

"Hey, you got any of those Visa Gift Cards?"

Rise of the Machines

I am about to run into a meeting and need some Visa Gift cards for a customer. Can you run to the store and pick up $500 in Visa Gift cards and then send me the numbers?

By now, we have all received this email or know someone who has. The sender's name belongs to someone in our organization, but the email address is not one we recognize. Maybe our coworker sent it by accident from a personal address? Perhaps, but far more likely it is an attempt to get you to send money to someone you do not know.
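The tell in that email is a familiar display name on an unfamiliar address. The check below is an added example (not code from the original post) that flags exactly that pattern: the From display name matches a known employee while the sender address sits outside the organization's domain, with a Reply-To mismatch and the gift-card lure as secondary signals. The internal domain, the staff directory and both sample messages are constructed for illustration.

```python
"""Display-name impersonation check for the gift-card scam described above.

Added example; not code from the original post. The internal domain, the staff
directory and the sample messages below are all constructed for illustration.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

ORG_DOMAINS = {"example-hospital.org"}            # assumed internal domain(s)

# Constructed staff directory: display name as it appears in the address book.
DIRECTORY = {
    "Pat Doe": "pat.doe@example-hospital.org",
    "Sam Lee": "sam.lee@example-hospital.org",
}

GIFT_CARD = re.compile(r"gift\s*card", re.IGNORECASE)


def _norm(name: str) -> frozenset:
    """Order-insensitive token set so 'Doe, Pat' and 'Pat Doe' compare equal."""
    return frozenset(re.sub(r"[^\w\s]", " ", name).lower().split())


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg) -> str:
    """Concatenate all text/plain parts (walk() also yields a single-part message)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> list:
    """Return the reasons a message looks like display-name impersonation.
    An empty list means nothing suspicious was found."""
    msg = message_from_string(raw)
    # decode_header/make_header undo RFC 2047 encoded words in the display name
    name, address = parseaddr(str(make_header(decode_header(msg.get("From", "")))))
    address = address.lower()
    reasons = []

    # 1. The name is a colleague's, the address is not.
    for known_name, known_addr in DIRECTORY.items():
        if _norm(name) == _norm(known_name) and address != known_addr:
            where = "external" if _domain(address) not in ORG_DOMAINS else "a different internal"
            reasons.append(f"display name matches {known_name} but sender is {where} address {address}")
            break

    # 2. Replies would go somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        reasons.append(f"Reply-To {reply_to} differs from From")

    # 3. The lure itself.
    if GIFT_CARD.search(msg.get("Subject", "") + "\n" + _body_text(msg)):
        reasons.append("message asks about gift cards")
    return reasons


# Constructed sample messages (not real mail).
SCAM = """\
From: Pat Doe <pat.doe.exec@freemail.example>
To: jane@example-hospital.org
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

I am about to run into a meeting and need some Visa Gift cards for a customer.
Can you pick up $500 in Visa Gift cards and send me the numbers?
"""

LEGIT = """\
From: Pat Doe <pat.doe@example-hospital.org>
To: jane@example-hospital.org
Subject: Agenda for Monday
Content-Type: text/plain; charset="utf-8"

Attached is the agenda. See you Monday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, check_message(raw) or "clean")
```

In practice the directory comes from the address book or HR feed, and the result feeds a mail gateway rule or a banner ("external sender using an internal name") rather than a hard block, since a genuine colleague on a personal account would trip the same check.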

Unfortunately, not all of these attempts are as easy to recognize as the example above. Numerous scam emails circulate today, and the scammers are not only after quick revenue; some are also trying to obtain your email address, your password, or other personal data. While some consequences of these breaches are evident immediately, many only become apparent weeks or even months after the misguided action.

Ten years ago, these hacking attempts were usually made by an individual working out of their parents' basement with tools they had written themselves. Now, most hacking and scams are perpetrated by organized groups using off-the-shelf hacking tools bought on the dark web. What began as a thrill, or an attempt to make a few dollars, is now a multi-billion dollar industry.

The most significant risk to the security of the healthcare industry is not a brute-force attack on a hospital's servers. It is human error. According to CSO Online*, 81% of the healthcare industry's cybersecurity incidents are the result of an employee's actions. Hijacked passwords, stolen laptops, lost thumb drives, and malicious employees intentionally stealing data are the leading causes of breaches in the healthcare industry. By nature, we tend to choose passwords that are personal, memorable, and built from a word or phrase that makes sense to us. Often, a person's email password is the same one used to sign into their facility's network and numerous software programs. Herein lies the danger to the healthcare industry.

The use of managed and/or encrypted hard drives and portable drives can alleviate much of the risk from stolen items. Human behavior, however, is not as easily corrected. Today's digital criminals are getting better at manipulating people into performing actions and divulging information through a technique known as "Social Engineering."

"Social Engineering" is a technique that exploits human decision-making to get a person to accept a given scenario, whether through social proof, a perception of authority or credibility, or by masquerading as a trusted figure. Within the category of "Social Engineering" are several attack behaviors that may be used individually or in combination.

Pretexting is an act of Social Engineering in which a "bad actor" engages a target with the intention of gathering enough information about them to impersonate the target. In the digital world, we celebrate birthdays on Facebook, list our resumes on LinkedIn, post pictures of ourselves on Instagram, and speak our thoughts on Twitter. A dedicated criminal can use this information to impersonate the target, or to impersonate a co-worker, the police, your bank, the IRS, or any other person with perceived authority. By imitating a person or entity we trust, these criminals request information that we would usually never give to strangers.

Phishing is a method whereby the phisher (our same digital criminal) sends mass emails attempting to get individuals to give up personal information, or to perform an action designed to expose that same information. These attacks vary in complexity; some of the more sophisticated ones direct the recipient to a website that looks identical to a legitimate, familiar site. They usually aim at gaining access to a person's email account. Once inside, the phisher has access to information about our banking and credit card accounts and a great deal of personal information, which can then be used for pretexting attacks against the contacts stored in that account. Spear-phishing is closely related to phishing, but the emails are targeted and personalized using information gained through the pretexting described above.

Jane receives an email from her friend Phil inviting her to a party, with a link to RSVP at the end of the email. Jane is reasonably cybersecurity-savvy, so she checks the sending email address and name. Both are correct, so she clicks the link. Clicking the link takes her to a website that accepts her RSVP and gives her details about the party. She then emails Phil to thank him for the invite and tell him she will attend. Her friend replies, and all seems well.

What Jane didn't know is that Phil's email had been hacked months earlier because his password was "DallasCowboys#1" and he had professed his undying Dallas Cowboys fandom to anyone who would listen on Facebook and Twitter. The criminals read Phil's emails and learned that he had been corresponding with Jane about a surprise party for Phil's wife. When Jane clicked the RSVP link, in addition to taking her to the RSVP page, the page behind the link also handed the criminals Jane's email account and password. Because they controlled Phil's email account, they were able to set up a mailbox rule that routed any email from Jane to a different account and deleted it from Phil's mailbox before it ever reached his inbox. The hackers then sent a reply to Jane and removed that sent message from Phil's account.
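The rule the criminals planted in Phil's mailbox is a textbook persistence trick: scoped to one sender, redirecting to an outside address, deleting the original. The hunt below is an added example (not code from the original post) that scores a list of mailbox rules for those traits. The field names (Name, Enabled, From, RedirectTo, ForwardTo, DeleteMessage, MoveToFolder, MarkAsRead) mirror the properties Exchange Online's Get-InboxRule returns, but the block assumes recipients have already been reduced to plain addresses, and the two rules below are constructed sample data, not a real export.

```python
"""Hunt for mailbox rules of the kind described in the story: a rule tied to one
sender that redirects their mail outside the organization and deletes the original.

Added example; not code from the original post. Field names follow the property
names of Exchange Online's Get-InboxRule, recipients are assumed to be plain
addresses, and the sample rules are constructed.
"""

ORG_DOMAINS = {"example-hospital.org"}          # assumed internal domain(s)

# Folders attackers commonly dump hidden mail into so the owner never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


def _external(addresses) -> list:
    return [a for a in (addresses or [])
            if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def suspicious_reasons(rule: dict) -> list:
    """Return the reasons a single enabled rule looks like attacker persistence."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    ext = _external(rule.get("RedirectTo")) + _external(rule.get("ForwardTo"))
    if ext:
        reasons.append("sends mail to external address(es): " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes the message")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to a rarely-read folder ({rule['MoveToFolder']})")
    if rule.get("MarkAsRead") and (rule.get("DeleteMessage") or folder in HIDING_FOLDERS):
        reasons.append("marks as read before hiding it (no unread badge for the owner)")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        reasons.append(f"rule name {name!r} is empty or near-empty")
    # A sender filter is only interesting when the rule also hides or exfiltrates.
    if rule.get("From") and (ext or rule.get("DeleteMessage") or folder in HIDING_FOLDERS):
        reasons.append("scoped to mail from " + ", ".join(rule["From"]))
    return reasons


def hunt(rules) -> list:
    """Return (rule name, reasons) for every enabled rule with at least one finding."""
    hits = []
    for rule in rules:
        reasons = suspicious_reasons(rule)
        if reasons:
            hits.append((rule.get("Name", ""), reasons))
    return hits


# Constructed sample export: one benign rule, one matching the story.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters", "MarkAsRead": False, "DeleteMessage": False,
     "RedirectTo": [], "ForwardTo": []},
    {"Name": ".", "Enabled": True, "From": ["jane@example-hospital.org"],
     "RedirectTo": ["phil.backup@freemail.example"], "ForwardTo": [],
     "DeleteMessage": True, "MarkAsRead": True, "MoveToFolder": None},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run across every mailbox after a confirmed credential theft, not just the victim's: the story's point is that the rule lives in Phil's account, while the damage is done to Jane.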

Because Jane had once emailed Phil from her work account, the criminals now have her work email address. And because Jane uses the same password for her work email, her personal email, and her hospital's RIS system, they now have access to the hospital's network of software and IoT equipment. They can encrypt the records and hold them for ransom, or extort the hospital by threatening to publicly release patient data and force the hospital into a HIPAA violation.

By the time Jane finds out that Phil never sent the email with the RSVP link, it is too late. The criminals have changed her password to the hospital network, and her hospital now has a full-blown breach of patient data.

Sound far-fetched?

An article from IBM's Security Intelligence states that, according to the 2018 Thales Data Threat Report, 70%** of healthcare organizations around the world have experienced a data breach. The cost per breached medical record averaged $408***, and the average cost to a medical facility was $717,000****.

Hope is not a Strategy

Within most healthcare organizations, cybersecurity accounts for only 4-7% of the total IT budget. So what can be done?

  1. Use unique passwords for each of your personal and work email accounts.
  2. Do not use the same password for your facility's software network and email account.
  3. Avoid providing personal information when answering emails.
  4. If you receive a suspicious email, report it immediately to your IT department.
  5. Set a calendar reminder to change your passwords (if your company doesn't mandate password changes).
  6. Acknowledge that changing your password from "password1" to "password2" is lazy and puts both your personal information and your organization's information at risk.
  7. Don't send Visa Gift card numbers to anyone over email.
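Items 1, 2 and 6 boil down to one test: is the new password really new, or is it an old one with a digit bumped, and is it the same password you already use elsewhere? The block below is an added example (not code from the original post) of the similarity check that password-history policies apply: lower-case, strip leading and trailing digits and symbols, undo common letter-for-symbol substitutions, then compare the remaining core and the edit distance. Every password and account name in it is constructed.

```python
"""Is a new password just a trivial variation of an old one, and is it reused?

Added example; not code from the original post. Implements the core-and-edit-
distance similarity test used by password-history policies. All sample
passwords and account names are constructed.
"""
import re

# Common letter-for-symbol substitutions, undone before comparing cores.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s", "7": "t"})


def core(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo leetspeak.
    'DallasCowboys#1' -> 'dallascowboys', 'P@ssw0rd!' -> 'password'."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is `old` with only cosmetic changes: a bumped trailing
    digit, swapped symbols, reversed core, or at most `max_distance` edits."""
    if old == new:
        return True
    oc, nc = core(old), core(new)
    if oc and (oc == nc or oc == nc[::-1]):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


def reused(new: str, other_accounts: dict) -> list:
    """Names of accounts whose password equals, or trivially varies from, `new`."""
    return [acct for acct, pw in other_accounts.items() if is_trivial_variation(pw, new)]


if __name__ == "__main__":
    # Constructed examples, including the story's "DallasCowboys#1".
    for old, new in [("password1", "password2"),
                     ("DallasCowboys#1", "DallasCowboys#2"),
                     ("DallasCowboys#1", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_variation(old, new)}")
    print(reused("DallasCowboys#2", {"work email": "DallasCowboys#1",
                                     "RIS": "Radiology!2019"}))
```

A check like this belongs in the place the password is set (or in a password manager's audit), so that "password1" to "password2" is rejected at the moment of the change rather than discovered after a breach.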