Are You Protected Against the 5 Top Healthcare Cyber Threats?

The 5 top healthcare cyber threats, according to the U.S. Department of Health & Human Services’ new guide

The financial impact of healthcare cyber attacks can be devastating, especially to small organizations. HHS points out that the healthcare industry has the highest data breach cost of any industry, at an average of $408 per record and $2.2 million per organization, and that in 2016 the healthcare industry as a whole lost $6.2 billion to data breaches.

Noting that healthcare cyber security is “the responsibility of every health care professional, from data entry specialists to physicians to board members,” the U.S. Department of Health and Human Services (HHS) has published Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). The four-volume publication, mandated by Section 405(d) of the Cybersecurity Act of 2015, is aimed at hospital executives and cyber security professionals in healthcare organizations of all sizes and is organized around the NIST Cybersecurity Framework. It describes the five threats HHS considers most common in healthcare and recommends practices, scaled to small, medium and large organizations, to mitigate them.

Email phishing

The overwhelming majority of successful cyber attacks begin with phishing. Business email compromise (BEC), a highly targeted spear phishing technique in which the attacker poses as an executive or vendor to trigger a payment, is responsible for over $12 billion in reported losses globally. Although many people still equate phishing with email, the threat has evolved: attackers now use text messages (smishing), phone calls (vishing) and even social media “quizzes” to trick unwitting victims.

Ransomware

Although several 2018 threat reports found cryptojacking overtaking it as the most common type of malware, ransomware remains a significant healthcare cyber threat, primarily because clinical care depends on timely access to the information stored and processed in healthcare systems; an encrypted EHR system forces a hospital back to paper charts or to diverting patients. About one-quarter of SamSam ransomware victims have been in the healthcare sector, and authorities believe the SamSam operators have collected over $6 million in ransoms.

Loss or theft of hardware

Mobile devices such as laptops, tablets and smartphones have opened up the world of remote work. In healthcare, mobility makes electronic health records practical: providers can access patient data from anywhere. However, these devices are easily lost or stolen, and any PHI or other sensitive information on an unencrypted device must be presumed compromised even if the device is eventually recovered. Under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not considered “unsecured,” so full-disk encryption with a strong unlock credential, remote wipe, and an inventory of which devices hold PHI are what separate a hardware replacement from a reportable breach.

Insider, accidental, or intentional data loss

Insider threats exist in every organization, and they come in two types: accidental and intentional. Intentional insider threats, which involve purposely malicious behavior, are the minority of cases. However, even an accidental insider mistake, such as an employee being tricked into clicking a phishing link or sharing a password “just this one time,” can lead to a ransomware attack, a data breach or another cyber attack. Least-privilege access and audit logging of record access limit how much damage either type of insider can do.

Attacks against smart medical devices

Smart devices are proliferating, and a lack of common security standards means many of them ship with serious weaknesses such as default credentials, outdated embedded operating systems and no practical way to apply updates. The spread of medical IoT devices has given attackers a much broader attack surface on which to target healthcare organizations. Recognizing the severity of this threat, NIST has released a practice guide for securing medical IoT devices, SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations. While SP 1800-8 specifically addresses infusion pumps, its approach of maintaining an asset inventory, segmenting clinical devices onto their own network zones and monitoring their traffic applies across the medical IoT ecosystem.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

The 6 Most Common Cyber Security Mistakes Employees Make

These common cyber security mistakes could get your company hacked.

With an estimated 90% of cyber attacks caused by human error or behavior, it’s important to understand the most common cyber security mistakes your employees are probably making and know how to mitigate them.

Becoming victims of phishing schemes

Stolen login credentials are the most common way attackers breach enterprise systems, and most of the time those credentials are harvested through phishing. Business email compromise (BEC), a highly targeted form of spear phishing, is used to convince employees to wire money or send sensitive data, such as employee W-2 forms, to criminals posing as an executive, vendor or business partner.

Avoid having your employees make this mistake by educating them about the warning signs of a phishing scheme. Organizations must also establish policies against sending sensitive data through email, ensure that employees have access only to the systems and data they need to do their jobs, and require out-of-band verification and a second approver for payment changes and wire transfers, so that a single phished mailbox cannot authorize a transfer on its own.
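The BEC lures described above can also be screened mechanically before they reach an inbox. The following Python script is an added example, not code from the original post or from Continuum GRC: it inspects the headers of an RFC 5322 message for the three tells a payment-approval workflow should catch, namely a display name that matches a known executive whose address is not that executive's, a sender domain that is a lookalike of the corporate domain, and a Reply-To that silently diverts the conversation elsewhere. The corporate domain example-health.com, the executive roster and the two sample messages are constructed for the example.

```python
"""Header-level screen for business email compromise (BEC) lures.

Added example; the domain, roster and sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-health.com"                        # assumed
EXECUTIVES = {"dana reyes": "dana.reyes@example-health.com"}   # constructed roster

# Character sequences that look alike in common fonts; attackers register
# domains that differ from the real one only by one of these swaps.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Lower-case and collapse confusable sequences so lookalikes compare equal."""
    domain = domain.lower().strip()
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is built to be mistaken for ours."""
    domain = domain.lower()
    if domain == CORPORATE_DOMAIN:
        return False
    normalized = normalize_domain(domain)
    return normalized == CORPORATE_DOMAIN or levenshtein(normalized, CORPORATE_DOMAIN) <= 2


def analyze(raw_message: str) -> list[str]:
    """Return human-readable findings for one message; an empty list means clean."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]

    # 1. Display-name impersonation: the name is an executive's, the mailbox is not.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender != expected:
        findings.append(f"display name '{display_name}' impersonates {expected} but was sent from {sender}")

    # 2. Lookalike sender domain.
    if sender_domain and is_lookalike(sender_domain):
        findings.append(f"sender domain '{sender_domain}' is a lookalike of {CORPORATE_DOMAIN}")

    # 3. Reply-To diversion: replies go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender}")

    return findings


# Constructed sample messages: a wire-fraud lure and a legitimate note.
LURE = """\
From: "Dana Reyes" <dana.reyes@exarnple-health.com>
Reply-To: dana.reyes.office@webmail.example
To: ap-clerk@example-health.com
Subject: Urgent vendor payment - confidential

Need a wire out before close of business today. Reply for the account details.
"""

LEGIT = """\
From: "Dana Reyes" <dana.reyes@example-health.com>
To: ap-clerk@example-health.com
Subject: Q3 budget review

Can we meet Thursday?
"""

if __name__ == "__main__":
    for label, text in (("lure", LURE), ("legit", LEGIT)):
        print(label, analyze(text) or ["no findings"])
```

Run as a script it prints three findings for the lure and none for the legitimate message. At a mail gateway, any finding on a message that mentions a payment or bank detail change should route the request into the out-of-band verification step rather than to the employee's inbox; the heuristics are deliberately simple and are a complement to, not a replacement for, SPF, DKIM and DMARC enforcement on the corporate domain.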

Mistakes involving login credentials

This is a broad category of cyber security mistakes that includes:

  • Using weak passwords
  • Not using multi-factor authentication whenever possible
  • Reusing passwords
  • Sharing login credentials
  • Writing credentials down and leaving them in public areas, such as sticky notes in the work area
  • Leaving a terminal unattended without logging out first

Most of these mistakes can be avoided through employee education on the dangers of mishandling login credentials. Organizations can also enforce the right behavior technically: time out idle sessions and lock screens automatically, require MFA (preferring phishing-resistant methods such as hardware security keys over SMS codes), deploy a password manager so that employees can use long, unique passwords without memorizing them, and reject new passwords that appear on common or breached-password lists, as NIST SP 800-63B recommends.
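The items on the list that a server can actually catch are weak, common and reused passwords. The Python below is an added example, not code from the original post: it implements the checks NIST SP 800-63B asks of a verifier at password-change time (a minimum length and a blocklist of common or breached passwords) together with a username check and a reuse check against the user's own history, comparing the candidate against stored salted PBKDF2 hashes so the history never holds plaintext. The 12-character minimum, the blocklist, the iteration count and the sample history are constructed for the example.

```python
"""Password-change validation: length, blocklist, username and reuse checks.

Added example. The policy values, blocklist and sample history are constructed.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # local policy assumption; NIST SP 800-63B requires at least 8
ITERATIONS = 100_000     # kept modest for the demo; use the current OWASP figure in production
BLOCKLIST = {"password", "welcome1", "letmein", "qwerty123", "summer2024"}  # constructed

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
BLOCKED = "on the common/breached password blocklist"
HAS_USERNAME = "contains the username"
REUSED = "already used by this account"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, record: tuple) -> bool:
    """Constant-time comparison of a candidate against one stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def validate_new_password(candidate: str, username: str, history: list) -> list:
    """Return the policy violations for a proposed password; empty means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if candidate.lower() in BLOCKLIST:
        problems.append(BLOCKED)
    if username and username.lower() in candidate.lower():
        problems.append(HAS_USERNAME)
    # Each history entry carries its own salt, so every entry must be re-derived.
    if any(matches(candidate, record) for record in history):
        problems.append(REUSED)
    return problems


if __name__ == "__main__":
    history = [hash_password("CorrectHorseBatteryStaple")]   # constructed prior password
    for pw in ("welcome1", "jdoe-2024-pass", "CorrectHorseBatteryStaple", "Tq8!vRb2#kLz9mWp"):
        print(pw, "->", validate_new_password(pw, "jdoe", history) or ["accepted"])
```

The reuse check is the expensive part, one full PBKDF2 derivation per history entry, which is why history lists are usually capped at a handful of entries. Note that nothing here stops an employee from sharing a strong password; that remains an education and MFA problem.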

Using shadow IT software and services

Over three-quarters of employees admit to using shadow IT software and services at the workplace. Most of the time their intentions are not malicious; they are simply trying to do their jobs better and do not realize how dangerous unsanctioned apps can be to security and compliance. Employee education is the best way to head off this mistake, and the durable cure for shadow IT is a sanctioned alternative that is as easy to use as the unsanctioned one. Technical tools, such as a cloud access security broker (CASB) or review of proxy and DNS logs, can also reveal which shadow IT services are actually in use.

Inserting “mystery” devices into workplace computers

A common social engineering tactic is for attackers to leave USB thumb drives and other plug-in devices in public areas where employees will find them. Sometimes the devices carry labels meant to entice employees to access them covertly, such as “Q4 Performance Reviews,” or an indication that the device contains pornographic content. Such a device need not carry any malware files at all: some present themselves to the computer as a keyboard and type commands the moment they are plugged in. Employees must be educated that a found device goes to IT, never into a workstation, and organizations should back that up with endpoint policy that disables autorun and restricts unapproved removable media.
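Education is the first line against the baited drive, but the event is also visible to the host. The following Python script is an added example, not code from the original post: it reads Linux kernel log lines of the kind produced by dmesg or journalctl -k, reconstructs each USB device from its enumeration messages keyed by port path, and flags two things, a device whose vendor:product ID is not on the organization's allowlist, and a single device that enumerates as both mass storage and a keyboard, which is the signature of a “drive” that actually injects keystrokes. The log lines are constructed in the style of kernel output, the IDs dead:beef are invented, and the allowlist is an assumption.

```python
"""Flag unapproved and keystroke-injecting USB devices from kernel log lines.

Added example; the log lines, the dead:beef device IDs and the allowlist are constructed.
"""
import re

# (idVendor, idProduct) pairs issued by IT; assumed for the example.
ALLOWLIST = {("0781", "5583")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"input: .*Keyboard as /devices/.*/usb\d+/(?P<port>\d+-[\d.]+)/")


def parse_events(lines):
    """Group kernel messages by USB port path (e.g. '1-3') into one record per device."""
    devices = {}
    for line in lines:
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": "", "classes": set()}
            continue
        if m := PRODUCT.search(line):
            if m["port"] in devices:
                devices[m["port"]]["product"] = m["name"].strip()
            continue
        if m := STORAGE.search(line):
            if m["port"] in devices:
                devices[m["port"]]["classes"].add("storage")
            continue
        if m := KEYBOARD.search(line):
            if m["port"] in devices:
                devices[m["port"]]["classes"].add("keyboard")
    return devices


def assess(lines):
    """Return findings for devices that violate the allowlist or look like keystroke injectors."""
    findings = []
    for port, dev in parse_events(lines).items():
        ident = f"{dev['vid']}:{dev['pid']} '{dev['product'] or 'unknown'}' on port {port}"
        if (dev["vid"], dev["pid"]) not in ALLOWLIST:
            findings.append(f"unapproved device {ident}")
        # One physical device exposing both a disk and a keyboard is the BadUSB pattern.
        if {"storage", "keyboard"} <= dev["classes"]:
            findings.append(f"device {ident} enumerates as both mass storage and a keyboard "
                            "(keystroke-injection pattern)")
    return findings


# Constructed log lines in the style of dmesg: an issued stick on port 1-2,
# then a baited device on port 1-3 that also registers a keyboard.
SAMPLE_LOG = """\
[  101.234567] usb 1-2: new high-speed USB device number 4 using xhci_hcd
[  101.381234] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.381240] usb 1-2: Product: Ultra Fit
[  101.381243] usb 1-2: Manufacturer: SanDisk
[  101.382000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  250.000000] usb 1-3: new full-speed USB device number 5 using xhci_hcd
[  250.150000] usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[  250.150100] usb 1-3: Product: Q4_Performance_Reviews
[  250.160000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  250.170000] input: Q4_Performance_Reviews Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:DEAD:BEEF.0002/input/input7
""".splitlines()

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

Keying on the port path is what makes the composite check work: two separate devices behind a hub get distinct paths such as 1-3.1 and 1-3.2, whereas the interfaces of one composite device all share the parent path. In practice this logic runs from a udev rule or a log shipper so the alert fires within seconds of the plug-in, which is the window in which a keystroke-injecting device does its work.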

Making security mistakes when using public WiFi

Free public WiFi networks are ubiquitous, found everywhere from fast-food restaurants to trains. Remote workers and employees who frequently travel for business often take advantage of public WiFi to work on the go. As with shadow IT apps, this is usually a mistake rather than malice or negligence; employees do not realize that on a shared network anyone nearby may intercept unencrypted traffic or stand up a rogue access point using the same network name. In addition to educating employees on best practices when using public WiFi, organizations should provide VPN access to all employees who work remotely and configure it to connect automatically, so that protection does not depend on the employee remembering to turn it on.

Not protecting computers and mobile devices

This security mistake involves physical protection as well as password protection. In a recent survey, over half of working adults admitted to allowing friends and family to access devices given to them by their employers. Employees who travel for work may also leave devices unattended in public areas or hotel rooms or allow strangers to “borrow” their smart phones.

Employees who travel need to be educated about best practices when traveling. Organizations should ensure that these employees’ devices are protected with a strong password or biometric lock, automatic screen locking, and multi-factor authentication for the accounts used on them. If possible, keep clean loaner phones and laptops on hand for travel, holding only the data the trip requires. If an employee must travel with a device that contains sensitive data, make sure the device is fully encrypted and can be wiped remotely if it is lost.

Chinese Hackers Pose a Serious Threat to Military Contractors

Chinese hackers have successfully breached contractors for the U.S. Navy, according to WSJ report.

The years-long Marriott Starwood database breach was almost certainly the work of nation-state hackers sponsored by China, likely as part of a larger campaign by Chinese hackers to breach health insurers and government security clearance files, The New York Times reports. Why would foreign spies be so interested in the contents of a hotel’s guest database? Turns out “Marriott is the top hotel provider for American government and military personnel.” The Starwood database contained a treasure trove of highly detailed information about these personnel’s movements around the world.

Chinese hackers didn’t stop there. According to a report published in the Wall Street Journal last week, nation-state hackers sponsored by China have successfully breached numerous third-party contractors working for the U.S. Navy on multiple occasions over the past 18 months. The data stolen included highly classified information about advanced military technology currently under development, including “secret plans to build a supersonic anti-ship missile planned for use by American submarines.” The WSJ noted that hackers specifically targeted third-party federal contractors because many are small firms that lack the financial resources to invest in robust cyber security defenses.

Testifying Wednesday before the Senate Judiciary Committee, FBI counterintelligence division head E.W. “Bill” Priestap called cyber espionage by Chinese hackers the “most severe” threat to American security, citing the country’s “relentless theft of U.S. assets” in an effort to “supplant [the United States] as the world’s superpower.”

Inconsistent security practices leave U.S. Ballistic Missile Defense System vulnerable to cyber attacks

While the Navy has been hit particularly hard, the entire U.S. government, including every branch of the military, is under constant threat of cyber attack from Chinese hackers and other nation-state actors, and it is ill-prepared to fend off those attacks. Around the same time the Marriott Starwood breach was disclosed, the Defense Department Office of Inspector General (OIG) released an audit report citing inconsistent security practices at DoD facilities, including facilities managed by third-party contractors, that store technical information on the nation’s ballistic missile defense system (BMDS). The report described failures to implement basic security measures, such as:

  • Requiring the use of multifactor authentication to access BMDS technical information
  • Identifying and mitigating known network vulnerabilities
  • Locking server racks
  • Protecting and monitoring classified data stored on removable media
  • Encrypting BMDS technical information transmission
  • Implementing intrusion detection capabilities on classified networks
  • Requiring written justification to obtain and elevate system access for users
  • Consistently implementing physical security controls to limit unauthorized access to facilities that manage BMDS technical information

Cyber security problems abound among DoD and other federal contractors

The OIG report follows another the office issued earlier this year citing security problems specifically at contractor-run military facilities. The WSJ report on Chinese hackers implied that inadequate security is the norm, not the exception, at federal contractors and subcontractors, citing an intelligence official who described military subcontractors as “lagging behind in cybersecurity and frequently [suffering] breaches” that affect not just the military branch they work for but other branches as well.

In theory, military contractors shouldn’t be having these problems. Federal contractors that handle controlled unclassified information (CUI) must implement the security requirements of NIST SP 800-171, and DoD contractors are bound to those requirements by DFARS clause 252.204-7012 (often referred to loosely as “DFARS 800-171”). That clause required DoD contractors to have implemented NIST SP 800-171 by December 31, 2017, or at minimum to document their status in a system security plan (SSP) with plans of action and milestones (POA&Ms) for any unmet requirements. However, many small and mid-sized organizations missed the December 31 deadline, often because they felt they did not have the resources to comply. Continued non-compliance puts these vendors’ contracts at risk of cancellation, and puts national security at risk from Chinese hackers and other cyber criminals.

It’s not too late to begin compliance efforts. If your organization starts working towards compliance now, you can demonstrate to your prime contractor, subcontractor or DoD contracting officer that you have a plan to comply and are making measurable progress against it.

Affordable NIST SP 800-171 and DFARS 252.204-7012 compliance services are available for small and mid-sized federal contractors

Continuum GRC’s IT Audit Machine (ITAM) greatly simplifies the compliance process and significantly cuts the time and costs involved, putting NIST SP 800-171 and DFARS 252.204-7012 compliance within reach of small and mid-sized organizations. Additionally, Continuum GRC has partnered with Gallagher Affinity to offer small and mid-sized federal contractors affordable packages that combine cyber and data breach insurance coverage with NIST SP 800-171 and DFARS 252.204-7012 compliance services.
