How to wage a two-front war on hackers
History has shown that one of the most difficult challenges for any military force is fighting a two-front war. With the enemy attacking from multiple positions, especially with overwhelming force, it becomes difficult to defend a position against everything for long.
CIOs and CISOs face that challenge today in cybersecurity. Their two-front war means defending against attacks by actors outside the organization while also containing the security mistakes of their own "troops": the users. Unlike an actual military campaign, where the challenges on each front are broadly similar and can be met with similar tools and tactics, these two cybersecurity fronts are completely different in nature, stretching internal security resources thinner than ever.
In the past, cyber wars were essentially fought for amusement, revenge, or bragging rights. Today the primary motivator is money.
Ransomware, i.e., locking users out of their files until they pay a ransom, is currently grabbing all the headlines. But other threats, such as stealing protected health information (PHI) or quietly diverting reimbursement payments to offshore accounts, are just as profit-driven. Stolen healthcare records are worth considerably more than credit card data: estimates of a record's value on criminal markets start around $20, while the Ponemon Institute's widely cited figure of $363 per record measures the cost to the breached organization rather than the resale price.
Since there is profit to be made, the heads of cybercriminal organizations can afford to hire their own armies to use technology or social engineering to find an avenue into health payer or provider networks. They can even purchase software on the Dark Web that does all the work automatically.
Either way, CIOs and CISOs can quickly find themselves outnumbered, especially since IT departments have many other things to attend to throughout the organization. Ultimately, CIOs and CISOs can easily feel like King Leonidas of Sparta at the Battle of Thermopylae, only without the benefit of a narrow passageway.
While it is challenging, there are some best practices that can be applied to even the odds.
Front One: Technology
This front clearly falls under the umbrella of IT, although users must also make a contribution to be successful.
With the emphasis that has already been placed on cybersecurity, most healthcare organizations have reasonably well-hardened networks and internal systems, and can manage most of the technology that lives within their four walls.
As such, the biggest threats come from technology introduced from outside the core IT infrastructure, starting with the devices we all carry in our pockets. Each of those devices has orders of magnitude more computing power than the computers that sent astronauts to the moon, so the magnitude of the potential threat is staggering.
If the business supplies smartphones, tablets, etc. to its users, IT can dictate which apps (if any) may be installed, whether PHI may be stored on them, and other policies, including a requirement that a lost or stolen device be wiped immediately. These controls are typically enforced through a mobile device management (MDM) platform rather than left to the user.
Security gets even more complex with bring your own device (BYOD), which many healthcare organizations have adopted. It becomes far more difficult to control which devices are used, how they’re set up, whether they have sufficient security provisions, and how users use them. Some best practices that should be implemented include:
- Requiring that a personal device authorized for network access be wiped immediately upon discovery that it has been lost or stolen. Users may worry about losing their personal data, but remind them that the wipe also protects other parts of their life by removing saved passwords and payment details. Where the MDM platform supports a selective wipe of the managed work profile or container, that is usually the more acceptable default for BYOD, with a full wipe reserved for devices that hold PHI outside the container.
- Disabling external ports (especially USB) that can be used to copy data onto an external drive or thumb drive, or to bring malware from an external drive onto the device and, ultimately, the network. For users who travel frequently, IT may also want to disable the data-transfer function of charging ports on mobile devices, or issue charge-only cables or USB data blockers. Malicious charging stations (so-called juice-jacking) attempt to pull contents, saved credentials and other data off a device the moment it is plugged in; the trust-this-computer prompt on modern phones is a useful backstop, but only if users know to decline it.
- Preventing PHI from being downloaded onto a device’s storage media. This practice may require changing technologies, which while painful is still better than suffering a data breach. Select applications that enable users to view PHI remotely without first downloading it.
Front Two: Users
This is normally the more difficult of the two battlefronts. Technology is rules-based, and easier to control. Helping users become aware of security requirements and educating them on what is needed to protect themselves (and the organization) is far more challenging.
While the assumption may be that only newbies and luddites present a risk, even experienced and expert users can fall victim to a cybercriminal scheme. Recently, a cybersecurity expert described to a radio audience how, just after finishing a lecture on the topic, he received a short message asking him to look over a document. He was about to click the link when he realized it was spear phishing: a targeted message, innocuous in tone and apparently from a friend or colleague, crafted to get the recipient to open a link or attachment that introduces malware onto the device and into the network.
If an expert can nearly be fooled it shows just how important it is to educate users – and keep educating them. Tell them:
- Use caution with emails or texts built around simple phrases such as "Hey check this out" or "Can you look this over?" with no other context. Spear phishing and similar techniques prey on our natural desire to be helpful, especially at work. If unsure, users should confirm with the apparent sender through another channel (a phone call, not a reply), and forward suspect messages to the IT security team.
- Never connect to an unsecured Wi-Fi network in a public location. Users may be hoping to save mobile data, but it is not uncommon for cybercriminals to set up hotspots that appear to belong to a nearby business. Once a user joins, the attacker can observe any unencrypted traffic, redirect logins to look-alike portal pages that harvest passwords, and use those credentials for later intrusions. If public Wi-Fi is unavoidable, the corporate VPN should be required before any work application is used.
- Don’t react or respond to messages claiming to be from the IRS, FBI or another government agency, especially if the message is marked urgent. That is not how these agencies initiate contact. Instead, the user should forward the message to the IT security team.
- If devices are able to download PHI, make sure it is removed and the session closed when the user is finished. A lost or stolen device with PHI is a cybercriminal jackpot.
- Never save passwords in browsers, notes apps or text files on a device, no matter how inconvenient it is to enter them each time; the only acceptable place for a stored password is an approved password manager, ideally paired with multi-factor authentication. A little extra time spent logging in is better than leaving a wide-open entry into the network.
- When in doubt, assume the worst. This is not the time for bravery or bold decisions.
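The lure and impersonation patterns described in the list above can also be checked mechanically before a message ever reaches a user. The following Python is an added example written for this page, not tooling from the original article: a small triage routine that scores a message for a context-free lure phrase combined with a link, urgency language, a claimed government-agency identity from a non-.gov address, and links to domains unrelated to the sender. The sample messages and the `hospital.example` domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# Phrases the article warns about: short, friendly, context-free requests.
LURE_PHRASES = ("check this out", "look this over", "take a look", "see attached")
# Pressure language typical of agency-impersonation and ransom scams.
URGENCY_WORDS = ("urgent", "immediately", "final notice", "action required", "within 24 hours")
# Agencies the article names; matched on word boundaries so "first" does not hit "irs".
AGENCY_RE = re.compile(r"\b(irs|fbi|internal revenue service)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    sender_name: str
    sender_addr: str
    subject: str
    body: str


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess(msg: Message, trusted_domains: set[str]) -> list[str]:
    """Return the list of reasons a message looks like phishing (empty = clean)."""
    reasons: list[str] = []
    text = f"{msg.subject}\n{msg.body}"
    low = text.lower()
    link_domains = {d.lower() for d in URL_RE.findall(text)}
    # Count words with URLs stripped so the link itself does not pad the "context".
    words = re.findall(r"[a-z']+", URL_RE.sub("", low))

    if any(p in low for p in LURE_PHRASES) and link_domains and len(words) <= 15:
        reasons.append("context-free lure with a link")
    if any(w in low for w in URGENCY_WORDS):
        reasons.append("urgency pressure")
    if AGENCY_RE.search(msg.sender_name) or AGENCY_RE.search(low):
        if not sender_domain(msg.sender_addr).endswith(".gov"):
            reasons.append("claims to be a government agency but sender is not a .gov address")
    sd = sender_domain(msg.sender_addr)
    for d in sorted(link_domains):
        if d != sd and not d.endswith("." + sd) and d not in trusted_domains:
            reasons.append(f"link to unrelated domain {d}")
    return reasons


def verdict(reasons: list[str]) -> str:
    """Map reasons to the action the article recommends for users."""
    if len(reasons) >= 2:
        return "report"      # forward to the security team, do not click
    if reasons:
        return "verify"      # confirm with the sender out of band first
    return "ok"


def triage(messages: list[Message], trusted_domains: set[str]) -> list[tuple[str, list[str]]]:
    return [(verdict(r), r) for r in (assess(m, trusted_domains) for m in messages)]


# Constructed sample messages for the example (not real traffic).
TRUSTED = {"hospital.example"}
SAMPLES = [
    Message("Dana Reyes", "dana.reyes@hospital.example", "Quick favor",
            "Hey, check this out: https://docs-share.example.net/review"),
    Message("IRS Refund Dept", "refunds@irs-refund-center.example.com", "URGENT: action required",
            "Your refund is on hold. Confirm your identity within 24 hours at "
            "https://irs-refund-center.example.com/verify"),
    Message("Dana Reyes", "dana.reyes@hospital.example", "Q3 reimbursement report",
            "Can you look this over before the 3pm meeting? I updated the payer totals "
            "in sections 2 and 4 and added the variance notes we discussed."),
]

if __name__ == "__main__":
    for msg, (v, reasons) in zip(SAMPLES, triage(SAMPLES, TRUSTED)):
        print(f"{v:7} {msg.sender_addr:40} {'; '.join(reasons) or '-'}")
```

The third sample uses one of the lure phrases but carries real context and no link, so it is not flagged; the heuristics are deliberately conservative because a filter that cries wolf trains users to ignore it. In practice the same checks would run in the mail gateway, with the reasons surfaced as a banner to the recipient rather than silently dropping the message.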
CIOs and CISOs may feel outgunned by cybercriminals at times. But despite what history tells us, this is a two-front war that can be won.
With a focused approach that includes taking advantage of security technology and best practices, and educating users, healthcare organizations can beat back the hordes and claim victory.