Healthcare executives and employees are hacker targets – 5 steps to protect them
By Tom Crampton
Part of the Cybersecurity Community of Practice Steering Committee
Cyber criminal activity continues to spread rapidly across Australian businesses of all sizes and in all industries. Healthcare is no exception, and frontline employees and ‘C-suite’ executives are increasingly the prime targets. While businesses may feel overwhelmed by the growing risk of cyber attacks and criminal activity, there are simple things that can be done now to manage the immediate risks.
Cyber crime rising – 61% of all data breaches are criminal
For the first three months of 2019, 131 or 61% of the breaches of personal or confidential information reported to the Office of the Australian Information Commissioner (OAIC) were criminal or malicious in nature. Other breaches were attributed to human error (35%) and systems faults (4%). A total of 215 breaches were reported.
The breached information included data about customers, stakeholders and other confidential business information. While the majority of data breaches involved smaller businesses and the exposure of the personal information of 100 individuals or fewer (68% of data breaches), one incident alone affected 10 million people!
Of the 131 criminal or malicious breaches, 87 were the result of cyber criminal activities including:
- tricking employees into disclosing sensitive information or passwords (“phishing”);
- electronic ‘break-ins’ (“hacking”);
- introducing malicious software into a business to damage it or hold data to ransom (“malware” or “ransomware”);
- automated guessing of customer or employee system logins (“brute force” attacks); and
- a number of incidents where the methods used by the criminals remain unknown.
Health sector organisations were a common target in that report, with their access to intimate health and patient-related data as well as insurance and Medicare details attracting the attention of cyber criminals. Next were professional services firms such as accountants and lawyers, which have access to the confidential intellectual property and financial data of numerous individuals and businesses. Similarly, access to the banking and financial product details of numerous individuals and businesses made financial services the third most likely sector for criminals to target.
There were a further seven ‘social engineering or impersonation’ data breaches. Similar to ‘phishing,’ these involve manipulating employees into redirecting electronic payments from legitimate recipients to the criminals’ bank accounts.
‘Social engineering’ incidents which occur via email are known as ‘business email compromise’ or BEC. The Australian Competition and Consumer Commission (ACCC) reported that BEC fraud cost Australian businesses $3.8 million in 2018. Globally, US$12 billion was lost to BEC in the same year according to the FBI.
The growth in ‘social engineering’ and ‘phishing’ crimes in particular reflects a trend for cyber criminals to directly target both senior and frontline employees with fraudulent communications, in addition to continuing their systems-based attacks.
‘C-suite’ executives and health professionals being targeted
Cyber attacks do not focus only on the frontline employees who routinely access customer information. The Verizon Data Breach Investigation Report released earlier this month confirmed that ‘C-suite’ executives across the globe are increasingly being targeted.
They were 12 times more likely to be involved in security incidents and nine times more likely to be the victim of data breaches than in the preceding year. This includes C-suite focused ‘social engineering’ attacks which grew from single digits to dozens of incidents reported in this year’s report.
Healthcare organisations overwhelmed by the cyber challenge
Despite widespread publicity related to cyber crime, the Healthcare sector, and especially its people and processes, remains under-prepared and vulnerable. The growing frequency and complexity of incidents has seen many organisations struggle to balance security preparations with the day-to-day running of their core business.
Consequently, many employees and executives have not been adequately trained to recognise ‘phishing’ and ‘social engineering’ activity. Password management procedures for employees and customers are often poor. Some are unsure how secure their systems or those of their ‘cloud computing’ partners are from external intrusions.
This month, that view was corroborated by the Victorian Auditor-General’s Office (VAGO) who concluded from an audit of “Security of Patients’ Hospital Data” that “Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques”.
5 things Healthcare Professionals can do to protect themselves TODAY
As the risk of cyber crime will only continue to grow, the following are critical steps that healthcare services of all shapes and sizes can take today to manage their immediate risks, while also preparing for future threats:
- Recognise that Cyber is a leadership challenge: To make cyber crime readiness central to the operations of a healthcare service, the ‘C-suite’ needs to lead the change and make it a priority. Implementing and actively (as well as visibly) participating in programs to improve cyber risk management will ensure it is embraced across the organisation.
- Validate new or unusual transactions: Develop simple processes to validate the authenticity of financial transactions which appear unusual, or when existing suppliers and employees alter their bank account details. This addresses key areas of cyber fraud where staff have been tricked into authorising unusual payments, and when criminals impersonate suppliers or employees to trick businesses into re-directing payments to illegitimate bank accounts.
- Use security testing to determine staff training: Implement training programs that connect risky behaviours to learning about why they are risky. For example, my organisation (Trusted Impact) runs programs which assess vulnerability to ‘phishing’ or ‘business email compromise’ activity. Employees who fail these tests are immediately given the opportunity to undertake training to recognise these and similar threats.
- Don’t just train – target behaviour change: Different people absorb new information differently. Awareness programs which make risk mitigation thinking part of day-to-day behaviour need to be thoughtfully designed so awareness of cyber risks becomes ‘second nature.’ It also needs to be reinforced over time to ensure currency and staff readiness.
- Measure progress: “You cannot improve what you cannot measure.” This truism should be reflected by implementing a measurable plan to track the level of engagement that all staff demonstrate with the risk mitigation program. This can be done through ongoing phishing testing or by tracking training course results. Tracking the levels of participation, progress, and performance is vital to determine whether a ‘security aware’ culture is emerging.
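The second step above (validating unusual payments and changed supplier bank details) can be turned into a simple pre-payment check. The script below is an added example, not code from the article or from Trusted Impact: the supplier records, payment requests, BSB/account values and the "twice the typical amount" threshold are all constructed for illustration, and any flagged request is held for out-of-band confirmation rather than approved from the email that requested it.

```python
from dataclasses import dataclass

@dataclass
class Supplier:
    bsb: str             # bank-state-branch code on file (constructed values)
    account: str         # account number on file
    typical_amount: float  # average of recent legitimate payments

@dataclass
class PaymentRequest:
    id: str
    supplier: str
    bsb: str
    account: str
    amount: float
    requested_via: str   # "email" or "portal"

def review_payment(req, suppliers, amount_multiplier=2.0):
    """Return the reasons a request must be verified out-of-band before
    payment; an empty list means it matches the supplier records."""
    flags = []
    rec = suppliers.get(req.supplier)
    if rec is None:
        flags.append("NEW_SUPPLIER")          # first payment: confirm via a known contact
    else:
        if (req.bsb, req.account) != (rec.bsb, rec.account):
            flags.append("BANK_DETAILS_CHANGED")  # classic BEC trigger
        if req.amount > amount_multiplier * rec.typical_amount:
            flags.append("UNUSUAL_AMOUNT")
    # An emailed request that already looks unusual is the BEC pattern:
    # confirm by phone on a number from your records, never by replying.
    if flags and req.requested_via == "email":
        flags.append("EMAIL_ORIGIN")
    return flags

def hold_for_verification(req, suppliers):
    """True when the payment must not proceed without independent confirmation."""
    return bool(review_payment(req, suppliers))

# Constructed sample data: two known suppliers and four incoming requests.
SUPPLIERS = {
    "Acme Medical Supplies": Supplier("062-000", "12345678", 4200.0),
    "CleanCo Services": Supplier("083-004", "98765432", 1500.0),
}
REQUESTS = [
    PaymentRequest("r1", "Acme Medical Supplies", "062-000", "12345678", 4100.0, "portal"),
    PaymentRequest("r2", "Acme Medical Supplies", "013-999", "55550000", 4300.0, "email"),
    PaymentRequest("r3", "CleanCo Services", "083-004", "98765432", 9800.0, "email"),
    PaymentRequest("r4", "NewVendor Pty Ltd", "734-001", "11112222", 800.0, "email"),
]

def triage(requests=REQUESTS, suppliers=SUPPLIERS):
    """Map each request id to its verification flags."""
    return {r.id: review_payment(r, suppliers) for r in requests}
```

Running `triage()` shows r1 passing cleanly while r2 (changed bank details), r3 (unusual amount) and r4 (unknown supplier) are each held, with the email origin recorded as an extra reason.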
For more discussion, join us at HIC19.
CEO, Trusted Impact
Cybersecurity Community of Practice Steering Committee Member