Malicious hacking using social engineering against healthcare has multiple goals. The most obvious ones are to steal money or data, or to deliver ransomware. Health systems are particularly susceptible, because many of the basic critical security controls are not in place within these highly integrated delivery systems.
In this preview of the upcoming HIMSS21 educational session entitled “Social Engineering in the Healthcare Environment,” speaker Kathleen Ann Mullin, CISO at Tampa, Florida-based Healthmap Solutions, talks about how a healthcare provider organization recognizes hacker motivations, how healthcare CISOs and CIOs detect the common methods used by social engineers to victimize healthcare organizations, and how CISOs and CIOs prepare for the impacts of malware, including ransomware.
All healthcare organizations are target-rich environments for the value of their health, payment and insurance information, as well as for their methods of treatment and research information.
“In order to recognize a hacker’s motivation, a healthcare provider needs to understand where their organization sits in the context of all organizations and healthcare,” Mullin explained. “Do they have a strong and mature information security program? Is the organization an industry leader? Do they have a large market share? What country or region are they in? Are their leaders active in the media? Or social media?
“Do they have famous, wealthy or other notable patients? Do they have research facilities? Do they do teaching or training? Have they had breaches in the past? Does their organization or [do their] employees post or share information about their systems or infrastructure? Are there disgruntled current or former employees? Are the vendors that provide or support their systems known?”
Perhaps the most difficult one of all, she said, is: Is there anyone that is particularly unhappy about a patient outcome? This information provides context as to why one healthcare organization is more likely to be specifically targeted, what the potential motivations are and perhaps how they might be attacked, she added.
Where should a security program start?
“Resources to support our systems are finite,” she noted. “Once an organization knows whether they are a target because they are an easy opportunity, this helps to broadly determine where a program should start. Then it is important to understand the motivations of [the] attack to determine which systems are most likely to be targeted and need protection.”
This helps align the resources that should be spent protecting systems, and establishes which type of controls will have the most impact to ensure the least disruption to the healthcare organization, she added.
Then it’s a matter of healthcare CISOs and CIOs detecting the common methods used by social engineers to victimize healthcare organizations.
“All employees in health systems need to understand the common methods used by social engineers,” Mullin advised. “The best way to detect social engineering is to learn how to recognize the methods and tactics and then train everyone in their organization. Social engineers manipulate individuals to take action that may not be in their best interest.
“Some social engineers build relationships over time and some have others validate them to increase their credibility,” she continued. “The methods commonly used include phishing – emails purporting to be from reputable individuals to induce individuals to reveal information or take an action, vishing – voice elicitation, smishing – using text messages, and physical intrusion.”
Protecting against phishing, vishing and smishing
CISOs and CIOs need to understand how social engineers leverage these vectors to specifically target victims within an organization in order to protect them, she stressed.
“Specific mitigations can be put in place for different target groups,” she advised. “The most common method that is most easily detected is phishing. Healthcare organizations should consider having an email gateway in place and not allowing personal email to be used within their environment. An email gateway not only protects an organization, it also can report on which employees are being targeted the most and the type of phishing attacks.”
In the United States, the FCC-mandated STIR/SHAKEN protocol should start to help identify callers and reduce phishing that uses spoofed phone calls. Understanding the limitations, including the implementation deadlines, is important. For text messages it is important to train users to recognize that this is an attack method that is becoming increasingly used, she suggested.
“The most important way that CISOs and CIOs are made aware of attacks is by employee reporting,” she said. “To have a successful reporting program, employees need to be empowered by training them to recognize and report suspected social engineering attacks at work and at home.”
Preparing for the impacts of malware
So how do CISOs and CIOs prepare for the impacts of malware, including ransomware?
“It is important that CISOs have conversations with their board and executive management in advance of a malware incident, including ransomware attacks, to determine how the board wants the organization to respond,” Mullin said. “Boards should understand that it is a matter of when, not if, they will have an incident. They need to be able to trust it will be addressed appropriately by their IT and information security leadership.”
Discussing incident response and what the healthcare organization’s capabilities are to detect and respond is crucial, she added.
“This includes discussing what specialists are on retainer or have been pre-approved by the organization’s cyber insurance carrier,” she said. “This should include forensic response, legal and public relations – additionally, when or if the FBI is brought in, and when is HHS notified and by whom. It is important to articulate the risk in business terms, which includes explaining in advance which systems, not applications, can be recovered.”
No guarantees with paying hackers
“Which systems are at risk and how that will impact service delivery,” she continued. “Payments of ransomware help fund future, more advanced ransomware attacks and may be paid to terrorist organizations. The payment of ransomware does not guarantee that the encryption key will be provided or that data will not be published. Cyber insurance as a risk mitigation is an option. But these policies, if you can obtain them, are getting more expensive and are looking to have security infrastructure in place that is not quickly and easily implemented.”
This leads to the final risk-based decision, which is: Does one invest in infrastructure to protect one’s critical systems, or does one wait until after an incident to have a third party repair and replace systems, she said.
“For CIOs, it is important that they know what their software and hardware assets are…