Cyber Attacks Focus On Healthcare

Healthcare is now the most vulnerable industry to data breaches, with 328 breaches in 2017 alone (accounting for 60% percent of all breaches last year). The total estimated cost of these breaches reached $1.2 billion.

In 2017, we witnessed large-scale phishing attacks targeting health-care employees leading to the theft of patient data at both Morehead Memorial Hospital and Washington University School of Medicine.

In both attacks, phishing emails were used to obtain login credentials to staff members’ email accounts.

Later in the year, PII (personally identifiable information) of 18,470 patients at Henry Ford Health System in Detroit were exposed due to theft of credentials of a group of employees. The PII was protected using a single factor of authentication (a password) and encrypted at rest.

Through just these few examples, we can see that, despite the complexity of security technologies and investments like data encryption, and network and endpoint security, the most common and effective attack vector is still stolen user credentials. According to the 2017 Verizon Data Breach Report, 81% of data breaches are due to compromised or weak credentials.

Many of the organisations that understand this turn to two-factor authentication (2FA) to strengthen defense against stolen credentials. While simple 2FA helps raise an organisation’s security profile, many commonly deployed 2FA methods are insufficient to fully protect users and data and are easily circumvented.

On its own, 2FA will protect you some of the time but not all the time. Which is fine if you only want some of your organisation protected.

But it can be circumvented by attackers through:

  • Real-time phishing, which coerce a user into giving up their username, password, and one-time passcode by asking them to log into a phishing site or click a malicious link
  • SMS and voice call interception, where an attacker exploits the mobile carrier networks
  • Malware that uses malicious code to scrape SMS one-time passwords
  • Phone number porting fraud that uses social engineering methods to coerce a cellular company’s representative into issuing the attacker with a new SIM card or moving the victim’s phone number to a SIM card that the attacker already has
  • Out of band push-to-accept mechanisms, which essentially relies on bombarding an end-user to click ‘accept’ to make bothersome requests go away

Healthcare providers can strengthen authentication methods by adopting the following:

  1. Implement adaptive authentication and risk analysis, such as analysis of the user’s geographic location, device recognition, analysis of a user’s IP address, and applying machine learning to look for anomalous behavior of the user’s credentials. This provides the highest identity security without impacting user experience. Users are only burdened with an additional authentication step if risks are present. This validates authentic users, like doctors and nurses, while blocking attackers with compromised credentials.
  2. Phase out hard tokens to utilize self-service tools when possible while considering the total cost of ownership., Nurses, doctors and staff can access their data wherever they are through routine mechanisms by evolving to more modern authentication techniques that identify users through elements such as behavioral biometrics.
  3. Prioritise the most flexible solution with the most future potential instead of relying on a quick fix. Choose integration-friendly solutions that maximize existing security investments from a vendor who can be a partner in both security and EPCS & HIPAA compliance. Only then will you achieve an accurate holistic view of all security threats and save considerable effort in compliance audits.
  4. Provide the best possible user experience by building safeguards against human fallibility. By only requiring action when risk factors are high, teams balance security needs with user preferences. Utilize identity signifiers instead of passwords to empower physicians to access data and treat patients without having to call the help desk or initiate an online support ticket.

2FA is not strong enough to protect against even unsophisticated cyber-attacks. Clearly, busy healthcare workers need secure solutions that don’t inconvenience them as they tend to time-sensitive patient problems.

IT decision makers in the health services and patient care industry should strongly reassess their approach to authentication in order to keep their data and organisation out of the cybercrime spotlight.

InfoSecurity Magazine:   Image: Nick Youngson

You Might Also Read: 

Fixing Hacks Has A Deadly Impact On Hospitals:

NHS Trusts Failed Cyber Security Assessment:

 

« How AI Will Define New Industries
UK Launches Cyber Attack On Islamic State »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Bob's Business

Bob's Business

Bob's Business adopts a fresh approach to information security awareness and compliance training, delivering key information through the use of short animated movies.

IGEL Technology

IGEL Technology

IGEL Technology is one of the world's leading thin client vendors. Thin clients increase data security and compliance.

Evok

Evok

EVOK is an IT Service provider specialized in installing, maintaining and supporting IT infrastructures for SMB's in Switzerland.

Information Security Research Association (ISRA)

Information Security Research Association (ISRA)

ISRA is a non-profit organization focused on various aspects of Information Security including security research and cyber security awareness activities.

Protenus

Protenus

Protenus provide a solution to proactively monitor and protect patient privacy in the electronic health record (EHR).

Internet Storm Center (ISC)

Internet Storm Center (ISC)

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with ISPs to fight back against the most malicious attackers.

National Cybersecurity Preparedness Consortium (NCPC)

National Cybersecurity Preparedness Consortium (NCPC)

The mission of the NCPC is to provide research-based, cybersecurity-related training, exercises and technical assistance to local jurisdictions, counties, states and the private sector.

Swarmnetics

Swarmnetics

Swarmnetics helps customers discover hard-to-find software vulnerabilities by hacking your system before the bad guys do.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

Qrator Labs

Qrator Labs

Qrator Labs is a leader in DDoS attack mitigation, helping organizations protect their websites from the most harmful, sophisticated DDoS attacks.

TestArmy

TestArmy

TestArmy CyberForces provide you with a broad spectrum of cybersecurity services to test every aspect of your IT infrastructure security and software development process.

ADL Consulting

ADL Consulting

ADL Consulting provide information security-related consultancy and training support to businesses across the UK. Our services include ISO27001, GDPR, Cyber Essentials and training.

Searchlight Cyber

Searchlight Cyber

Searchlight Cyber is a leading darknet intelligence company. Working with law enforcement, industry, and end users to help protect society against the threats of the darknet.

Senteon

Senteon

Senteon is a turnkey cybersecurity platform designed to make securing confidential data affordable, understandable, and streamlined for small-to-mid sized businesses and MSPs.

Association for Uncrewed Vehicle Systems International (AUVSI)

Association for Uncrewed Vehicle Systems International (AUVSI)

AUVSI is the world's largest nonprofit organization dedicated to the advancement of uncrewed systems and robotics. Focus areas include cyber security for uncrewed systems and robotics.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.