Monday, February 1, 2016

Hospitals coming under growing hack threats

Phishing made big news in healthcare last year, and not the good kind.


This technique for stealing network credentials was reported to be the cause of two of the largest attacks in the healthcare industry last year: the theft of 78.8 million identities from Anthem, and another 11 million identities taken in a breach at Premera.


Hacking and IT incidents exposed the protected health information of approximately 112 million individuals, more than 65 times the figure for such incidents the year before.


While the Anthem and Premera hacks accounted for the lion’s share of those numbers last year, attackers are using phishing gambits more widely, increasing the need for healthcare organizations to make certain that their staff are aware of the threat.


In a basic phishing attack, attackers use urgent-sounding emails or phone calls to trick a person into revealing network credentials. When an employee unintentionally shares network access information with an attacker, it can be the start of an intrusion that compromises large amounts of protected health data. Because entry is easy and hard to detect, attackers may be able to roam a network for weeks without raising any red flags.


Phishing is not aimed only at the largest healthcare organizations; a recent survey by the Healthcare Information and Management Systems Society (HIMSS) found that 69% of respondents had experienced a phishing attack.


Security incidents, including those originating outside the organization, caused significant problems for some of the organizations responding to the HIMSS survey. Of all respondents affected by a breach, 21% reported loss of information, and 16% in total reported either disruption of or actual damage to their IT networks.


The attacks at Anthem and Premera were frighteningly easy, according to the annual report on healthcare security breaches by Bitglass, a security solutions vendor. In both breaches, the attackers used an approach called domain spoofing, in which they register look-alike variations on the real domain name, such as “prennera.com” or, in the Anthem breach, “we11point.com”.


Phishing emails were sent to employees to lure them to the spoofed sites; employees then logged in to the fake sites, handing their credentials to the attackers. From there, employees were redirected back to their companies’ real sites, so they remained entirely unaware that they had been the target of a phishing attack, Bitglass reports.


While the attackers’ methods seem obvious in retrospect, it is not easy for staff to recognize such trickery. They are busy, may be flooded with emails as part of their jobs, and may lack the technical acumen to spot misleading emails or spoofed URLs.


Beyond that, many healthcare organizations have not trained employees to spot and thwart phishing attempts. Even those that have conducted such training have seen employees grow lax and fall victim to a phishing email.


For training to be effective and change long-term behavior, it must be comprehensive, and reminders must follow over time so that employees do not become complacent, says William Woodward, a research associate at Aite Group, a research and consulting firm.


One-off training events or memos do not provide enough lasting protection, especially in healthcare environments, where the consequences of a successful intrusion can be catastrophic. “You cannot carry on like you did before,” he emphasizes. “The costs of cyber attacks are so high that you have to contribute to deeper training.”


Organizations should run simulated attacks so employees learn to recognize the signs that something is wrong; that reinforces the training so they can identify an email that should not be opened or a phone call that should be treated as suspicious.


Organizations should then follow up with penetration testing by expert firms that ethically phish employees to assess awareness levels, Woodward says. If testing finds that most employees are still clicking on phishing emails, training should be done more frequently. Twice-a-year training sessions would be most effective, but that may not be cost effective for small organizations, he says.


Attacks are growing increasingly sophisticated, Woodward warns. An employee may click on a link that contains the organization’s URL and not notice other parts of the URL that should raise suspicion. Or an employee may get an email or chat message from a purported IT technician at the organization saying he will call soon. Such a message should already be treated with skepticism, because while an email address can be verified, that is generally not possible with a phone call, Woodward says. “These are things that should not be transmitted by email or provided over the phone.”
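The domain-spoofing pattern from the Bitglass report (“prennera.com”, “we11point.com”) and Woodward’s warning about links that carry the organization’s URL alongside other suspicious parts can both be caught by a small triage check on the links in incoming mail. The following is an added example written for this post, not code from Bitglass, Aite Group or the original article; the PROTECTED list, the homoglyph table, the distance threshold and the sample URLs are all constructed for the demo. It decides what host a link would really contact, then flags it when the protected brand appears elsewhere in the URL, when undoing common character substitutions yields a protected domain, or when the host is a short edit away from one.

```python
"""
Lookalike-URL triage for the domain-spoofing pattern described above.

Added example, not from the original post or from Bitglass. A URL is a
lookalike when the host actually contacted is not a protected domain but
the URL either (1) contains a protected domain as text somewhere else
(subdomain, userinfo, path), (2) becomes a protected domain once visual
substitutions such as '1' for 'l' are undone, or (3) is within a small
edit distance of a protected domain. PROTECTED, HOMOGLYPHS, MAX_DISTANCE
and SAMPLE_URLS are constructed for the demo.
"""
from urllib.parse import urlsplit

# Legitimate registrable domains to defend (constructed sample list).
PROTECTED = ["premera.com", "wellpoint.com", "anthem.com"]

# Visual substitutions commonly seen in spoofed domains -> canonical letters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Largest edit distance still treated as a typosquat of a protected label.
MAX_DISTANCE = 2


def canonical(label: str) -> str:
    """Undo visual substitutions so 'we11point' reads as 'wellpoint'."""
    label = label.lower()
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style names; a production
    tool would consult the Public Suffix List to handle suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str, protected=PROTECTED):
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unrelated'.

    urlsplit(...).hostname drops any user@ prefix and port, so a link such as
    https://anthem.com@evil.test/ resolves to host 'evil.test', which is what
    the browser would actually contact.
    """
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in protected:
        return "legit", f"host {host} is under protected domain {reg}"
    reg_label = reg.split(".")[0]
    for p in protected:
        p_label = p.split(".")[0]
        if p in url.lower():
            return "lookalike", f"'{p}' appears in the URL but the real host is {reg}"
        if canonical(reg_label) == p_label:
            return "lookalike", f"{reg} is a character substitution of {p}"
        if levenshtein(canonical(reg_label), p_label) <= MAX_DISTANCE:
            return "lookalike", f"{reg} is within edit distance {MAX_DISTANCE} of {p}"
    return "unrelated", f"{reg} does not resemble a protected domain"


def triage(urls):
    """Classify a batch of URLs pulled from mail; returns {url: (verdict, reason)}."""
    return {u: classify(u) for u in urls}


# Constructed sample links as they might be extracted from quarantined mail.
SAMPLE_URLS = [
    "https://mail.premera.com/inbox",          # legitimate subdomain
    "https://we11point.com/login",             # '1' for 'l' (the post's example)
    "https://prennera.com/reset",              # typosquat (the post's example)
    "https://anthem.com.login-portal.test/",   # brand used as a subdomain
    "https://anthem.com@evil.test/reset",      # brand hidden in the userinfo part
    "https://example.org/",                    # unrelated
]

if __name__ == "__main__":
    for url, (verdict, reason) in triage(SAMPLE_URLS).items():
        print(f"{verdict:10} {url}  ({reason})")
```

The edit-distance threshold is the tuning knob: a distance of 2 catches “prennera” but will also flag genuinely similar names, so in practice it is paired with an allowlist of known partners and reviewed rather than acted on automatically. The text check (`p in url`) deliberately treats any link that mentions a protected domain under a foreign host as suspicious, which is exactly the “organization’s URL plus other parts” pattern Woodward describes.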


Good cyber security boils down to general awareness, Woodward says. “Treat it like any other training, with evaluation sheets and systematic reviews. Bring in external expertise to be more aware of the risk landscape. They will be up to speed on the latest tactics and offer you external eyes to analyze what you are doing.”

