Change is the only constant in life.
It’s a quote that is believed to have been coined some 2,500 years ago by the Greek philosopher Heraclitus, and yet it’s as relevant as ever, particularly in healthcare. With technology advancing at an astounding rate, consumers are emerging as a driving force in market trends, and data is becoming more of a commodity than ever before.
That, of course, means it’s becoming increasingly crucial to safeguard patient information. It’s also becoming much more difficult; as IT systems have become more sophisticated, so have the methods being used by those looking to penetrate them.
“These aren’t the cyber attacks we were seeing 3 to 5 years ago,” said Ryan Witt, Managing Director of Healthcare at Proofpoint, who served on a recent panel along with Todd Richardson (SVP and CIO) and Wayne Pierce (Information Security Officer) of Aspirus. It’s no longer about network-based attacks; now, it’s getting personal. “Imposter-based, targeted attacks are becoming much more common,” he noted.
That’s the bad news.
The good news is that security is increasingly being viewed as an organization-wide priority. It’s no longer limited to CISOs, IT directors, and their teams — or at least, it shouldn’t be. And if health systems want to keep moving in that direction, it’s imperative for leaders to ensure everyone understands the threats that exist and how they can be avoided.
During the presentation, entitled Protecting Your Health System from Imposter-based Emails, the panelists shed light on what has become an increasingly dark subject area, and offered best practices for safeguarding data (and subsequently, patients). Below are some of the key points from the discussion:
- Culture is the biggest vulnerability. It’s not actually technology, but the culture of the organization, and how security is viewed, that presents the greatest vulnerability, according to Pierce. Leaders need to ensure all team members feel empowered to question the legitimacy of an email — even if it appears to come from the highest levels.
- Social engineering is being used as a weapon. Most cybercriminals are driven by financial gain, and have realized that it’s easier to leverage social engineering to attack single individuals than to become an expert in network security controls, said Witt. “They take the time to understand peoples’ behaviors and how they fit into the organization, making it more likely to engender a response.” And for those who don’t have a trained eye, “it’s very hard to determine what’s legitimate and what isn’t.” According to Richardson, the most common targets include individuals in accounts receivable and supply chain, as well as ER staff.
- Don’t be fooled by logos. In one instance, cybercriminals targeted a health system that was undergoing a construction project. Using the name and logo of the builders, they sent an email to A/R claiming the builder had switched banks and that the account information needed to be re-entered. “On the surface, it looked good,” said Witt. Sadly, scams of this type succeed at a high rate. “Never underestimate the due diligence cybercriminals are taking to understand the environment and put together a compelling attack,” he added.
- Make it personal. In addition to providing more targeted training, particularly to those who are more likely to be targeted, Pierce urged leaders to position training in a way that benefits individuals both at home and at work. That way, people are more likely to follow best practices and will build mental muscle memory.
- Know your audience. In researching data from hundreds of hospitals, Proofpoint has identified several patterns, one of which is increased attacks on ER nurses. “They work in a high-stress environment, which could make them more vulnerable,” said Witt. They are also focused on patients rather than on administrative tasks such as email, so training for them shouldn’t be delivered solely over email.
- Feature more voices. When seeking funds from the board and conveying the importance of cybersecurity measures, it can’t just be the CISO or IS director making the case, said Richardson. “If you want to make it applicable to people, it can’t just come from security leaders — you need to have others involved.” CIOs, he added, need to keep their fingers on the pulse by working closely with security and constantly asking, ‘Where are the next threat opportunities? What should we be doing next?’
- Use data to build a case. Rather than relying on anecdotes, Richardson advised leaders to reference data and hard facts. “When you’re able to speak intelligently to the board and show the cost of being breached, it helps secure budget dollars,” he said.
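The vendor bank-change scam and the executive-impersonation emails described above share a small set of header-level tells: a trusted display name arriving from a domain that name never legitimately uses, a sender domain that merely resembles a trusted one, a Reply-To pointing somewhere else, and a request about payments or bank details. The following Python triage script is an added example, not code from the webinar, from Proofpoint or from Aspirus; the trusted-sender directory, the risk keywords, the similarity threshold and the three sample messages are all constructed for illustration.

```python
"""Imposter-email triage: flag messages whose sender identity does not match a
trusted-sender directory, or whose domain looks like a trusted domain.

Added illustration; not code from the webinar, Proofpoint or Aspirus.  The
directory, keyword list, threshold and sample messages are constructed.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed directory: display names staff expect to see, mapped to the only
# domain each one legitimately sends from (hypothetical .example domains).
TRUSTED_SENDERS: Dict[str, str] = {
    "todd richardson": "aspirus.example",
    "northwoods builders accounts": "northwoodsbuilders.example",
}
TRUSTED_DOMAINS = set(TRUSTED_SENDERS.values())

# Words that mark a payment-redirection request (constructed list).
PAYMENT_TERMS = re.compile(r"\b(bank|account|wire|routing|remit|invoice)\b", re.I)

# Similarity above which a domain is treated as a lookalike (assumed value).
LOOKALIKE_RATIO = 0.85


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph substitutions (0/o, 1/l, 3/e, 5/s, rn/m) so that
    'northwoodsbui1ders.example' compares equal to the real domain."""
    folded = domain.lower().replace("rn", "m")
    return folded.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None for an exact trusted
    domain or an unrelated one."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == trusted or difflib.SequenceMatcher(None, norm, trusted).ratio() >= LOOKALIKE_RATIO:
            return trusted
    return None


def assess(raw_message: str) -> Dict[str, object]:
    """Score one RFC 822 message and return a verdict plus the reasons for it."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    findings: List[str] = []
    expected = TRUSTED_SENDERS.get(display.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name '{display}' belongs to {expected} but mail comes from {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if PAYMENT_TERMS.search(msg.get("Subject", "") + " " + body):
        findings.append("message discusses payment or bank details")

    identity_issue = any(not f.startswith("message discusses") for f in findings)
    payment = any(f.startswith("message discusses") for f in findings)
    if identity_issue and payment:
        verdict = "hold for out-of-band verification"  # the vendor bank-change pattern
    elif identity_issue:
        verdict = "suspicious"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
BANK_CHANGE = """From: Northwoods Builders Accounts <ap@northwoodsbui1ders.example>
Reply-To: ap@northwoodsbui1ders.example
To: ar@aspirus.example
Subject: Updated remittance details

We have switched banks. Please update our account information before the next payment run.
"""

CEO_IMPOSTER = """From: Todd Richardson <todd.richardson.ceo@gmail.example>
Reply-To: richardson.todd@outlook.example
To: ar@aspirus.example
Subject: Urgent wire

Need a wire sent to a new vendor this morning, are you at your desk?
"""

LEGIT = """From: Todd Richardson <todd.richardson@aspirus.example>
To: wayne.pierce@aspirus.example
Subject: Board slides

Attached are the slides for Thursday.
"""

if __name__ == "__main__":
    for name, sample in (("bank change", BANK_CHANGE), ("CEO imposter", CEO_IMPOSTER), ("legit", LEGIT)):
        result = assess(sample)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The script only triages headers and keywords; it is not a substitute for the control that actually defeats the bank-change fraud, which is confirming any change of payment details by calling the vendor on a number already on file rather than one supplied in the email. Expect tuning in practice: a legitimate vendor that sends from a ticketing system will trip the Reply-To check, and the similarity threshold needs adjusting for short domain names, where a single-character difference already scores high.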
It also reinforces the idea that cybersecurity isn’t an IT or security initiative, but rather, an all-hands-on-deck effort. “We need to bring these threats forward,” said Pierce.
An archive of this webinar, Protecting Your Health System from Imposter-based Emails (sponsored by Proofpoint), is available for viewing.