Article by Proofpoint APJ vice president Tim Bentley
Australians have until January 31 to decide if they will opt out of a nationwide My Health Record initiative designed to ensure healthcare providers have instant online access to important patient information.
At the same time, cybercrime is the fastest growing crime in the world, and Australia’s healthcare sector is the continent’s biggest target according to a July report from the Australian Information Commissioner.
While Australian healthcare cybersecurity teams are in a constant fight to defend patient information from cybercriminals, there are three important steps healthcare providers can take to proactively secure their systems from online compromise.
Cybercriminals have shifted methods from attacking network infrastructure to attacking users directly to break into systems and access patient information.
While facilities can eliminate most legacy threats at the network perimeter, targeted attacks can circumvent the most sophisticated security software to exploit well-intentioned employees.
All it takes is one well-crafted email and a single click to lose critical patient information.
IT and senior management must work together to develop a robust cybersecurity awareness training program that every employee completes.
As it stands, approximately 3 in 4 (73.5%) healthcare organisations provide cybersecurity awareness training for end users, but only half of those trainings occur annually.
While this may satisfy regulatory requirements, it isn’t optimal for memory retention and doesn’t adequately keep pace with today’s rapidly evolving threat landscape.
Continuous awareness training aimed at the most targeted people within an organisation needs to be prioritised.
Using real-world simulations within these trainings will also help staff members recognise the attacks they are likely to encounter across email, cloud apps, and social media.
To address today’s attacks, healthcare organisations must practice the “ounce of prevention is worth a pound of cure” model by deploying a multi-layered approach to network defences.
Today’s fast-moving, people-centred attacks are immune to conventional signature and reputation-based defences.
In addition to firewalls and other perimeter security, a dedicated email security application must also be in place, removing employees from the equation whenever possible.
One of the most effective weapons in an attacker’s arsenal is business email compromise (BEC) or email fraud, in which malicious emails are disguised to appear to come from a trusted source – often a CEO or CFO.
BEC uses social engineering tactics to fool victims into wiring funds, sending patient information, or divulging login credentials to someone the employee perceives is an authority figure.
Email fraud attempts are widespread in this industry and phishing attacks are at an all-time high. Healthcare employees are especially vulnerable to email-based attacks due to the high volume of personal health information they access, their frequent email communication with patients, time constraints in acute care settings, and highly publicised ransoms being paid by clinics and hospitals.
There has been a significant uptick in email fraud attacks aimed at clinical staff, business associates, and even patients – basically anyone who can access medical records.
Proofpoint’s research has shown that cybercriminals are especially targeting pharmacy directors, who control drug access, and chief nursing officers, along with any employee who can legitimately access all patient records.
These attacks are tailor-made for the recipients, often including specific references to the individual gleaned from researching their social media accounts.
This research is done with the goal of getting their attention and increasing the likelihood that the email is opened.
Rounding out this Pandora’s box of vulnerability is the fact that many medical facilities have complex supply chains running multiple clinical systems and security applications – many of them outdated.
One additional important component of an effective email security strategy is to deploy email authentication protocols such as DMARC and lookalike domain defences.
These technologies stop many attacks that use your trusted brand to trick employees, partners, vendors, and patients.
Our research shows that 1 in 5 emails purported to be from a healthcare organisation in 2017 was fraudulent.
Furthermore, of three billion emails using the domain of a known healthcare brand, about 8.3% of these were in fact from sources that were either unauthorised or malicious.
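The two controls named above, DMARC and lookalike domain defences, can be checked with a few lines of code. The script below is an added example written for this article, not Proofpoint code or a Proofpoint product feature. It assesses a DMARC TXT record for the weaknesses a defender would want to fix (a monitor-only `p=none` policy, a partial `pct=`, no aggregate reporting address) and flags sender domains that are confusable with a trusted healthcare domain. The DNS records and domain names are constructed samples held in memory so the script runs offline; in practice the TXT record would come from a DNS query for `_dmarc.<domain>`.

```python
"""Added example: assess a DMARC record and flag lookalike sender domains.

DNS lookups are replaced by a constructed in-memory table so this runs offline.
"""

# Constructed sample records, standing in for the answer to a TXT query of _dmarc.<domain>.
SAMPLE_DMARC_TXT = {
    "hospital.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example; pct=100",
    "clinic.example": "v=DMARC1; p=none; rua=mailto:reports@clinic.example",
    "pharmacy.example": "v=DMARC1; p=quarantine; pct=25",
}


def parse_dmarc(txt):
    """Split a DMARC record into a tag -> value dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt):
    """Return (effective policy, list of weaknesses) for a DMARC TXT record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid DMARC record: spoofed mail is not rejected or reported"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return policy, findings


def audit_domain(domain, records=SAMPLE_DMARC_TXT):
    """Assess the (sample) DMARC record published for a domain."""
    return assess_dmarc(records.get(domain, ""))


# Character substitutions commonly seen in lookalike domains; applied to both sides
# before comparison so that "hospita1" and "hospital" normalise to the same string.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalise(domain):
    domain = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, trusted_domains):
    """True if sender_domain is not trusted but is confusable with a trusted domain."""
    sender = sender_domain.lower()
    if sender in trusted_domains:
        return False
    sender_norm = normalise(sender)
    for trusted in trusted_domains:
        trusted_norm = normalise(trusted)
        if sender_norm == trusted_norm:          # homoglyph substitution
            return True
        if edit_distance(sender_norm, trusted_norm) <= 1:  # one-character typosquat
            return True
        # Trusted name embedded in an unrelated domain (hospital-example.com), while a
        # genuine subdomain such as mail.hospital.example is left alone.
        trusted_label = trusted.split(".")[0]
        if trusted_label in sender_norm and not sender.endswith("." + trusted):
            return True
    return False


if __name__ == "__main__":
    for name in SAMPLE_DMARC_TXT:
        print(name, audit_domain(name))
    for candidate in ("hospita1.example", "hospital-example.com", "mail.hospital.example"):
        print(candidate, is_lookalike(candidate, ["hospital.example"]))
```

The embedded-name check deliberately errs on the side of flagging: a domain such as `hospitality.example` would be surfaced for review, which is the right trade-off for an inbound mail rule that quarantines rather than deletes.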
You can’t defend against what you don’t know.
As more and more organisations rely on cloud-based solutions to conduct global operations, enterprise security teams must have clear visibility into the third-party applications running within their environments (Microsoft Office 365, Google G Suite, Box and others) and appropriately secure them.
Best practice calls for organisations to deploy a cloud access security broker (CASB) solution that combines user-specific risk indicators with cross-channel threat intelligence to analyse user behaviour and detect anomalies in third-party apps.
Without this, healthcare providers don’t know when users and patient data are at risk.
CASB solutions allow IT administrators to deploy tools to detect unsafe files and content, credential theft, data loss, third-party data access, and abuse by cloud scripting apps.
Healthcare cyber attacks can have serious, if not fatal, consequences, and Australians need to be able to trust healthcare providers with their information.
It’s essential that security teams have the proper technology to quickly remediate risk while proactively educating the healthcare workforce to detect and quarantine today’s online threats.