Humans the Weakest Link in Security

 

Automated Security Challenges – Photo Credit Gizmodo

As humans, we are programmed with compassion and a desire to help but this human nature is the foundation of many of the risks that we are exposed to in the digital and cloud filled data world we all inhabit now. Our personal programming and desire to help others in need is part of humanity, but this trait is one of the reasons that hackers are so successful in infiltrating our networks and healthcare systems.

Just take a look at the ease with which this one social engineer hacker managed to gain total access to a user’s cell phone account in under 2 minutes using a combination of clever psychological manipulation, a soundtrack of a crying baby and an oversight in the security protocols for the company:

 

The approach via social engineering is not the end game but is an entry point to carry out targeted attacks and is increasingly in use and even be automated. Like everyone else, hackers are using technology to improve efficiency. Artificial Intelligence is being used in many areas and hacking is no exception to jumping on board this train to improve and increase the number and sophistication of their attacks. As with the case of all technology and innovations – it can be used for good or for bad uses and Artificial Intelligence is no exception.

“These days, the overwhelming number of cyber-attacks are automated. The human hacker going after an individual target is far rarer, and the more common approach now is to automate attacks with tools of AI and machine learning”

There are many types of attack that range from installing malware (software that is intended to damage or disable computer systems), Denial of Service Attacks (DoS), eavesdropping through to Phishing (sending email that people are induced to trust and click on infected links) and the variants – Vishing, and Smishing – voice-based and text-based attacks respectively. In many instances, the first vector for the attack is individuals in organizations fail to identify and prevent breaches.

As one expert in Social Engineering described, despite sending millions of phishing emails and writing books on the topic he too had been “Phished”

Unmasking the Social Engineering Book – Chris Hadnagy; Photo Credit Amazon

 

I can get anyone to click on a phish if I know your motivation and the right time and the right emotional content

 

The Anatomy of an Attack

What might a Phishing attack look like? The following is typical of the steps and methods used to open up a vulnerability in an organization

Opening email and checking for status updates on the clinics patients was a routine task for Colin, as was receiving an email from Lucy Thomson from the associated clinic with a patient referral. When he opened the link, it was confusing as it just displayed Lucy’s departmental web site. Colin assumed the link was broken.

Colin had just been “phished” and that one action would have widespread ramifications for his clinic, department, hospital, and patients as the ransomware that had downloaded and secretly installed from the link he had just clicked were now inside the information systems outer defenses. As the malware was no longer limited by the firewall and security systems as it was inside the perimeter it kicked action seeking out all the other connected devices on the hospital network quietly replicating throughout the network

Days later with the original email long forgotten, computers across the hospital started to lock users out displaying a message that the files had been encrypted and seeking payment in bitcoin for the key to unlocking the hospital systems and threatening to delete files every hour.

Hitting the Mother Lode – Healthcare Data

This problem is set to get much worse as healthcare represents the richest source of data for hackers and any stolen healthcare data attracts a premium when sold on the black-market – anywhere up to ten times the price of buying stolen identities or stolen credit card information.

Since healthcare data contains such a wealth of exploitable information that includes all of your demographic information – names, historical information of where you live, where you worked, the names and ages of your relatives and often includes financial information like credit cards and bank numbers along with your medical history it is the most comprehensive record about the identity of a person that exists today – a veritable treasure trove of opportunity for fraudulent credit and financial applications and ongoing mischief.

Healthcare cybersecurity has entered a new era where the health and safety of our patients can be impacted by malicious hackers. The traditional data security and HIPAA compliance paradigms of the past are not sufficient to limit the potential harms our we and our patient will face.

With the continued utilization of technology in healthcare, the attack surface for hackers has grown. The current regulatory environment surrounding the use of electronic medical records has catalyzed our dependence on such technology and has also incentivized often rapid and less secure system implementations, leading to the ongoing increases in frequency and sophistication of large-scale breaches and hospital network intrusions.

Healthcare Breach Report; Photo Credit HIPAA Journal

 

The delay and disruption of patient care across the globe during the recent WannaCry and Petya has solidified a growing sentiment in healthcare cybersecurity circles that patient care and safety is a very real concern. The speed with which these attacks swept around the world and crippled many companies and services offered a window into future potential challenges and raised the awareness of security. Ultimately the very well-being and lives of our patients may be at risk.

The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption.
Thousands of appointments and operations were canceled and in five areas patients had to travel further to accident and emergency departments.
The Department, NHS England and the National Crime Agency does not know how much the disruption to services cost the NHS

And healthcare continues to struggle to address the rising security threat

In the first six months of 2018, there were 154 breaches reported to the Office for Civil Rights, up 13% compared to the same period in 2017. There were 50 “hacking/IT” incidents specifically during that period in 2018, just two more than there were during the first six months of 2017

 

How do You Secure Your Data and Enterprise?

Security needs to be everyone’s responsibility and has to come from the very top of the organization. This is not just a corporate issue but a personal one and understanding the attack vectors and sharing the stories of individual and corporate failures and losses as a result of poor security are an integral part of mitigation and prevention.

The new imperative is not only making security everyone’s responsibility but equipping everyone with the knowledge and tools to be able to assess security threats in the context of the impact to patient safety these breaches and attacks pose. Increasing staff participation in all aspects of security from the top of the organization down to create a culture of security will create a solid foundation to mitigate the rising risk of security threats

While technology offers tools that can mitigate the risks from these attacks people remain the weakest link in securing the healthcare enterprise and patient data. Without attention to the human factors and creating a security culture that enables people with information and skills to make good decisions healthcare systems will continue to face the recurring nightmare of dealing with security breaches and loss of protected health information

 


Tagged as , , , ,



Comments

Comments are closed.




Search