The healthcare industry faces a growing risk from cyber attacks, which makes it critical for CAP members to devote sufficient resources to designing and implementing a strategy that can mitigate that risk.
The internet is a medium that offers many benefits. It provides easy access to useful resources and to people around the world. At the same time, criminals across the globe have unprecedented access to us. Recent events have shown that healthcare organizations can be severely impacted by cyber attacks.
It can be discouraging to learn that large organizations like Sony and Target are victims of these attacks. After all, if firms with large security budgets and staff cannot avoid them, how can a much smaller organization?
It also may be tempting to think that an individual or small organization has little value to attackers and is thus an unlikely target. Ransomware attacks of recent months are evidence to the contrary. Criminals have received millions in ransom payments from individuals as well as from small organizations.
Cyber security experts agree that no organization can prevent every possible attack, but it is still important to take steps to reduce your security vulnerabilities. You should also be prepared to respond to and recover from an attack. You may not experience every possible type of attack, so your immediate focus should be on addressing the types of attacks most likely to affect you.
Here are some suggestions:
Keep all of your machines “clean.” As recommended by the National Cyber Security Alliance and others, this means keeping software on all Internet-connected devices up-to-date. Install updates and security patches as soon as possible.
Hackers stole personal information on 143 million U.S. consumers from Equifax in May. In that same month, a ransomware attack crippled the U.K.’s National Health Service. A large hospital chain in the U.S. had a similar ransomware incident last year. What do they all have in common? Hackers exploited software vulnerabilities. In all three cases, a patch had been available for weeks, but was not installed.
So, if you thought you couldn’t do better on cyber security than a large organization, here is an area where perhaps you can.
Back up often and maintain offline copies of backups. Many ransomware victims are able to recover without paying the demand because they can restore damaged files from backup. However, be sure that if one of your computers is infected with ransomware, it can’t reach and compromise the backup data, or any computer connected to the backup data.
Keep your “human firewall” up to date. Phishing and social engineering are among the most prevalent attacks against small and medium-sized organizations. This means that email programs and web browsers are major conduits for malware delivery. Firewalls, spam filters, and anti-malware software all play a part in protecting against this. But cyber crime is lucrative, and attackers change tactics to avoid these countermeasures. Malware propagation by phishing and social engineering relies on exploiting human as well as technical weaknesses.
Consider cyber security awareness training for yourself and for employees who use email or browse the web. Informed people who understand attacker tactics can be an effective last line of defense. For example, simply taking a moment to examine an email for suspicious indicators before opening an attachment or clicking a link can avoid having to clean up a cyber mess.
Use current malware defenses. Antivirus and anti-malware products have changed and are still evolving. “Old-school” antivirus programs relied on the vendor identifying each piece of malware’s unique pattern, or signature, and publishing that information to its clients. This approach already had a built-in flaw: your computer could be infected if you received the malware before the vendor discovered it and published an update. Attackers are now developing malware that regularly changes its signature, making it more difficult to identify. Newer products (“next-generation antivirus”) still recognize signatures, but in addition they use machine learning techniques to identify unusual behavior. Check your antivirus product to see if it includes such advanced capabilities.
Protect your email account. Email services are often free (Google, Yahoo, AOL, etc.). While the cost may be trivial, the value of your email account can be significant to you and an attacker.
If someone gained access to your email account, what could they find that is valuable? Your address book? Would you want phishing messages sent to friends and associates from your email account?
Do you have accounts with online merchants and services? Consider this scenario: A hacker takes control of your email account and discovers (from your emails) that you are an Amazon customer. The hacker can go to Amazon’s website, enter your email address, and click “Forgot Password.” Amazon will send a password reset link to your email, which the hacker now controls. If you have credit cards saved in your account, the hacker can log in and make purchases.
Exercise care with your email credentials. It is fine if you go directly to the mail provider’s website and log in. But be wary if you find yourself directed to a login page after clicking on a link in an email or an attachment. The page may look like your email service, but check the address (URL): the part of the address that identifies the site must be exactly your provider’s, not merely contain its name. Some prominent national figures have had their email accounts hacked in this way.
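The “check the address” advice above is easy to state and surprisingly easy to get wrong by eye, because a lookalike address can contain the real provider’s name in its subdomain, path, or user-info portion. The short Python script below is an added illustration written for this page, not something from the article or from CAP; the list of trusted login hostnames is an assumption chosen for the example, and every sample URL is constructed with reserved `.example` domains. It applies the one rule a reader should apply: the site name must match exactly, and the connection must be HTTPS.

```python
from urllib.parse import urlsplit

# Assumption for this example: the exact hostnames the reader normally signs in to.
# Anything that merely *contains* one of these names is not trusted.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "login.yahoo.com", "login.aol.com"}


def classify_login_url(url: str) -> str:
    """Return "ok" when the URL points exactly at a trusted HTTPS login host,
    otherwise a short reason explaining why the address should make you wary."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "not https"
    # .hostname strips any "user@" prefix and port, so "trusted.name@evil" resolves
    # to the host that actually serves the page, not the decoy before the "@".
    host = (parts.hostname or "").lower()
    if not host:
        return "no host in address"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    # Detect the common decoy: the trusted name embedded as a subdomain of another site.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if host.endswith("." + trusted) or host.startswith(trusted + "."):
            return f"host {host!r} is not {trusted!r}"
    if any(trusted in parts.path for trusted in TRUSTED_LOGIN_HOSTS):
        return f"trusted name appears only in the path of {host!r}"
    return f"untrusted host {host!r}"


# Constructed sample addresses (not real phishing URLs) showing each pattern.
CONSTRUCTED_SAMPLES = [
    "https://accounts.google.com/signin",                 # genuine
    "https://accounts.google.com.secure-mail.example/",  # decoy subdomain
    "https://accounts.google.com@secure-mail.example/",  # decoy before "@"
    "https://secure-mail.example/accounts.google.com/",  # decoy in path
    "http://accounts.google.com/signin",                 # right host, no HTTPS
]

if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        print(f"{classify_login_url(sample):45} <- {sample}")
```

Running the script prints “ok” only for the first sample; the other four are each flagged with the reason, which is the same distinction a reader should make by reading the browser’s address bar before typing a password.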
If your email service offers it, consider using two-step verification. This generally involves entering a code that is sent to your mobile phone by text message, or provided in an automated voice phone call. So even if someone obtains your password, they cannot log in without physical access to your phone. This is also a good idea for any other online accounts that you want to keep safe.
Keeping computers safe is an ongoing challenge. Attacker tactics change constantly, so it is important to maintain an awareness of the latest threats and countermeasures. Fortunately, there are many online resources available for help. One good place to start is the National Cyber Security Alliance at StaySafeOnline.org.
Tom Andre is CAP’s Senior Vice President, Information Services. Questions or comments related to this article should be directed to tandre@CAPphysicians.com.