Any security program has an obvious goal: protect sensitive information from unauthorized access. This is often very easy to say but more difficult to do in our interconnected, on-demand world.
Why? Money! As we have previously discussed, health information is of great value, so malicious organizations are interested in taking it hostage and extorting as much money as they think they can. If that fails (and sometimes even if it doesn’t), they intend to sell it directly on the dark web for others to use. Either way, they turn a profit.
The most obvious question becomes: Where do we start?
To fully understand the issue, one has to shift an organization’s mindset and ask about the basics. What are the potential security risks? Risk analysis is a routine part of any surgical procedure and is as straightforward as identifying the risk, accounting for mitigations, and implementing necessary measures. It is not too dissimilar to IT security risks. First, you need to identify the possible ways malicious organizations could try and enter your environment, then prioritize your response based on probability.
Security survey after security survey has consistently listed the following as potential entry points into computer networks:
- Phishing/Smishing/Vishing
- Malware – Viruses, Ransomware, Botnets
- Man in the Middle attacks
- Insider Threats
- Malvertising
- Password Attacks
- Unpatched Devices
- SQL Injection
Looking at this list, though unpopular as it may be, your employees are the weakest link. Employee behavior allows malware, man-in-the-middle attacks, password attacks, insider threats, and malvertising to be successful. Naturally, we would want to know what these things are and how we can prevent them. In a nutshell: user education.
Phishing/Smishing/Vishing: The Most Common Attack
Phishing/Smishing/Vishing attacks use what’s called Social Engineering. Social Engineering is trying to persuade the end user to act on behalf of the malicious actor and, unfortunately, is endemic because it is so successful. When distracted or rushed, even trained professionals have fallen prey to well-honed social engineering attacks. Whether via email (phish), SMS text message (smish), or voicemail (vish) containing a threat of bad things or a request from “management,” the net results can be potentially devastating to the organization and its patients.
The links included in these attacks can be used to steal credentials (including MFA), download, and install malicious software unbeknownst to the user that can compromise every computer in your network and make its data inaccessible or open to being stolen (exfiltrated).
Some attacks are simply information requests from strangers trying to understand your organization (while pretending to apply for a job), so they can target their attacks (Spear-Phishing). Others mask themselves as a “boss” asking you to buy gift cards because they are busy in a meeting or at a conference, and it would be appreciated if you helped them out.
However, most scams have the following traits.
- They arrive unexpectedly.
- They ask the receiver to do something the sender has never asked the receiver to do before.
- They indicate a sense of urgency, claiming the receiver will be penalized if they do not act immediately.
- The requested action could be harmful to the receiver or their organization if the requested action is taken and is malicious.
In the next post, we will discuss the telltale signs of social engineering that can help employees become more skeptical and less likely to fall prey to social engineering attacks.
What Should I Do Next?
Find a third-party vendor to provide security awareness training and launch a simulated phishing attack at your ASC. These vendors will help to help educate your users about the key indicators of a social engineering attack.
Don’t miss out on the good stuff – Subscribe to HST’s Blog & Podcast!
Every month we’ll email you our newest podcast episodes and articles. No fluff – just helpful content delivered right to your inbox.