Ask IT security professionals about the biggest threat to an organization’s IT infrastructure, and many will point toward ransomware.
Ransomware in its original form encrypted an organization’s data, and unless the affected organization paid a ransom, the data was effectively put beyond reach. Ransomware groups would often use phishing emails, stolen credentials, or insufficiently patched internet-facing devices to gain a foothold in the organization. From there, the ransomware payload could be uploaded and distributed to as many devices as possible (including backup servers) before being triggered.
IT organizations changed processes, procedures, and technologies to help mitigate this risk. Unfortunately, Cyber Criminals evolved, too. Once blanket encryption stopped yielding the financial rewards Cyber Criminals wanted, double extortion became the next iteration. Before data was encrypted to bring IT operations to a standstill, it would first be exfiltrated (stolen) and stored by the Cyber Criminals, who promised to delete it if the ransom was paid (not that there was any way to prove this was done; “honor amongst thieves?”).
Well, the next iteration, known as SWATTING, has arrived. SWATTING was a term used to describe the making of calls to emergency services warning of an impending violent crime to trigger a SWAT Team response, usually targeted at a political figure with whom the caller disagreed.
So why am I discussing these details with ASCs?
This SWATTING attack methodology has been modified for the healthcare space. Instead of calling in the SWAT team, information found in exfiltrated data under the control of Cyber Criminal groups is being used to threaten patients directly unless the patient pays a ransom. Healthcare providers are effectively being triple extorted. The threats are: 1) pay, or we will not decrypt your data; 2) pay, or we will publish the fact that your patient data was stolen (including reporting it to regulatory bodies like HHS or the SEC); and 3) pay, or we will go after your customers and extort them.
To compound this, patients are filing class action privacy lawsuits for “negligence” against the healthcare providers whose IT systems were impacted, citing the emotional and financial stress caused by the theft of their private healthcare information.
As has been said many times, healthcare data is valuable in many ways, especially to Cyber Criminals.
How, as an ASC, can the risks of data extortion be reduced, for the sake of both the ASC and its patients’ physical, emotional, and financial well-being?
Recently, HHS (the Department of Health and Human Services) published Cybersecurity Performance Goals for healthcare providers. Here is a summary of the essential goals:
1. Mitigate Known Vulnerabilities (Operating Systems, Applications, Firmware)
2. Email Security (Malware Detection and Quarantining, DMARC)
3. Multifactor Authentication (MFA)
4. Basic Cybersecurity Training (employees are often considered the weakest link in cybersecurity)
5. Strong Encryption (makes stolen data harder to use)
6. Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers (in a timely manner)
7. Basic Incident Planning and Preparedness (Plan for loss of service)
8. Unique Credentials (every employee uses different credentials to compartmentalize the risk)
9. Separate User and Privileged Accounts (reduce the number of employees with admin access as an everyday occurrence)
10. Vendor/Supplier Cybersecurity Requirements (What are our IT vendors doing to protect our data?)
Notice that goal #7 mentions “Basic Incident Planning and Preparedness.” This should include clearly identified steps covering what will be done, by whom, and when. For ASCs without dedicated staff to fulfill these requirements, this may involve using a third-party Managed Security Service Provider (MSSP). Ultimately, patient care must always be the primary motivation; how will it be delivered if IT systems are down?
There are no silver bullets, but these are concrete steps an ASC can take to lower the risk. Like a patient’s well-being, security is not a destination; it is a journey.
Stay Vigilant.
Sites Mentioned:
https://www.hstpathways.com/blog/how-ascs-can-leverage-cybersecurity-performance-goals/
https://www.databreachtoday.com/hackers-try-to-extort-50-from-child-2-million-more-at-risk-a-24364
https://www.databreachtoday.com/cybercriminals-bully-cancer-patients-swatting-threat-a-24075