection for an added layer of security. This tool continuously monitors every device on the network and uses multiple analytical techniques to outline normal behavior. The tool will then send alarms to the user when there is abnormal activity, helping the organization respond to the higher risk threats first.
Another tool that enables strong security is multi-factor authentication. This login method requires a user to present two or more pieces of evidence for authentication. This will ensure that only specific users are granted access to a desired website or application.
Create a Plan For What’s Next – Security Roadmap
In order to create an effective roadmap, you first need to identify gaps and vulnerabilities in the organization. One tool that helps discover gaps and vulnerabilities is penetration testing software. Penetration testing is an authorized, simulated cyberattack on a computer system and is an effective way to test a security system and find discrepancies. By conducting this test, gaps in the organization’s security are highlighted, and the company is able to recognize areas for improvement and mitigate them.
Now that you have evaluated your gaps and vulnerabilities, consider developing a plan for how traffic can enter and exit the network. In other words, determine how to best segment your network. Network segmentation allows an organization to split a network into smaller sub-networks. This provides roadblocks in traffic such that if an unauthorized user gets into the network, they do not get full access to the organization’s data.
As the saying goes, “all good things take time.” So, improving healthcare cybersecurity and adapting to the ever-changing industry won’t occur overnight. It will take ongoing commitment, teamwork from multiple workstreams, and a dedication to strong communication across the organization for patient protection to improve. As an organization you never know when an attack will happen, so it’s important to be prepared, create a plan, and empower your workforce to play an active role in protecting your organization’s information.