All the warning signs have been pointing to a rise in security breaches within the healthcare industry. Just yesterday, MedStar Health based in Washington D.C. fell victim to an alleged ransomware attack. How can this happen given such heightened awareness around security vulnerabilities?
Hackers' Best Tactic Is Social Engineering
Some of the data security problems in the healthcare industry are due to the lack of IT resources to protect critical business systems. Also, because healthcare is considered critical infrastructure, cybercriminals have a better chance of successfully convincing a healthcare facility to pay the ransom, since more time offline means more danger to patients. Just take a look at the recent Methodist Hospital data breach in Kentucky.
However, when it comes to ransomware, lack of security technology cannot always be blamed. Most computers get infected with ransomware when people browse websites and click on something that interests them. Instead of seeing an ad, for example, they end up downloading malware without knowing it.
This is called social engineering, and online fraudsters have been perfecting this method for years. A good example is when Wal-Mart was subject to this type of attack a few years ago. They even had strict security measures in place, and they weren’t enough.
As healthcare companies become increasingly aware of the security risks due to the onslaught of recent security breaches, policies will need to be updated in order to safeguard from these types of attacks.
Unfortunately, updating browsers, firewalls, antivirus, and the OS is not going to help that much. These are great ways to help support a secure infrastructure and certainly in IT’s power to implement, but they don’t stop social engineering tactics. Social engineering is a far more devious tactic that sidesteps the security controls IT has in place.
John's Loneliness is a Security Risk
Educating your users is helpful, but it still leaves too much trust in their hands. Hackers have gotten really good at tricking their victims into doing something they would otherwise be skeptical of.
Here is a fictional example of a commonly used tactic:
John works in the Maternal & Infant Center and is grinding through another slow shift. He has been fairly lonely since his divorce a couple years ago and wants to meet someone new.
He had been married for 30 years, so this online world of dating is entirely foreign to him. But he has a good friend who wants to help. His friend sent him an email introducing him to a lady around his age in another state who is in a similar situation.
John has since been emailing back and forth with this person for the past few days. She sends him an attachment of what she claims is a picture of her and some of her friends. John clicks on the attached exe file and runs the executable. But wait…this isn’t a picture?
This Story Ends
This spear phishing attack story ends with John’s computer being infected. Eventually the entire hospital’s infrastructure is infected, encrypting everyone’s data, and a hacker extorts the hospital for thousands of dollars.
Avoiding a Security Breach
There are two ways that this situation could have been prevented. Had John not had the ability to download that exe file to his computer, the infection would not have had the chance to take hold in the first place. That fix is simply configuring user access rights in Active Directory.
But even better, if John had the education and training, he would have known to always pay attention. John might then have noticed that his friend’s email was actually coming from a slightly different email address.
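The "slightly different address" John missed is something a mail gateway or address-book plugin can flag mechanically. The following is an added example, not code from the original post: it compares an incoming sender address against a constructed, placeholder address book, folds common lookalike characters (rn/m, 1/l, 0/o), and reports exact matches, near-misses, and strangers separately.

```python
from difflib import SequenceMatcher

# Constructed sample address book: the contacts a user actually corresponds
# with. These are placeholder addresses, not real accounts.
KNOWN_CONTACTS = {
    "mike.friend@example.com",
    "pat.colleague@hospital.example.org",
}

# Character swaps commonly used to make one address look like another.
# Folding them before comparison makes "exarnple" and "examp1e" read as "example".
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(addr: str) -> str:
    """Lower-case an address and fold common lookalike characters."""
    folded = addr.strip().lower().translate(_HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def classify_sender(sender: str, known=KNOWN_CONTACTS, threshold: float = 0.85):
    """Return (verdict, closest_known_contact).

    'known'     : exact address-book match (case-insensitive)
    'lookalike' : differs from a known contact only by homoglyphs or a small
                  edit, e.g. 'example.co' instead of 'example.com'
    'unknown'   : resembles nobody in the address book
    """
    exact = sender.strip().lower()
    if exact in known:
        return "known", exact
    ns = normalize(sender)
    best, best_score = None, 0.0
    for contact in known:
        nk = normalize(contact)
        if ns == nk:
            return "lookalike", contact  # differs only by homoglyphs
        score = SequenceMatcher(None, ns, nk).ratio()
        if score > best_score:
            best, best_score = contact, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample of sender addresses seen on incoming mail.
    for s in ["Mike.Friend@example.com", "mike.friend@exarnple.com",
              "mike.friend@example.co", "totally.different@othermail.example"]:
        print(f"{s:40} -> {classify_sender(s)}")
```

A 'lookalike' verdict is the case worth surfacing to the user or quarantining: the mail claims to come from someone they know, but the address does not match the one on file.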
John’s personal email account had already been compromised. When that happens, your business is next on the list.