You’re not imagining it, and you’re not alone. Cyber crime is on the rise. The threats keep getting bigger and more frequent. The FBI and HC3 (the Health Sector Cybersecurity Coordination Center) have recently published numerous warnings about ransomware threats to healthcare, such as Karakurt, EvilCorp, APT41, and others.
It might seem there’s little you can do except take your chances. But that’s not true. No matter the type or size of your organization, you can take simple steps to fight back and defend your data. Criminal hackers, even at these bigger enterprises, still use fairly basic tricks to steal data from healthcare networks, and some simple defenses can stop many of them.
Along with basic steps you can take today, there are critical high-tech strategies to increase cybersecurity, and they can be found at HC3 or The Cybersecurity and Infrastructure Security Agency (CISA). But today’s focus is the less technical, relatively quick changes you can make to strengthen your defenses.
The HIPAA Security Rule requires these defenses, so if you’re not using them, or are concerned that what you have is not strong enough, you can improve your HIPAA compliance at the same time.
Cyber Threat Landscape
Cybercrime has evolved into a mature, profitable industry. Twenty years ago, lone-wolf cyber criminals and small groups were the prevalent threats, but those days are gone. Today criminal hackers are more sophisticated, operating out of major commercial enterprises run like businesses with trained employees. Many of them are sponsored by nation states such as China, Russia, Iran or North Korea.
Cyber criminals’ business is to target, steal and exploit personal data. Healthcare data are especially valuable to cyber criminals because they can be used to impersonate patients for expensive medical services, for Medicare and Medicaid benefits and prescriptions. Criminals often profit twice, first by obtaining ransom payments for the data return, and then by selling data on the Dark Web.
One troubling development is the growth of extortion alongside ransomware. Criminals threaten to publish the data if they’re not paid, and return of the data may not even be part of the deal. In these cases, having a data backup doesn’t help.
Eric Cole and David Kris of Theon Technology, with decades of IT and legal experience, recently spoke about evolving threats in healthcare cybersecurity with Marianne Kolbasuk McGee of BankInfoSecurity.com. They explain that cyber criminals are highly sophisticated and their tactics are dynamic and evolving, so healthcare cybersecurity needs to evolve and grow.
You can listen to their full interview here.
The Rise of Sophisticated Phishing
The main cyber criminal entry points today are through a person, usually a workforce member. Attackers use phishing techniques, but these have evolved and are more difficult to detect. In the early days phishing emails contained obvious misspellings, were awkwardly worded, or carried a false tone of urgency. Today cyber criminals make phishing emails that appear legitimate. They may appear to come from a delivery service, e.g., UPS or FedEx, or an authoritative government site, e.g., HHS or USPS. They may ride in on malware from a third-party vendor, like an HVAC contractor or cash register point-of-sale software – all they need is for the email recipient to click an embedded link or open an attachment.
Cyber Defense Tactics
From a compliance and legal perspective the absolute best thing you can do is create appropriate defenses up front so you’re less vulnerable. HIPAA Risk Analysis and Risk Management contain all the guideposts required for cyber defense.
At a minimum, better cybersecurity requires:
- Daily offsite data backup
- Appropriate access management controls, including multi-factor authentication (MFA)
- Strong password management
- A contingency plan, with tabletop exercises to practice data restoration so you’re ready if you are hit
- Cybersecurity awareness training for the workforce. The workforce is both the weakest link and, when equipped with knowledge and awareness, the strongest defense.
Experts Cole and Kris go further and urge healthcare organizations to automatically block attachments and embedded links from external email. This removes the human error factor caused by staff clicking links that appear legitimate.
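One way such a policy can be enforced at a mail gateway or filtering stage, as an added example that is not part of the original article or of Theon Technology’s work: classify the sender as external by comparing its domain against the organization’s own domains (the domain list and the sample message below are assumptions constructed for the demo), then drop every attachment and neutralize every URL in the text body of external mail while leaving internal mail untouched.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumption: the organization's own mail domains; any other sender is "external".
INTERNAL_DOMAINS = {"clinic.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_external(msg: EmailMessage) -> bool:
    """True when the From: address does not belong to one of our own domains."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def sanitize_mail(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message. For external senders, drop every
    attachment and replace every URL in the plain-text body with a marker."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"external": is_external(msg), "attachments_removed": 0,
              "attachments_kept": 0, "links_removed": 0, "body": ""}
    texts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container only, no content of its own
        if part.get_content_disposition() == "attachment":
            key = "attachments_removed" if report["external"] else "attachments_kept"
            report[key] += 1              # external: never delivered to the user
            continue
        if part.get_content_type() == "text/plain":
            text = part.get_content()
            if report["external"]:
                text, n = URL_RE.subn("[link removed by mail policy]", text)
                report["links_removed"] += n
            texts.append(text)
    report["body"] = "\n".join(texts)
    return report


def build_sample(sender: str) -> bytes:
    """Constructed sample: a delivery-themed lure with a link and a PDF attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "nurse@clinic.example"
    m["Subject"] = "Your package is waiting"
    m.set_content("Track your delivery: https://track.example/abc123\nThanks")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

Run `sanitize_mail(build_sample("UPS Tracking <noreply@track.example>"))` to see an external lure stripped, and the same call with an internal sender to see it pass through unchanged.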
They also encourage the use of zero trust security in the IT architecture. In a zero trust network, devices are “not trusted by default, even if they are connected to a permitted network such as a corporate local area network, and even if they were previously verified.” (from Wikipedia). Without zero trust, once an attacker gets access to one computer inside they can spread rapidly through the environment and have wide access to data throughout the network. Segmenting connections with trust verification in between means if one device is compromised it won’t necessarily spread.
They also point out that today most attacks are Windows based – not because Windows is more vulnerable, but because it is the prevailing operating system in use, including in healthcare. A short-term solution is to provide healthcare professionals with non-Windows devices, like Android devices, tablets, and iPads. This should greatly reduce the probability that malware will travel freely and damage the system.
Ramp Up Cyber Defense Today
Unfortunately, the cyber landscape will only get more dangerous as criminal tactics evolve. Still, you can do more today to protect data now and in the future.
Review your HIPAA compliance program and make sure you have a recent Risk Analysis completed and documented. Use a zero trust security model in your IT networks and engage the workforce to defend against the most common phishing tactics.
Small steps can save money, time and resources and keep your data safe.