Following recent headlines highlighting online attacks on hospital data security around the country, many are discussing the growth of not only ransomware, but various methods of targeted attacks and how to stop them.
One way is for hospitals to raise information security awareness, especially in the area of social engineering attacks. These attacks prey on employees’ courteous, helpful and accommodating natures.
These attacks can be carried out through email, phone, online platforms and physical intrusions. They encompass manipulative techniques designed to prey on basic human nature.
In the healthcare industry, people want to help and look out for one another, so they will likely be more willing to share information and trust one another. Social engineering attackers count on it.
Social engineering hacks also thrive in hectic environments – like in a hospital – where employees are busy and distracted with other important tasks.
Finally, especially in large hospital environments, employees likely don’t know the names and faces of many of the people working in different departments or on other floors. If a social engineer has enough information to convince an employee that he or she also works at the hospital, often the impersonator is not questioned further.
Types of online attacks
There are so many ways these hackers can get into a system, it is no wonder these online attacks are so often successful.
With phone-based phishing attacks, hackers call and attempt to gain information that would allow them to bypass security controls and answer security questions.
In web-based and email-based attacks – phishing scams – they can send targeted emails asking the user to visit a website designed to elicit sensitive information. Or an email could ask the user to reply to the message with sensitive information.
In a USB drop, hackers load a device with custom-developed software that will launch a virus when executed by the user.
Finally, and often most surprisingly, hackers can actually gain physical access to a hospital and its devices by tricking and evading onsite security personnel.
Those who think that their badge system, cameras, and door locks will prevent these types of attacks are definitely mistaken. Social engineers act and look like they belong in whatever situation they find themselves in.
They don’t sneak around suspiciously; they smile and greet employees in corridors, and they know information about the organization.
Social engineering is often overlooked in hospital data security strategy considerations, because it’s not something that can necessarily be fixed through new technology or better passwords.
The only thing that will save an organization from being compromised by any of these types of attacks is better employee security awareness training and regular reminders on its importance.
Unfortunately, many hospitals only train employees at the time of hire, and after that perhaps just annually. Organizations simply don’t see this type of security training as crucial to their operations when so much more is at stake on a daily basis. As a result, the information doesn’t stay top of mind for employees, and these attacks are typically successful.
Ransomware attacks are gaining headlines and driving more people into taking cybersecurity more seriously.
In today’s connected world, hospitals, like all other businesses, have many devices connected to the same network. The MRI machine and monitors are connected to the computers in the lobby and at the nurses’ stations. If a skilled hacker were to gain access to any one of these numerous devices, he or she could theoretically gain access to and control of every single device on the network. This includes medical devices.
To thwart these types of attacks, hospitals need to create a “culture of security.” While this may sound like a daunting task, it can be done.
With recurring training on hospital data security topics and simple reminders sent out on a regular basis, employees stand a much better chance of thwarting social engineering attacks.
Employees need to be trained not to be afraid to challenge strangers or to get a manager involved, and they must not be punished when they do so.
They should watch for questions that don’t seem to match the position of the individual with whom they are speaking, and verify before trusting anyone on the phone, via email or in person.
Although it seems obvious (it often is not), employees should be trained and reminded not to plug in USB drives they find on the premises when they don’t know for sure what is on them.
Hospitals need to take better care in building a secure network from the start, and update their systems regularly.
Through network controls and segmentation, IT teams can block hackers from being able to reach medical devices from a lobby computer.
By stopping and slowing down hackers within the network itself, and by detecting their presence more quickly, organizations can prevent actual physical harm from coming to any patient.
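As an added illustration of the segmentation point above (example code written for this page, not a description of any hospital's or vendor's deployment), the following toy model places lobby computers, nurses' stations and medical devices in separate zones with a default-deny allow-list, and flags cross-zone flows that the policy denies so they can be detected rather than silently succeed. The zone subnets, the allowed flows and the sample flow records are all constructed assumptions; port 104 is used as the DICOM default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones: each group of systems lives on its own subnet so the
# network, not employee goodwill, decides who may talk to whom.
ZONES = {
    "lobby":      ipaddress.ip_network("10.10.0.0/24"),  # public-area PCs
    "clinical":   ipaddress.ip_network("10.20.0.0/24"),  # nurses' stations
    "meddevice":  ipaddress.ip_network("10.30.0.0/24"),  # MRI, monitors
    "management": ipaddress.ip_network("10.40.0.0/24"),  # IT / biomed staff
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port

# Explicit allow-list (assumed for the example); anything not listed is denied.
ALLOW = [
    Rule("clinical", "meddevice", 104),   # DICOM image transfer from nurses' stations
    Rule("management", "meddevice", 22),  # biomed engineering maintenance access
    Rule("lobby", "lobby", None),         # lobby PCs may only talk among themselves
]

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly permits it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src_zone == src and r.dst_zone == dst
               and (r.dst_port is None or r.dst_port == dst_port) for r in ALLOW)

def flag_denied_flows(flow_records):
    """Return alert strings for flows ('src dst port') that violate the policy."""
    alerts = []
    for rec in flow_records:
        src, dst, port = rec.split()
        if not is_allowed(src, dst, int(port)):
            alerts.append(f"DENY {zone_of(src)}->{zone_of(dst)} {src}->{dst}:{port}")
    return alerts

# Constructed sample flows: a lobby PC probing a monitor, a nurse pulling images.
SAMPLE_FLOWS = ["10.10.0.5 10.30.0.20 104", "10.20.0.7 10.30.0.20 104",
                "10.10.0.5 10.30.0.20 22"]
```

Running `flag_denied_flows(SAMPLE_FLOWS)` yields two alerts, both for the lobby machine reaching toward the medical-device zone, while the nurses' station flow passes.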
Tom DeSot is the Chief Information Officer of Digital Defense, Inc. (DDI). He is charged with developing and maintaining relationships with key industry and market regulators, and also serves as the prime regulatory compliance resource for external and internal contacts at DDI.