5 lessons horror movies can teach you about next-gen security threats in healthcare
This is a guest post from Boaz Krelbaum, general manager of cybersecurity at Bottomline Technologies.
It’s fitting that Cyber Security Awareness Month takes place in October, right alongside Halloween, a season filled with the spooky spirit of jack-o-lanterns, haunted hay rides and horror movies.
Healthcare was the most targeted sector for cybercrime in 2015, and attacks in 2016 have been even more widespread and commonplace. That’s as effective as any ghoul or goblin at striking fear into the hearts of healthcare executives. Rightfully so. The 113 million records that were compromised in 2015 represent 25% - 35% of the U.S. population. Protecting the remaining 65% is a responsibility that rests squarely on the shoulders of healthcare organizations, which have to start taking the threats to their organizations seriously.
In the spirit of the season, here are 5 lessons horror movies can teach you about the next generation of cyber security threats that haunt your organization:
The best way to protect yourself is to assume that everyone, and everything, is a threat.
Never open the door when a knock comes in the middle of the night! That might seem obvious, but every horror movie has someone doing exactly that – taking a simple action that exposes them to tremendous threat. Similar things happen in healthcare facilities every single day. Doctors writing passwords on sticky notes under the keyboard is a great example. The intent, to let nurses access the system in case they need to place an order, makes sense, but the result is a compromised credential: a security vulnerability that’s easy for a malicious insider to exploit. The same holds true for clicking on links in emails, improperly secured databases or unencrypted data. A survey conducted by HIMSS found that 32% of acute-care facilities and 52% of non-acute care facilities don’t encrypt data in transit. This lack of cyber hygiene is a huge and unnecessary point of vulnerability for organizations that should be exercising a little more common sense.
Monsters will find you, no matter where you hide.
Squeeze yourself into the corner of a dark closet if it makes you feel better, but sooner or later, that door will creak open and your time will be up. The same holds true for hackers. Attacks are no longer limited to a select few computer gurus using their specialized wizardry to get into your network. The number of threat vectors facing organizations grows every day. Beyond network sniffing, packet capture, phishing emails and social engineering, attackers are getting creative. They’re targeting third-party supply chain partners because those partners often have access to confidential information and hospital IT systems. They’re using ransomware as a diversionary tactic, to give themselves time to scan the network and devices. You might be able to run from these attacks temporarily, but in the end, they’ll find you. It’s only a matter of time.
Threats are everywhere you turn.
When running for your life, it might seem like the biggest threats are behind you – until suddenly they’re in front of you and there’s no room for escape. Computer networks and systems are no longer the only – or even the biggest – threat that organizations face today. Internet of Things (IoT) has introduced an unending array of new points of vulnerability that pose a serious threat to patient safety as well as privacy. Johnson & Johnson recently warned that its insulin pumps could be accessed by hackers, who could then overdose patients. The source code for the malware that infected hundreds of thousands of IoT devices and used them to launch DDoS attacks is now readily available online. Connected medical devices are coming under attack, a threat that will force healthcare organizations to remove their blinders and consider the security of their network holistically, one device at a time.
No one takes the threat as seriously as they should.
Kids might dash past the haunted house and whisper about the legends of the demon who lurks there – but no one ever really believes it’s actually true. Hackers hold a similar type of mystique. Long believed to be a handful of antisocial misfits holed up in a dark basement in front of a bank of computers, the hackers of today are more like savvy entrepreneurs than Internet trolls. The business of hacking now employs all of the expected tactics of any legitimate small business: free trials, money-back guarantees, discounts for regular customers, and slick marketing techniques to attract new customers. These aren’t sole actors out to make a quick buck. They’re organized networks of business professionals with a plan to make money from your hospital.
If you don’t use the right weapon, you’re done.
Seems silly to say it, but if you think about the horror movies you’ve seen, they all invariably involve someone wielding a tennis racquet for protection. The lesson here is simple: You’ve got to use the right tools if you want to survive.
It might feel as though you have the right technology in place to keep malicious insiders at bay – but is your cutting-edge perimeter security or your audit tracking and logging system enough? To truly be secure, you’ve got to assume that there are already “things” (people, bots, etc.) on your network that don’t belong there. That is the new standard in security detection. With so many vulnerabilities available to them, people intent on stealing your patient data will find a way in. It’s what happens to them once they are in that you’re in the best position to control.
Healthcare organizations need to employ behavior profiling and monitoring solutions if they hope to prevent the theft of their patient data. They need to know who has a legitimate reason to be in the network and why, and understand what’s typical traffic and what’s not, so anomalous behavior can be easily detected. They also need to arm themselves with real-time security alerts, so they can stop patient data from being exfiltrated from the system in the first place.
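To make the behavior-profiling idea concrete, here is an added example (not code from the original post or from Bottomline Technologies) that builds a per-user baseline from a training window of EHR access events and then streams new events through it, alerting on off-hours activity, unusual per-hour volume, and users with no baseline at all. The log format, user names, record ids and thresholds are all constructed for this example; a real deployment would feed it from the audit-logging system the post mentions.

```python
"""Behavioral-baseline monitoring over EHR access logs (added, hypothetical example).

Learn each user's normal activity from a training window (which hours of the day
they are active, and how many distinct patient records they touch per hour), then
stream new events through that baseline and raise an alert as soon as behaviour
departs from it. Log format, user names and record ids are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <user> <action> <record id>".
TRAINING_LOG = """\
2016-10-03T08:05:00 dr_lee view P1001
2016-10-03T08:20:00 dr_lee view P1002
2016-10-03T09:10:00 dr_lee view P1003
2016-10-03T09:15:00 dr_lee update P1003
2016-10-03T09:40:00 dr_lee view P1004
2016-10-03T10:05:00 dr_lee view P1005
2016-10-03T10:30:00 dr_lee view P1006
2016-10-03T10:45:00 dr_lee view P1007
2016-10-03T14:00:00 dr_lee view P1008
2016-10-03T14:30:00 dr_lee view P1009
2016-10-03T09:00:00 nurse_kim view P1003
2016-10-03T09:30:00 nurse_kim view P1004
2016-10-03T21:00:00 nurse_kim view P1010
2016-10-03T21:15:00 nurse_kim view P1011
"""

# Constructed events to monitor: a burst of record views at 2 a.m. by an account
# that is normally active at 9 and 21, plus an account with no history at all.
NEW_EVENTS = """\
2016-10-04T02:10:00 nurse_kim view P2001
2016-10-04T02:12:00 nurse_kim view P2002
2016-10-04T02:13:00 nurse_kim view P2003
2016-10-04T02:14:00 nurse_kim view P2004
2016-10-04T02:15:00 nurse_kim view P2005
2016-10-04T02:16:00 contractor7 view P2006
2016-10-04T09:05:00 dr_lee view P1003
2016-10-04T09:10:00 dr_lee view P1012
2016-10-04T09:20:00 dr_lee view P1013
"""


def parse(line):
    """Split one constructed log line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(log_text, k=3.0, floor=3):
    """Per-user profile: active hours of day and a per-hour distinct-record threshold.

    threshold = max(mean + k * stdev of distinct records per active hour, floor);
    the floor keeps a user with a tiny, uniform history from alerting on noise.
    """
    records_per_hour = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ts, user, _action, record = parse(line)
        records_per_hour[user][hour_bucket(ts)].add(record)
    baseline = {}
    for user, buckets in records_per_hour.items():
        counts = [len(recs) for recs in buckets.values()]
        baseline[user] = {
            "hours": {bucket.hour for bucket in buckets},
            "threshold": max(mean(counts) + k * pstdev(counts), float(floor)),
        }
    return baseline


def detect(baseline, log_text):
    """Stream events through the baseline; return at most one alert per (kind, user, hour)."""
    alerts = []
    raised = set()
    seen = defaultdict(lambda: defaultdict(set))

    def raise_alert(kind, user, bucket, detail):
        key = (kind, user, bucket)
        if key not in raised:
            raised.add(key)
            alerts.append({"kind": kind, "user": user, "hour": bucket.isoformat(), "detail": detail})

    for line in log_text.splitlines():
        ts, user, action, record = parse(line)
        bucket = hour_bucket(ts)
        profile = baseline.get(user)
        if profile is None:
            raise_alert("unknown_user", user, bucket, f"no baseline; {action} {record}")
            continue
        if ts.hour not in profile["hours"]:
            raise_alert("off_hours", user, bucket, f"{action} {record} at hour {ts.hour}")
        seen[user][bucket].add(record)
        n = len(seen[user][bucket])
        if n > profile["threshold"]:
            raise_alert("volume", user, bucket, f"{n} distinct records; threshold {profile['threshold']:.2f}")
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(TRAINING_LOG), NEW_EVENTS):
        print(alert)
```

Run as-is, the script raises three alerts: an off-hours alert on nurse_kim's first 2 a.m. event, a volume alert when that account's fourth distinct record in the hour crosses the threshold, and an unknown-user alert for contractor7; dr_lee's morning activity stays within profile and is silent. Distinct records per hour, rather than raw event counts, is the measure because a clinician re-opening one chart is routine while touching many unrelated charts in quick succession is the pattern that precedes bulk exfiltration.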
Bottom line? Cybersecurity threats are a menace that will terrorize you year round if you don’t face them. So come out of your hiding spot, put down that frying pan and fight.