Recently, I was contacted by a reporter from a major broadcast outlet who was following the news of a big hospital cyberattack. Her email landed in my inbox, and I immediately thought it must be a phishing scam. Why else would she be contacting me?
Before opening it, I did a search on the sender’s name and saw that she was, in fact, a real person, a journalist who worked at the specified outlet. My next thought was that her email must have been hacked by someone and they were using her identity to do some evil deed. So I responded to her, suggesting that her email account had been compromised. She replied, “Are you always this paranoid?”
The fact is, yes, I am paranoid by default when it comes to IT security. And that is very much advisable these days, because between COVID-19 and a raft of crippling cyberattacks at hospitals across the U.S., 2020 was not kind to healthcare.
Monthly averages for data breaches remain well above normal, according to HIPAA Journal. Check Point Research recently reported that the global daily average of ransomware attacks in the third quarter had increased by 50% over the first half of the year, owing partly to new IT vulnerabilities at hospitals hit hard by the pandemic. The uptick prompted the Cybersecurity and Infrastructure Security Agency, FBI, and the Department of Health and Human Services to issue a joint alert warning of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” outlining several sophisticated new strains of malware and ransomware.
Unfortunately, there’s no single cybersecurity solution or tactic that can ensure 100% security. So, let’s talk briefly about some common cybersecurity tactics and how they fall short, and then I’ll offer suggestions for best practices.
Common practices and pitfalls
Many hospitals rely on redundancies and network backups as the go-to solution to preserve data in case of an attack. There are a couple problems with this approach.
1. Although it may preserve data, it may not meet the operational need of allowing user access to the information.
2. Redundancies could simply be duplicating the malware. Viruses typically enter at a specific point and replicate themselves, spreading throughout a network over weeks or even months before being triggered. So, backups may simply be backing up the same infected database that contains the undetected malware.
Even if you try to rebuild your system, you could be rebuilding it complete with the embedded malware. At minimum, restoring your system won’t happen quickly, since you’ll need a deep dive into the database to ensure it’s clean.
Ditto for using cloud storage, which is simply another form of redundancy and backup. It can certainly offer protection from hardware or site failures, but it can still be compromised. And how are you going to access the cloud when your entire network is down?
Resorting to paper records is a common fallback plan, but printing copies in a hospital setting quickly gets expensive, and it’s a logistical challenge to distribute it to the proper locations. It can slow things down and make it hard to find the specific information you need.
Cybersecurity technology is a must-have, of course, and a critical piece of your defense strategy. But it’s hardly enough. At the end of the day, it all comes down to people, policies and procedures. After all, the biggest vulnerability in your system is its users.
As the headline implies, adopting a culture of paranoia — or at least suspicion — is a good start.
Why be paranoid? Because it’s the users of your system that represent the biggest weakness in your cybersecurity plan. By falling for phishing scams, social engineering or other tricks, your users are the lowest-hanging fruit for cybercriminals. You need to implement sound practices and ongoing testing routines, so you can periodically conduct a false phishing attack and see how your users respond. Think of it as an educational exercise to determine how cyber-savvy your staff is.
Cybersecurity contingency plans are must-haves. A data breach can be localized to one machine, or global, where your entire network is compromised. You need to have policies and procedures for both, and they should be covered in your HIPAA security analysis.
Here are a few other effective tools and tactics:
Anti-malware systems utilizing artificial intelligence. In the context of cybersecurity, AI is an amalgamation of fuzzy logic and learnings about previous attacks used to generate suspicion of something new. AI is especially helpful at a time when cybercriminals are constantly adjusting their tactics and growing more sophisticated in their approach. The threats are constantly changing. AI can help you keep up.
Traps and tests. Cybercriminals fight dirty, and so you can you. While they’re trying to access your data, think about creating an environment that looks like your data — but isn’t — to stop them from accessing the real thing. This gives you an opportunity to track the attackers’ information.
Ongoing training. Because users are your greatest weakness, training should be ongoing, and you should teach paranoia and mistrust as standard positions. Think about appointing someone as a staff IT liaison, so your users can ask direct questions or get a second opinion about potential threats or suspicious files or messages they encounter.
Multi-factor authentication. Employing this tactic means that obtaining a user’s name and password may not be enough to gain access to the system. While your users might complain about the inconvenience, it’s a no-brainer for cybersecurity.
What tactics have you found to be effective at bolstering cybersecurity at your organization?
If you have questions about cybersecurity solutions or how you can mitigate risk at your healthcare organization, contact us any time. We’d love to hear from you.