"Phil,
I am about to run into a meeting and need some Visa Gift cards for a
customer. Can you run to the store and pick up $500 in Visa Gift cards
and then send me the numbers?
Thanks,
John"
By now, we all have received this email or know someone who has. The name is from
someone in our organization, but the email address is not familiar. Maybe our
coworker sent it accidentally from their personal email address? Perhaps they
did, but chances are it is an attempt at getting you to send some money to
someone you do not know.
Unfortunately, not all of these attempts are as easy to recognize as the example
above. There are numerous scam emails out there today. Not only are these
scammers trying to get some quick revenue, but some are also trying to gain
access to your email address, password, or some other type of personal data.
While some of the consequences of these types of data breaches are evident
immediately, many will only become apparent weeks or even months after your
misguided actions.
Ten years ago, these attempts at hacking were usually made by an individual
working out of their parents' basement using tools that they had created
themselves. Now, most hacking and scams are perpetrated by organized entities
who use off-the-shelf hacking programs from the dark web. What was originally a
thrill or an attempt to make a few dollars is now a multi-billion dollar
industry.
The most significant risk to the security of the healthcare industry is not a
brute force attack on a hospital's servers. It is human error. According to CSO
Online *, 81% of the healthcare industry's cybersecurity incidents are the
result of an employee's actions. Hijacked passwords, stolen laptops, lost thumb
drives, and malicious employees intentionally stealing data are the leading
causes of breaches in the healthcare industry. Because of human nature, we as
individuals tend to set passwords that are personal, memorable, and use a word
or phrase that makes sense. Often, a person's email password is the same
password used to sign into their facility's network or numerous software
programs. Herein lies the danger to the healthcare industry.
The use of managed and/or encrypted hard drives and portable drives can
alleviate much of the risk from stolen items. However, human behavior is not as
easily corrected. Today's digital criminals are getting better at manipulating
people into performing actions and divulging information through a technique
known as "Social Engineering."
"Social Engineering"
is a technique that uses human decision-making to influence a person to accept a
given scenario because of social proof, a perception of authority/credibility,
or by masquerading as a trusted figure. Within the category of "Social
Engineering" are attack behaviors that may be used individually or in
combination.
Pretexting is an act of Social Engineering, where a "bad
actor" engages a target with the intention of gaining enough information about
them that they can then impersonate the target. In the digital world, we
celebrate birthdays on Facebook, list our resumes on LinkedIn, post pictures of
ourselves on Instagram, and speak our thoughts on Twitter. A dedicated criminal
can use this information to impersonate the target or impersonate a co-worker,
the police, your bank, the IRS, or any other person with perceived authority. By
imitating a person or entity we trust, these criminals will request information
that we would usually not give to strangers.
Phishing is a method whereby the phisher (our same digital criminal) sends mass
emails attempting to get an individual to give up personal information or
perform an action designed to expose that same personal information. These
types of attacks vary in complexity, with some of the more sophisticated ones
referring the recipient to a website that looks identical to a legitimate,
familiar site. These types of attacks usually attempt to gain access to a
person's email account. Once in a target's email account, the phisher has
access to information about our banking and credit card accounts and a ton of
personal information to be used for pretexting attacks against the contacts in
our email account. Spear-phishing is closely related to phishing, but the
emails are targeted and personalized using information gained through the
aforementioned pretexting attacks.
Example:
Jane receives an email from her friend Phil inviting her to a party with a
link to RSVP at the end of the email. Jane is reasonably
cybersecurity-savvy, so she checks the sending email address and name. These
two items are correct, so she clicks the link. Clicking the link takes her
to a website that accepts her RSVP and gives her details about the party.
She then emails Phil thanking him for the invite and tells him she will
attend the party. Her friend replies and all seems well.
What Jane didn't know is that Phil had his email hacked months ago because his
password was "DallasCowboys#1" and he had professed his undying fandom for the
Dallas Cowboys to anyone who would listen on Facebook and Twitter. The digital
criminals accessed Phil's emails and learned that he had been emailing with
Jane about a surprise party for Phil's wife. When Jane clicked the link to
RSVP, in addition to taking Jane to the RSVP page, code behind the link also
provided the criminals with Jane's email account and password. Because the
criminals had access to Phil's email account, they were able to set up a rule
that routed any emails from Jane to a different email account and then deleted
them from Phil's account before they ever reached his inbox. The hackers then
sent a reply to Jane and removed the sent email directly from Phil's email
account.
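The mailbox rule described above (mail from one sender redirected to an outside address and deleted so the account owner never sees it) is a pattern a mail administrator can look for. The following is an added example, not code from the original article: it scans a constructed list of simplified rule records (hypothetical field names, assumed organisation domain example-hospital.org) and flags the combinations that match this scenario.

```python
"""Flag mailbox rules that match the Phil/Jane takeover pattern.

The rule dictionaries are a constructed, simplified representation
(hypothetical field names), not the export format of any real mail
server; normalise a real export into this shape before scanning.
"""

ORG_DOMAIN = "example-hospital.org"  # assumed organisation domain

# Constructed sample: one benign filing rule, the attacker's rule that
# diverts Jane's mail and deletes it, and a benign internal forward.
SAMPLE_RULES = [
    {"name": "Newsletters", "from": None, "forward_to": [],
     "move_to": "Newsletters", "delete": False},
    {"name": ".", "from": "jane@example-hospital.org",
     "forward_to": ["collector@mailbox-drop.example"],
     "move_to": None, "delete": True},
    {"name": "Copy to assistant", "from": None,
     "forward_to": ["assistant@example-hospital.org"],
     "move_to": None, "delete": False},
]


def is_external(address, org_domain):
    """True when the address belongs to a domain other than org_domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != org_domain.lower()


def find_suspicious_rules(rules, org_domain=ORG_DOMAIN):
    """Return (rule name, [reasons]) for every rule worth a closer look.

    Checks are independent, so one rule can be flagged for several
    reasons; the full combination (external forward + delete + single
    sender) is exactly what the scenario above describes.
    """
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule["forward_to"] if is_external(a, org_domain)]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if rule["delete"]:
            reasons.append("deletes messages after processing")
        if rule["from"] and (external or rule["delete"]):
            reasons.append("singles out one sender: " + rule["from"])
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```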
Because Jane had once emailed Phil from her work account, these digital
criminals have her work email. Also, because Jane uses the same password across
her work and personal email accounts and her hospital's RIS system, the digital
criminals now have access to the hospital's network of software and IoT
equipment. These criminals can now encrypt the records and hold them for
ransom, or extort the hospital under the threat that they will publicly release
the patient data and thereby have the hospital violate HIPAA.
By the time Jane finds out that Phil didn't send the email
with the RSVP link, it is too late. The digital criminals have changed her
password to the hospital network, and her hospital now has a full-blown
breach of patient data.
Sound far-fetched?
An article from IBM's Security Intelligence states that, according to the 2018
Thales Data Threat Report, 70%** of healthcare organizations around the world
have experienced a data breach. The cost of each breached medical record
averaged $408***, with an average cost to the medical facilities of
$717,000****.
Hope is not a Strategy
Within most healthcare
organizations, cybersecurity accounts for 4-7% of total IT budgets. So what can
be done?
- Use unique passwords for each of your personal and work email accounts.
- Do not use the same password for your facility's software network and email account.
- Avoid providing personal information when answering emails.
- If you receive a suspicious email, report it immediately to your IT department.
- Set a calendar reminder to change your passwords (if your company doesn't mandate password changes).
- Acknowledge that changing your password from "password1" to "password2" is lazy and puts both your personal information and your organization's information at risk.
- Don't send Visa Gift card information to anyone over email.
- * Taylor Armerding, "Healthcare breaches need a cure for human errors," CSO, 19 Jan. 2015, https://www.csoonline.com/article/2871215/data-breach/healthcare-breaches-need-a-cure-for-human-errors.html
- ** "AMA Passes First Policy Recommendations on Augmented Intelligence," HIPAA Compliance | American Medical Association, 14 June 2018, https://securityintelligence.com/news/security-breaches-in-healthcare-70-percent-of-organizations-hit-globally-report-shows/
- *** Heather Landi, "Healthcare Data Breach Costs Remain Highest at $408 Per Record," Healthcare Informatics, 13 July 2018, https://www.healthcare-informatics.com/news-item/cybersecurity/healthcare-data-breach-costs-remain-highest-408-record
- **** Julie Spitzer, "The cost of a data breach in healthcare averages $717k: 5 report findings," Becker's Health IT & CIO Report, 06 April 2018, https://www.beckershospitalreview.com/cybersecurity/the-cost-of-a-data-breach-in-healthcare-averages-717k-5-report-findings.html