“I’m not sure you can overdo it right now.”
When it comes to protecting against security threats, healthcare organizations find themselves in a dicey position. At the same time they were rolling out solutions seemingly overnight to ensure patients could receive care and teams could work remotely, cybercriminals were identifying new opportunities to penetrate systems and gain access to valuable information.
To bad actors, Covid-19 presented an opportunity, and one that has proven difficult for CISOs and other security leaders to counter.
“Not only were new vendors introduced, but the speed at which technologies rolled out meant that for many organizations, a lot of the common security checks and controls that they would have put in weren’t necessarily implemented in a timely manner,” said Chris Frenz, CISO and AVP of IT Security at Mount Sinai South Nassau, during a recent webinar. And that means hospitals “now have to go back and look at what was done and make sure it was done to industry standard best practices.”
It also means hospitals need to get creative in their approach and utilize some of the same principles that were put into place to manage the pandemic when managing security, noted Ryan Witt (Managing Director of Healthcare, Proofpoint), who also participated in the discussion, along with Steve Dunkle, CISO at Geisinger Health System.
“We convinced a broad population of the need to wear masks and put some controls in place before we let people into your health system. It’s not that dissimilar from a cybersecurity standpoint,” said Witt. “You have to also persuade them of the need to do diligence; to look critically at emails and take a mask-oriented approach. Just as Covid-19 can happen, so can being attacked by a bad actor.”
During the discussion, the panelists identified the steps organizations can take to be better prepared for attacks — both now and in the future.
Mitigating Email Threats
A critical step, according to Witt, is understanding the importance of protecting email, which is “almost always the initial point of contact.” Below are some best practices shared by the panelists:
- Authentication is key. “You need to try to understand who you’re working with,” said Frenz. That starts by having a means or mechanism to authenticate that the email traffic coming into your system — “is coming from who it is purporting to come from.” One method he recommended is DMARC (Domain-based Message Authentication, Reporting and Conformance), which lets a domain owner publish a policy telling receiving mail servers what to do with messages that fail SPF or DKIM checks aligned with the From domain.
- Pick up the phone. Using plain old common sense certainly applies to vetting emails, according to Dunkle. “If it looks suspicious, it probably is.” The best thing to do is to get the organization on the phone and verify the request, especially if it’s in regard to payment.
- Assume the worst. It may seem drastic, but sometimes keeping the organization safe means viewing every email with a critical eye, particularly if the request “pulls at your heart strings,” said Witt. “Any email that tries to get you to act emotionally should set off bells.”
- Go to the sandbox. A very effective tool, according to Frenz, is filtering incoming communications and putting links and attachments through a sandbox to determine whether they’re malicious. “It’s a great way to discover some novel malware phishing attempts and build on training aspects.”
- Switch it up. Part of that training is to occasionally send simulated phishing emails as a way to test the staff. But one mistake that must be avoided is sending the same simulated attack every time. By changing it up, “you can keep users on their toes,” said Frenz, who also recommended putting vendors and suppliers through risk management processes to help vet their security posture.
- Go deep. Even for organizations that have solid filters in place, attacks will occasionally slip through, which is why defense in depth is so important, he added. “If you give it long enough, something’s always going to bypass that control. You need other controls in place to pick up the slack when that one control fails.”
- Know your vendors. Or, perhaps more accurately, know your relationship with your vendors, said Dunkle. If someone you haven’t been in touch with suddenly becomes very engaged, sending emails frequently and with urgency, raise the flag. “It’s better to be safe than sorry,” he noted. “Use your instinct. If something about it bothers you, there’s more than likely some justification to that.”
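The DMARC check Frenz recommends, as an added example that is not part of the webinar or its speakers’ material. The code parses a domain’s DMARC TXT record, checks whether the SPF or DKIM result a receiver computed is aligned with the visible From domain, and returns the disposition the published policy asks for. The records, domains and authentication results are constructed samples, and the organizational-domain lookup is a deliberate simplification (real receivers use the Public Suffix List). The last case is the practitioner’s caveat: a message from an attacker-registered lookalike domain with its own valid SPF passes DMARC cleanly, because DMARC proves which domain sent the mail, not that the domain is the business associate you think it is. That is why the “pick up the phone” advice still applies.

```python
# Added example (not from the webinar): a minimal DMARC policy evaluator.
# Given a domain's DMARC TXT record and the SPF/DKIM results a receiver
# computed for one message, decide whether the RFC5322.From domain is
# authenticated and which disposition the published policy requests.
# All records, domains and results below are constructed samples.

# Constructed DMARC records (hypothetical domains).
HOSPITAL_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                   "rua=mailto:dmarc@hospital.example")
LOOKALIKE_RECORD = "v=DMARC1; p=none"   # attacker-registered lookalike domain


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing or wrong v= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for the example only; real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r",
    the default) only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the RFC5321.MailFrom domain SPF was evaluated against;
    dkim_domain is the d= tag of a DKIM signature that verified. Pass None
    for a mechanism that produced no usable domain.
    """
    tags = parse_dmarc(record)
    spf_pass = (spf_result == "pass" and spf_domain is not None
                and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_pass = (dkim_result == "pass" and dkim_domain is not None
                 and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_pass or dkim_pass:
        return True, "none"
    # No aligned pass from either mechanism: apply the published policy.
    # A subdomain of the organizational domain uses sp= when present,
    # otherwise it inherits p=. A record without p= is treated as p=none.
    policy = tags.get("p", "none")
    if org_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    # Legitimate mail relayed by the hospital's own MTA: SPF aligned (relaxed).
    print(evaluate(HOSPITAL_RECORD, "hospital.example",
                   "pass", "mail.hospital.example", "fail", None))
    # Spoofed From, signed by an unrelated vendor domain: strict DKIM fails -> reject.
    print(evaluate(HOSPITAL_RECORD, "hospital.example",
                   "pass", "bulk-sender.example", "pass", "vendor.example"))
    # Spoofed subdomain with nothing passing: sp= governs -> quarantine.
    print(evaluate(HOSPITAL_RECORD, "billing.hospital.example",
                   "fail", None, "fail", None))
    # Lookalike domain the attacker owns: DMARC passes, the name is the lure.
    print(evaluate(LOOKALIKE_RECORD, "hospital-billing.example",
                   "pass", "hospital-billing.example", "fail", None))
```

The first three cases show what a published p=reject/sp=quarantine record buys the hospital against direct spoofing of its own domains; the fourth shows the limit of the control, which is why the vendor-relationship and phone-verification advice above still matters.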
Frame Your Case
One of the most important components in safeguarding an organization is being able to communicate risks in a way that resonates with users. The first step in doing that, according to Frenz, is educating yourself about the vertical. “You have to frame your case in ways that the doctors are going to understand.” While they might not be interested in the specifics of guarding against an attack, they do understand the concept of availability: that systems being available is critical to patient care. So it’s a matter of understanding their needs and phrasing security needs in that same regard.
Frenz advised pointing out that security, IT and clinical have common goals, and that the ultimate aim of security isn’t to make it harder for them to do their job, but to help promote patient safety.
Dunkle agreed, adding that increasing awareness is something security leaders need to be doing, whether that means speaking at department meetings or holding conversations to let people express their concerns. “It’s making people understand that you care, you have a passion for this, and you need their help.”
In This Together
Although the targeted departments are always changing, Witt noted that going forward there will likely be a heavy focus on supply chain, for a few reasons. One, supply chain employees routinely interact with third parties and are therefore more likely to open attachments. Two, it deals with money, which is always a motivator. Three, it’s not difficult for an attacker to mimic the relationships supply chain has with other departments and with outside vendors.
“Cyber criminals are really oriented on this sort of threat vector,” he added. “And I don’t think we’re going to see that change anytime soon.”
There is, however, one thing organizations can do to help defend against this: share threat intelligence. Bad actors already share intelligence among themselves, and health systems should do the same, said Frenz. “If we want to stay on top of keeping ourselves protected, we as defenders need to begin to do the same thing. We need to keep in mind that we’re all in this together, that any threat one hospital sees is likely to be seen by others. And the more open we can become about the challenges we face and what we’re doing to solve those challenges, I think the better off we all are going to be.”
The archive of this webinar, Devising Defenses to One of Your Top Security Threats: Business Associate Imposter Emails (sponsored by Proofpoint), is available online.