Cyber Attacks Focus On Healthcare

Uploaded on 2018-04-23 in BUSINESS-Services-Health & Welfare, FREE TO VIEW, NEWS-Cybersecurity News

Healthcare is now the most vulnerable industry to data breaches, with 328 breaches in 2017 alone (accounting for 60% percent of all breaches last year). The total estimated cost of these breaches reached $1.2 billion.

In 2017, we witnessed large-scale phishing attacks targeting health-care employees leading to the theft of patient data at both Morehead Memorial Hospital and Washington University School of Medicine.

In both attacks, phishing emails were used to obtain login credentials to staff members’ email accounts.

Later in the year, PII (personally identifiable information) of 18,470 patients at Henry Ford Health System in Detroit were exposed due to theft of credentials of a group of employees. The PII was protected using a single factor of authentication (a password) and encrypted at rest.

Through just these few examples, we can see that, despite the complexity of security technologies and investments like data encryption, and network and endpoint security, the most common and effective attack vector is still stolen user credentials. According to the 2017 Verizon Data Breach Report, 81% of data breaches are due to compromised or weak credentials.

Many of the organisations that understand this turn to two-factor authentication (2FA) to strengthen defense against stolen credentials. While simple 2FA helps raise an organisation’s security profile, many commonly deployed 2FA methods are insufficient to fully protect users and data and are easily circumvented.

On its own, 2FA will protect you some of the time but not all the time. Which is fine if you only want some of your organisation protected.

But it can be circumvented by attackers through:

  • Real-time phishing, which coerce a user into giving up their username, password, and one-time passcode by asking them to log into a phishing site or click a malicious link
  • SMS and voice call interception, where an attacker exploits the mobile carrier networks
  • Malware that uses malicious code to scrape SMS one-time passwords
  • Phone number porting fraud that uses social engineering methods to coerce a cellular company’s representative into issuing the attacker with a new SIM card or moving the victim’s phone number to a SIM card that the attacker already has
  • Out of band push-to-accept mechanisms, which essentially relies on bombarding an end-user to click ‘accept’ to make bothersome requests go away

Healthcare providers can strengthen authentication methods by adopting the following:

  1. Implement adaptive authentication and risk analysis, such as analysis of the user’s geographic location, device recognition, analysis of a user’s IP address, and applying machine learning to look for anomalous behavior of the user’s credentials. This provides the highest identity security without impacting user experience. Users are only burdened with an additional authentication step if risks are present. This validates authentic users, like doctors and nurses, while blocking attackers with compromised credentials.
  2. Phase out hard tokens to utilize self-service tools when possible while considering the total cost of ownership., Nurses, doctors and staff can access their data wherever they are through routine mechanisms by evolving to more modern authentication techniques that identify users through elements such as behavioral biometrics.
  3. Prioritise the most flexible solution with the most future potential instead of relying on a quick fix. Choose integration-friendly solutions that maximize existing security investments from a vendor who can be a partner in both security and EPCS & HIPAA compliance. Only then will you achieve an accurate holistic view of all security threats and save considerable effort in compliance audits.
  4. Provide the best possible user experience by building safeguards against human fallibility. By only requiring action when risk factors are high, teams balance security needs with user preferences. Utilize identity signifiers instead of passwords to empower physicians to access data and treat patients without having to call the help desk or initiate an online support ticket.

2FA is not strong enough to protect against even unsophisticated cyber-attacks. Clearly, busy healthcare workers need secure solutions that don’t inconvenience them as they tend to time-sensitive patient problems.

IT decision makers in the health services and patient care industry should strongly reassess their approach to authentication in order to keep their data and organisation out of the cybercrime spotlight.

InfoSecurity Magazine:   Image: Nick Youngson

You Might Also Read: 

Fixing Hacks Has A Deadly Impact On Hospitals:

NHS Trusts Failed Cyber Security Assessment:

 

« How AI Will Define New Industries
UK Launches Cyber Attack On Islamic State »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

CERT.LV

CERT.LV

CERT.LV is the national Computer Emergency Response Team for Latvia.

BSA - The Software Alliance

BSA - The Software Alliance

BSA is the leading advocate for the global software industry before governments and in the international marketplace.

Bit4id

Bit4id

Bit4id provides software and systems for security and identification based on PKI technology.

Haystax Technology

Haystax Technology

Haystax’s security analytics platform applies artificial intelligence techniques to identify and prioritize threats in real time.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Omada

Omada

Omada is a leading provider of IT security solutions and services for identity management and access governance.

Nexis

Nexis

Nexis GmbH is a German IT security company specializing in IAM, access control, and risk management.

Data Eliminate

Data Eliminate

Data Eliminate provide data destruction, secure end-of-life IT asset disposal, and data protection consultancy services.

UltraSoC Technologies

UltraSoC Technologies

Saepio Solutions

Saepio Solutions

Saepio promote an all-encompassing approach to cybersecurity, ensuring the appropriate balance of budget and resource across Policy, Product and People.

CyberPeace Foundation

CyberPeace Foundation

CPF is a think tank of cybersecurity and policy experts with the vision of pioneering Cyber Peace Initiatives to build collective resiliency against CyberCrimes and global threats of cyber warfare.

US Fleet Cyber Command (FLTCYBER)

US Fleet Cyber Command (FLTCYBER)

US Fleet Cyber Command is responsible for Navy information network operations, offensive and defensive cyberspace operations, space operations and signals intelligence.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Effectiv

Effectiv

Effectiv is a real-time fraud & risk management platform for Financial Institutions and Fintechs.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.