[BreachExchange] 5 Misconceptions Healthcare CIOs need to Address for Better Cyber Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 17 20:45:36 EDT 2017


https://www.hitechanswers.net/5-misconceptions-healthcare-cios-need-address-better-cyber-security/

Cyber-crimes are at an all-time high and will continue to rise in
popularity for as long as organisations adopt a passive approach to online
security.

While some healthcare organisations look at cyber security as a “back
burner”, the hacking industry is evolving to the point where anyone can
become a successful hacker. An aspiring cyber-criminal can buy a
full-fledged exploit kit for as little as $3,000. A kit like this does most
of the work automatically—deploying various breaching tactics until it
finds a vulnerability. The more experienced hackers are more creative in
their approach, using social engineering, trickery, and other breaching
technology to get hold of your data.

Most practices, hospitals and healthcare IT businesses need a clearer
understanding of current security threats and vulnerabilities. Some
organisations deploy general security countermeasures and move on, but this
strategy is often ineffective because it typically fails to identify
underlying vulnerabilities.

Cyber-security remains mired in mystery, and there are misconceptions about
how hackers manage to breach supposedly secure environments. In reality,
most high-profile security breaches are facilitated by gross employee
negligence and could have been easily avoided by sticking to a simple yet
effective “don’t do” list.

Here are five of the most alarming mistakes that healthcare organisations
make when protecting their data:

1. We are a small establishment. We have nothing to worry about.
Unfortunately, hackers look at small practices and hospitals as low-hanging
fruit. The average hacker will almost always prefer an easy target instead
of spending months taking swings at something that is surrounded by
firewalls. Large hospitals and financial institutions have invested heavily
in improving their defense against malicious cyber-attacks, so hackers tend
to target physician practices and healthcare IT businesses and frequently
use them as an entry point to access high-profile targets. In fact, last
year SecurityScorecard, a risk-management cybersecurity firm that tracks
cyber attacks on healthcare in the U.S., released an analysis concluding
that about 75 percent of all major healthcare providers had experienced malware
infections that could cause them to lose data or money, and this number is
expected to rise significantly in the next few years, spurred by further
adoption of cloud computing and the huge amount of information that is
being stored online.

2. Our security team is great and runs a tight ship.
No matter how robust your security apparatus, it only takes a single
non-technical employee to infect an entire network. Careless or poorly
trained employees are the biggest vulnerability a security system can
have. A large percentage of security breaches last year were the result of an
employee innocently downloading an infected file on their work computer or
falling for a phishing scam received via an infected email. Once a
hacker has gained entry to a network, it’s fairly easy to use that person’s
email/login details to infect all other PCs that share the same network.

It’s extremely important for healthcare management to train their employees
on the best practices against cybersecurity threats. A proactive leadership
should always put an emphasis on employee education prior to implementing
an in-depth level of cyber-defense.

3. Everything is password protected, so what’s the big deal?
Relying solely on passwords for your organization’s security is a practice
that’s been frowned upon by security experts for years. Computers can
process huge amounts of data in a small amount of time, and a hacker can
run more than 420 billion password combinations per minute. Brute force
attacks, hybrid attacks and dictionary attacks are just a few of the
various methods used by hackers to crack a password.

A strong password is a string of at least 20 characters. It should contain
upper, lower and special characters with a decent amount of gibberish
instead of real words as most password hacking scripts often use databases
that contain the most popular words. In password theft, the biggest problem
isn’t human error but the technology behind it. Security experts all agree
that the best protection against password cracking is to deploy
multi-factor authentication and to properly train employees on safe
password habits.
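To put the numbers in this section side by side, here is an added example (not code from the article or from hitechanswers.net) that estimates how long an exhaustive brute-force search of a password's keyspace would take at the guess rate quoted above, 420 billion guesses per minute, and checks a candidate password against the advice given here: at least 20 characters, upper, lower and special characters, and no common words. The guess rate and the 20-character minimum come from the article; the wordlist is a tiny constructed stand-in for the "most popular words" databases the article refers to.

```python
"""
Estimate brute-force effort for a password and check it against the
article's strength advice. Added example; the guess rate and the
20-character minimum are the article's figures, the wordlist is constructed.
"""
import math
import string

GUESSES_PER_MINUTE = 420_000_000_000   # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_LENGTH = 20                        # the article's recommended minimum

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
COMMON_WORDS = {"password", "welcome", "hospital", "clinic", "summer", "admin"}


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits, assuming characters are chosen uniformly."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_minute: int = GUESSES_PER_MINUTE) -> float:
    """Worst-case time to try every candidate at the given guess rate, in years."""
    minutes = keyspace(password) / guesses_per_minute
    return minutes * 60 / SECONDS_PER_YEAR


def policy_findings(password: str) -> list:
    """Return the ways a password falls short of the article's advice (empty = passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        findings.append("no upper-case character")
    if not any(c in string.ascii_lowercase for c in password):
        findings.append("no lower-case character")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        # A dictionary attack finds these long before brute force would.
        if word in lowered:
            findings.append(f"contains common word '{word}'")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, from weak to strong.
    samples = ["hospital", "Summer2017!", "Tq7#mVz!Lp2&Rw9^Kd4@"]
    for pw in samples:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years to exhaust, "
              f"findings: {policy_findings(pw) or 'none'}")
```

The brute-force figure alone is misleading for a password like "Summer2017!", which has a large keyspace on paper but is built from a common word, a year and a trailing symbol, exactly the pattern dictionary and hybrid attacks try first; that is why `policy_findings` flags wordlist hits separately from length and character-class checks.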

4. Our employees would never fall for an obvious scam.
A popular misconception is that social engineering, the “art” of
manipulating people into giving up confidential information, is restricted
to small, obvious scams that involve stealing some housewife’s credit card
details. False. Almost 30 percent of all security breaches have some form
of social engineering at heart. In 2009, hackers posed as Coca-Cola’s CEO,
persuading an important executive to open an infected email, and the
malware ended up infiltrating the whole network. All it takes for a complex
security chain to fall is one employee who accepts a scenario at face
value.

A recent study shows that most breaches were successful because employees
were unfamiliar with the organization’s security processes and policies
rather than because employees were simply careless. Organizations need to simplify
security training and to provide a system that enables unambiguous
identification. Other best practices include providing employees with a
security checklist that is applicable to various situations and initiating
them in the basics of social engineering and cyber security. It’s also
important to encourage employees to report when they have done something
accidental, so security teams can proactively check and stop the malicious
activity quickly before it causes more damage.

5. We back up everything, so we can just restore operations.
Ransomware has been around for a couple of years now but has popped up in
the mainstream media recently when WannaCry infected more than 230,000
computers in over 150 countries in a single day, followed by a new stream of
ransomware titled “NotPetya”. This malicious software encrypts the
victims’ files with the threat of deleting them unless a ransom is paid.
More advanced ransomware makes use of a technique called cryptoviral extortion,
which makes it impossible for anyone to recover the files or use the
computer unless the decryption key is provided, even if a backup is available.
Organizations affected by this malware experience partial or even complete
paralysis of operations while the attack is happening.

Fortunately, it is much easier to prevent ransomware than to deal with an
infection in progress. A first step would be to deploy a fully updated
anti-ransomware solution across all organization endpoints. Security campaigns
that promote awareness about the dangers of clicking on unknown links or
email attachments are also a good idea. You can also apply pre-set rules
that prevent employees from clicking on unvalidated links or from running
executables from attachments.

Also ensure all your software is patched or updated. It’s easy to overlook
the importance of software updates. However, when vulnerabilities discovered
in software go unpatched, they can be exploited by
hackers. The recent WannaCry ransomware global attack is a prime example.
Microsoft discovered the vulnerabilities and released Security Bulletin
MS17-010 (rated Critical) almost two months before the attack. If
organizations had patched their systems, they could have avoided an attack on such a global
scale.

Hacking is a very real threat, and there are many ways for a hacker to
breach an apparently secure environment, regardless of how well you’ve
cordoned off your organization’s networks. There’s no “cure-all” that will
prevent every cyber breach from happening, but the best way to prevent and
mitigate an infection is to take a community approach to preventative care,
putting the responsibility of protecting the organization on every
individual. CIOs who prevent rather than fix will always lead a safer
organization in the cyber world.