January 2019, Volume XXXII, No 10
Is your practice prepared?
The human element is a key factor in cyber and computer network operations, and it is the most unpredictable factor in cybersecurity. Patient records contain a wealth of personal information, and many hackers have learned to trick unsuspecting health care employees into helping them plan and execute their data breaches through “social engineering,” defined in information security terms as the art of using influence or manipulation to trick targets into giving up confidential information or access to an organization. Cybercriminals will often use social engineering tactics as a first step in gaining access to privileged information because it is generally easier to exploit human weaknesses than to breach network or software vulnerabilities.
According to the 2016 Healthcare Industry Cybersecurity Report (Information Security Media Group), health care ranks 15th out of 18 industries in social engineering. This is a clear reflection of the vulnerability of health care organizations to this type of breach. That same report said that data breaches occurred in 85 percent of large health care organizations’ systems in 2014.
Social engineering depends on human inclinations toward trust, curiosity, and empathy. One of the reasons that social engineers love health care employees is their natural tendency to be trusting and their desire to be helpful. The complexity of most health care organization structures, networks, and systems is also an advantage to social engineers.
One form of social engineering that lets cybercriminals gain physical entry to a facility is called tailgating. Here are some common scenarios:
More commonly, cybercriminals act remotely, using electronic social engineering techniques. Common examples include phishing and spear-phishing, business email compromise, and ransomware.
Phishing and spear-phishing
Phishing attacks use email or fake websites to trick employees into clicking on a link and/or entering personal information, allowing access to a network or system to collect billing and health information or deposit malware.
Phishing emails and websites are often designed to look as if they have come from a legitimate source. In November 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notified health care-covered entities of a phishing scam that used fake government letterhead and a fake email address to direct individuals to a fake URL. The fake email address and fake URL each had only a very subtle difference (a single added hyphen) from the official addresses, a typical approach in phishing scams.
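The OCR scam above relied on a sender address and URL that differed from the real ones by a single added hyphen. The following is an added example, not part of the article, of the kind of check a mail filter or help desk script can run: it compares the domain of a From: address against a list of domains the practice trusts and flags any that are within one edit (one inserted, deleted or substituted character) of a trusted domain without being identical to it. All domains used below are constructed placeholders under the reserved .example top-level domain.

```python
"""Flag look-alike sender domains, e.g. a trusted domain with one added hyphen.

Added example (not from the article). The trusted domains and the sample
From: headers are constructed placeholders.
"""

# Constructed list of domains this practice treats as legitimate senders.
TRUSTED_DOMAINS = ("clinic.example", "payer-portal.example", "agency.example")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract and normalise the domain from 'Name <user@host>' or 'user@host'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (one edit away from a trusted domain) or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if edit_distance(domain, good) == 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers; the second differs by one added hyphen.
    for hdr in ("Notices <ocr@agency.example>",
                "Notices <ocr@agen-cy.example>",
                "vendor@unrelated.example"):
        print(f"{hdr:35} -> {classify_sender(hdr)}")
```

A one-edit threshold will also flag very short domains that happen to be near a trusted one, so treat a "lookalike" result as a reason to verify the sender out of band rather than as proof of fraud.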
Spear-phishing is a specific method of phishing that targets specific individuals or groups within an organization. Emails, social media, and other platforms can be used to persuade users to divulge personal information or perform actions that lead to network compromise, data loss, and/or financial loss. While phishing often involves random individuals, spear-phishing is aimed at specific targets and involves prior research. According to the Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3), phishing and related tactics were the third highest cybercrime experienced across the nation in 2017.
Business email compromise
Business email compromise (BEC) is a sophisticated crime that typically targets employees who have access to company finances. The cybercriminals trick these individuals into making a wire transfer to accounts that appear to belong to trusted partners but are actually controlled by the criminals.
BEC, also known as CEO spoofing, often starts with the criminals gaining access to a company’s network through a spear-phishing attack and the use of malware. This allows the criminals to study the organization’s vendors and billing systems, as well as the CEO’s style of communication and perhaps even his or her travel schedule, without detection. When the time is right, a spear-phishing request is made to a specific individual, such as a bookkeeper, accountant, controller, or CFO, requesting an immediate wire transfer, often to a trusted vendor. If paid, this money is often hard to recover due to laundering techniques and accounts that drain the funds into other accounts that are difficult to trace.
Ransomware
Ransomware is a type of malware in which attackers lock the data on a victim’s computer, typically by encryption, and payment is demanded before the ransomed data are decrypted and access returned to the victim. In 2017, the FBI’s IC3 received 1,783 ransomware complaints with adjusted losses of over $2.3 million.
Unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal’s identity isn’t known. Of course, there’s no guarantee that the criminals will release the files or that the files have not been breached or disrupted in some way.
There is usually a delay between the insertion of the ransom software and the execution of the attack. This delay is intended to enhance the spread of the ransomware throughout the system, especially into backup files. This decreases the likelihood that the data can be recovered without paying the ransom.