Update: HIMSS20 has been canceled due to the coronavirus.
While there is no shortage of technical approaches for hackers targeting a healthcare organization, the fact of the matter is that many attacks start with doctors, administrative workers and the other employees who might not have cybersecurity in mind.
This approach, often referred to under the umbrella term of “social engineering,” is at the core of phishing, pretexting, baiting and several other attack patterns designed to engage and manipulate an individual for the attacker’s gain. And while there are certainly measures that an organization can put into place to prevent these incidents, Kathleen Mullin, chief information security officer at Healthmap Solutions, warns that it’s just a matter of time before one of these attempts breaches the defenses.
“Social engineers have existed for a very long time and this is their full-time job. Part of it is putting controls in place, but when things go wrong you need to fix it,” she said. “It doesn’t matter how much preventative medicine you do, people still get sick. This is the same thing — it doesn’t matter how many preventative controls, how much training you put in place. Things will go wrong, and [you need to] address it when it does.”
Healthcare is particularly vulnerable to these types of attacks for a number of reasons, Mullin explained. For starters, organizations that have already suffered an attack are slow to get back on their feet due to the complexities of replacing hospital IT systems, especially when they’re short-staffed and need to continue providing services to sick patients.
Further, social engineers are able to exploit healthcare staff, who have varying levels of tech literacy and are unlikely to be thinking hard about their once-annual email safety training course while focusing on their patients.
“We’re adult learners and we’re multigenerational, so how one person learns versus another person is completely different,” Mullin said. “If you just tell somebody something once, they don’t actually understand because, guess what, a nurse’s job or a doctor’s job isn’t to learn about security controls. It really isn’t.”
Aside from more frequent (and more engaging) security training, Mullin said that the key for healthcare organizations is to have a plan in place. On the preventive side, encourage staff not to use enterprise devices to check personal email or social media, and if possible enact straightforward controls like attachment screening or delayed message delivery.
But when a social engineering attack does succeed, be prepared to enact an “isolate and amputate” strategy to limit damage to the wider systems, she said. Have conversations beforehand on topics like whether or not your organization is willing to pay out a ransom, when to reach out to law enforcement and how best to handle the eventual media attention that comes with a ransomware attack.
For all of these plans to work, however, she said it’s vital for those in charge to understand their attackers’ tactics, motivations and most likely targets.
“If you know why people are doing things, then you know what to protect,” Mullin said. “And one of the important things is you can’t protect it all, so figure out what we’re protecting, how we’re protecting it, how we’re training our employees — basically, the decisions we should be making in advance and the training we should be doing in advance.”
Mullin will be providing real-world examples of these social engineering strategies and how to prepare for them in a HIMSS20 session titled “Social Engineering in the Healthcare Environment.” It is scheduled for Tuesday, March 10, from 4:15-5:15 p.m. in room W311E.