“You have to move to the cloud sometime.”
It’s a belief held by most, if not all, healthcare IT leaders, and for good reasons. Cloud services can help lower operating costs and run a more efficient infrastructure, while offering the ability to scale as needed.
“There’s a lot of value in moving it to the cloud,” said Ryan Witt, Managing Director of Healthcare for Proofpoint, during a recent webinar. “You don’t want to be involved in having to manage servers.”
What it doesn’t offer, however, is increased security. In fact, “those environments are just as vulnerable and are attacked even more often,” not just because more data are available in the cloud, but because credentials can be accessed, which is the “holy grail” for bad actors, he added. “You can outsource the capability to Microsoft or anyone else for that matter, but you can’t outsource the responsibility for safeguarding that data and safeguarding your email environment. You need to make sure you have security controls in place, just as you would when everything is on premises.”
During the webinar, Witt and co-panelists Chuck Podesta (who at the time of the webinar was Interim CIO, UConn Health – and now is CIO at Renown Health) and Steven Goriah (CIO, Westchester Medical Center Health Network) discussed the security implications of moving email to the cloud, and shared best practices for safeguarding data.
The first step, according to Podesta, is recognizing that the threat landscape has evolved dramatically, and will continue to do so. For example, whereas five years ago, PHI was the top concern, that type of breach now “seems like child’s play” compared to ransomware, which can result in huge financial losses and, in some cases, weeks of downtime. “The game is totally different,” he said.
Ransomware, however, isn’t the only threat, according to Witt, even though it dominates the headlines. What’s just as damaging is fraud, which is largely done through phishing emails. As many as 54 percent of all attacks come from legitimate file shares, which cybercriminals utilize to break into the system and launch fraudulent attacks. “That’s what we see most on a day-to-day basis,” he noted. “Those are the ones that cost healthcare organizations the most.”
Identifying the “big fish”
Because the cost can be so detrimental — not just to the bottom line, but to the organization’s reputation — it’s critical that IT and security leaders adopt a multifaceted approach to security.
One of the most important steps, said Witt, is identifying the most likely targets. And although they can differ from one organization to the next, areas like finance and clinical research tend to be the most sought-after.
“We know who the top victims are,” said Goriah, whose team recently transitioned email to its Microsoft platform in the cloud. “We know ‘big fish’ that are getting spammed more than anyone else. We run analytics and statistics on these things daily, and we’re tailoring efforts toward those groups.”
The next move is to determine what controls are needed to help safeguard data, and what actions must be taken. One of those is privileged access management, which enables organizations to ensure data access is limited to those who need it, and removed when that’s no longer the case. This step, said Goriah, is critical. “You can do all the education and have all the right tools, but somebody is going to get in at some point.” And once that happens, “You want to make sure they’re limited in what they can do, and they can’t crawl across the network and get to someone who has elevated access to change credentials,” he said.
It’s a major focus at Westchester, and will continue to be for the foreseeable future. “You think you’re in control, but you’re not,” he added. “You’re always fighting against the new threat that’s out there.” However, knowing which individuals or departments carry the highest risk can help leaders create targeted educational programs.
“A multi-faceted approach”
The challenge when it comes to education, however, is that there’s no one-size-fits-all approach. For some individuals, regularly scheduled online training courses are sufficient. On the other hand, those who have failed multiple phishing tests are required to attend “intense” one-on-one sessions with security experts, and are continuously monitored to ensure no further missteps, said Podesta.
“You can’t have people who are constantly violating it,” he added. “It puts the organization at extreme risk.”
Another tactic is to replace online training with in-person instruction, said Goriah. His team found that “being in front of that person and looking them in the eye to convey the seriousness of clicking on links” has made a significant impact. But regardless of the method being utilized, what’s critical is to understand that cybersecurity “is a multifaceted approach,” he noted. “It’s not a one-phase approach. You need to attack it from all angles and prevent it from coming in. But at the same time, be aware that they are going to get in somehow, and make sure you have controls in place to limit what they can do.”
Although it may sound fatalistic, the reality is that cyberattacks have become increasingly sophisticated, and the emails appear so legitimate that even experts can click on a bad link. In fact, Podesta admitted that he almost failed a phishing exercise. “We’re really seeing an uptick in how good these emails are,” he said. “It’s getting harder and harder.”
It’s a trend that will likely continue, according to Witt, with bad actors now leveraging social engineering to gather information such as job function, where an individual fits within an organization, and what data he or she can access. Once that has been obtained, they’re able to write “a very compelling lure with all the right vernacular that would make you want to interact,” he noted. “It’s happening. I can’t over-emphasize how sophisticated these lures now are getting.”
And even when organizations boast high scores from phishing exercises, they may not be in the clear. In fact, as part of UConn’s massive cleanup effort, Podesta’s team has detected dormant accounts that have been compromised without anyone knowing. “You need to do something about those accounts. That’s just as important as trying to stop things on the front end.”
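The dormant-account problem Podesta describes has a simple detection shape: an account nobody has used for months is a candidate for disabling, and an account that has been idle for months and then suddenly authenticates deserves a review, because the real owner is not around to notice anything odd. The following script is an added example, not code from the webinar, Proofpoint, UConn Health or Westchester; the directory list, the sign-in export and the 90-day threshold are all constructed for illustration, and a real deployment would read the same two inputs from the identity provider’s sign-in logs instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the webinar): the directory of mail-enabled
# accounts and an export of successful sign-in events as (account, ISO timestamp).
DIRECTORY = ["a.jones", "b.smith", "c.lee", "d.khan"]
SIGN_INS = [
    ("a.jones", "2024-01-03T09:12:00"),
    ("a.jones", "2024-01-04T08:55:00"),
    ("b.smith", "2023-06-10T14:20:00"),
    ("c.lee", "2023-02-01T10:00:00"),
    ("c.lee", "2024-01-02T03:14:00"),   # first activity in almost a year
]
AS_OF = datetime(2024, 1, 10)          # constructed "today" for the report
DORMANT_AFTER = timedelta(days=90)     # assumed policy threshold


def sign_ins_by_account(records):
    """Group parsed sign-in timestamps per account, oldest first."""
    grouped = defaultdict(list)
    for account, stamp in records:
        grouped[account].append(datetime.fromisoformat(stamp))
    for stamps in grouped.values():
        stamps.sort()
    return grouped


def dormant_accounts(directory, records, as_of=AS_OF, threshold=DORMANT_AFTER):
    """Accounts with no sign-in inside the threshold window, or none at all.

    These are candidates for disabling: an enabled mailbox nobody uses is an
    account nobody is watching. Accounts missing from the sign-in export
    entirely are included, since 'never used' is the most dormant state."""
    grouped = sign_ins_by_account(records)
    dormant = []
    for account in directory:
        stamps = grouped.get(account)
        if not stamps or as_of - stamps[-1] > threshold:
            dormant.append(account)
    return sorted(dormant)


def reactivated_after_dormancy(records, threshold=DORMANT_AFTER):
    """Sign-ins that follow an idle gap longer than the threshold.

    A long-idle account that suddenly authenticates is the pattern behind a
    compromise that goes unnoticed. Returns (account, gap_in_days, sign_in_time)
    for each such event so the owner and the source can be reviewed."""
    hits = []
    for account, stamps in sign_ins_by_account(records).items():
        for previous, current in zip(stamps, stamps[1:]):
            gap = current - previous
            if gap > threshold:
                hits.append((account, gap.days, current))
    return hits


if __name__ == "__main__":
    print("dormant, candidates for disabling:", dormant_accounts(DIRECTORY, SIGN_INS))
    for account, days, when in reactivated_after_dormancy(SIGN_INS):
        print(f"review {account}: signed in at {when} after {days} idle days")
```

On the constructed data the first check flags `b.smith` (last seen seven months ago) and `d.khan` (never signed in), while the second flags `c.lee`, whose early-January sign-in came after roughly 334 idle days. The two checks are deliberately separate: the first drives a disable-or-justify workflow on a schedule, the second is an alert that should fire as soon as the sign-in lands.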
Goriah agreed, adding that leaders must always “keep your eyes open, and do not assume risks have been mitigated” — even if the organization has allocated time and resources toward it. “You can have all the greatest tools, but unless you have the processes behind the tools and ability to execute in a strategic way, following best practices and focusing on the culture of security, tools aren’t enough,” he said. “It has to be a holistic view of cybersecurity across the board.”
The archive of this webinar — Exploring the Security Considerations of Moving Your Email to the Cloud (Sponsored by Proofpoint) — is available online.