Healthcare Cybersecurity: Why Technical Controls Aren’t Enough
By Dane Boyd, Lead Solution Manager at PhishLabs
Over the past few years, the healthcare industry has been a rich hunting ground for profit-motivated cyber criminals. Healthcare cybersecurity is more important than ever before.
Healthcare records are an extremely attractive target for enterprising hackers, and with some of the lowest security budgets of any major industry, it’s really no surprise that healthcare organizations are increasingly being targeted.
Here’s the real problem. Despite all the headlines, healthcare organizations all over the world are still dragging their feet where security is concerned.
And when a single healthcare data breach can net a hacker up to $1.7 million, now is the worst time to pretend everything is fine.
Of course, if you’re involved with healthcare security, you’re already intimately aware of these problems. With such limited security budgets and a plethora of security holes to fill, what can you possibly do to secure your organization?
I’ve worked with many healthcare organizations, and I can confidently say your #1 priority should be your users. Here’s why.
End Users: Blessing or Curse?
If you want to make radical changes to your healthcare organization’s security program, it can be tempting to start by scanning the security market for potential investment opportunities.
But I wouldn’t recommend that. The cybersecurity industry is growing extremely fast; a cursory look at what’s available is enough to make anyone’s head spin.
Instead, it pays to analyze past breaches. New threats might be exciting and newsworthy, but the vast majority of breaches are caused by a small number of historically successful attack vectors. And according to Verizon’s 2016 Data Breach Investigations Report, when it comes to attacks on the healthcare industry there are three primary threats to consider:
Insider threats
Lost/stolen devices
Phishing (including phishing-delivered ransomware)
Notice any common factors here? I’ll give you a clue: They all rely on human error.
Yes, even the insider threat is primarily a case of silly mistakes. Sure, you get the odd disgruntled employee engaging in vandalism or espionage, but for the most part insider threats are far less glamorous: well-meaning users putting the organization at risk by inadvertently handling sensitive data in insecure ways.
But if you invest the time and resources necessary to train your users, you can significantly enhance the cybersecurity profile of your healthcare organization in a surprisingly short period of time.
What Good is Security “Awareness”?
I’m going to put this out there: The vast majority of security awareness training sucks.
Not exactly a controversial opinion, right? Almost everybody feels the same way. It’s tedious, infrequent, and quite honestly it wouldn’t exist at all if it weren’t a key requirement of HIPAA compliance.
But before you start allocating additional funding to your existing program, I have a genuinely controversial opinion to share.
It’s not just the operational side of security awareness training that needs improvement; it’s the whole concept.
Hear me out.
What’s the value of security awareness? In theory, it’s about providing users with additional security information in the hopes that it will lead to better decision making. But in practice that just doesn’t happen.
People are too busy and too distracted to apply occasional classroom training to real world situations. No matter how much awareness training they receive, their decision making in the moment rarely improves.
So rather than betting the farm on a model that so seldom changes what people actually do, we’d be better off working from a different paradigm. My humble suggestion would be to focus on security behaviors: observable actions you can measure, rather than knowledge you hope will be applied.
Picture this: Instead of simply providing security information, you could teach your employees the practical security skills they need to identify and prevent potential security risks. Not only that, once you’ve identified the skills your users need, you could test them regularly to ensure a consistent standard of practice across the organization.
Let’s take a look at an example of how you might do that.
Ready, Set, Phish
Earlier on we shared the three most common causes of a data breach: Insider threats, lost/stolen devices, and phishing.
Now, with a few technical controls such as device encryption and user access management, and a little training, the threat of careless insiders and device theft can be dramatically curbed. Sadly, phishing isn't so easy to conquer.
Phishing emails (also known as “lures”) are routinely used to deliver malware (e.g., keyloggers or ransomware), steal login credentials, and even trick users into making large payments right into hackers’ bank accounts. Sophisticated attacks make use of a variety of techniques to convince users of their legitimacy, and can be almost impossible for untrained users to identify as malicious.
And here’s the thing. Irrespective of the technical mechanisms used later on, a large proportion of data breaches start with a phishing email. And sadly, while technical controls such as mail filtering, attachment sandboxing and URL rewriting can reduce the volume and limit the impact of phishing, there is no way to block 100 percent of incoming malicious emails; some will always reach a user’s inbox.
So what, then, can be done to modify user security behaviors in a way that minimizes the risk posed by phishing? How can we train users to identify and report phishing lures, instead of falling for them?
Simple: Phish your own users… regularly.
Does that sound odd? It shouldn’t. The most reliable way to train your users to identify and report the latest sophisticated phishing lures is to create your own based on real-world samples, and routinely send them to your users.
Now, of course, you will need to provide a level of training before you start sending out your phishing simulations. Your users will need to understand why the program exists, how they’ll be tested, and what to look out for. They’ll need to understand the tactics and techniques employed by attackers to make their phishing lures appear legitimate.
Perhaps most importantly, your users will need to understand just how dire a threat phishing is to your organization, and how reported phishing emails can be used to help you identify and quarantine future campaigns.
But ultimately, it’s the simulated phishing campaigns that will help you track your users’ ability to identify and report phishing emails.
Why Winning is Important
When a user receives a malicious email (or a simulation) there are three possible outcomes:
They fall for it and follow any instructions given
They ignore it
They report the email to your security team
And when you first start out with a program like the one I’ve described above, anything other than option one feels like a win. In reality, though, there’s a huge difference between an ignored phish and a reported phish.
Anytime a real phishing email is reported, your security team has the opportunity to extract its indicators (sending domain, reply-to address, URLs, attachment hashes) and use them to identify and quarantine other emails from the same campaign that are still sitting unread in other inboxes. Naturally, this activity alone can prevent a lot of breaches.
But there’s more to it. The whole program will rely on your ability to construct phishing lures that resemble those used in the real world. What better way to achieve this than to routinely collect and analyze real samples of malicious incoming email?
And where do those samples come from? Reported phishing emails.
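Here is what that quarantine step looks like in practice. This is an added example and not PhishLabs code: it takes one message forwarded by a “Report Phish” button, pulls out the sender domains, URL hosts and normalized subject, and then searches a mail-gateway log for other messages sharing any of those indicators. The reported email, the log rows, and every domain and recipient in it are constructed for illustration.

```python
"""Turn one user-reported phish into campaign indicators and find its siblings.

Added example (not PhishLabs code). The reported message and the mail log
below are constructed inline; every sender, host and recipient is made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample of what a "Report Phish" button would forward (assumption:
# the button forwards the original as an attachment, so headers survive).
REPORTED_EMAIL = """\
From: HR Benefits <benefits@hr-portal-example.net>
Reply-To: enroll@hr-portal-example.net
To: nurse1@hospital.example
Subject: ACTION REQUIRED: Re-enroll in 2017 benefits today
Content-Type: text/plain

Open enrollment closes tonight. Sign in at
http://hr-portal-example.net/login?u=nurse1 to keep your coverage.
"""

# Constructed mail-log rows (assumption: exported from the mail gateway).
MAIL_LOG = [
    {"id": "m1", "sender": "benefits@hr-portal-example.net",
     "recipient": "doc2@hospital.example",
     "subject": "ACTION REQUIRED: Re-enroll in 2017 benefits today",
     "urls": ["http://hr-portal-example.net/login?u=doc2"]},
    {"id": "m2", "sender": "payroll@hr-portal-example.net",
     "recipient": "admin3@hospital.example",
     "subject": "Your payslip is ready",
     "urls": ["http://hr-portal-example.net/payslip"]},
    {"id": "m3", "sender": "newsletter@vendor.example",
     "recipient": "doc2@hospital.example",
     "subject": "Re-enroll in benefits",
     "urls": ["https://vendor.example/news"]},
    {"id": "m4", "sender": "benefits@hospital.example",
     "recipient": "nurse1@hospital.example",
     "subject": "Benefits reminder",
     "urls": ["https://hospital.example/benefits"]},
]


def normalize_subject(subject):
    """Strip Re:/Fw:/Fwd: prefixes and collapse whitespace so variants match."""
    s = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", s).strip().lower()


def extract_indicators(raw):
    """Pull sender domains, URL hosts and subject out of a reported email."""
    msg = message_from_string(raw)
    domains = set()
    for header in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,);")).hostname  # drop trailing punctuation
        if host:
            hosts.add(host)
    return {"sender_domains": domains, "url_hosts": hosts,
            "subject": normalize_subject(msg.get("Subject", ""))}


def find_campaign_siblings(indicators, log):
    """Return (message id, matched indicators) for every log row that shares
    a sender domain, URL host or subject with the reported phish. The reasons
    list lets an analyst triage: a subject-only match deserves a closer look
    before quarantine; sender-domain plus URL-host is a confident hit."""
    hits = []
    for row in log:
        reasons = []
        if row["sender"].rsplit("@", 1)[1].lower() in indicators["sender_domains"]:
            reasons.append("sender-domain")
        if any(urlparse(u).hostname in indicators["url_hosts"] for u in row["urls"]):
            reasons.append("url-host")
        if normalize_subject(row["subject"]) == indicators["subject"]:
            reasons.append("subject")
        if reasons:
            hits.append((row["id"], reasons))
    return hits


if __name__ == "__main__":
    ind = extract_indicators(REPORTED_EMAIL)
    for msg_id, why in find_campaign_siblings(ind, MAIL_LOG):
        print(f"quarantine candidate {msg_id}: {', '.join(why)}")
```

Run against the constructed log, the script flags m1 (same sender domain, URL host and subject) and m2 (same infrastructure, different lure), and leaves the legitimate internal reminder and the unrelated newsletter alone. The one operational caveat: if your reporting button forwards the message inline rather than as an attachment, the original headers are lost and only the URL and subject indicators remain.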
There’s a problem, of course. It’s difficult to overcome inertia… it’s just easier for users to ignore malicious emails than it is to report them. And naturally, it falls to you to solve this problem.
Here’s my suggestion: Make “winning” as easy as it can possibly be.
Adding a simple “Report Phish” button directly to your users’ email client can dramatically increase employee reporting of suspicious emails. Whenever they think they’ve identified a malicious email, all they’ll need to do is click a single button, and it’s sent directly to your security team. Make sure the button forwards the original message intact (as an attachment, with its full headers) rather than inline, or the indicators your team needs to hunt the rest of the campaign will be stripped off in transit.
In other words, they get to win, and it was no harder than hitting the delete button.
But there’s more to winning than doing the right thing. Any time an email is reported, your users should immediately be praised for their vigilance, whether it’s correctly identifying a simulation, or reporting a possible real-world phishing lure.
This isn’t trivial. In my experience, these little touches have a dramatic impact on the proportion of malicious emails that are reported, rather than simply ignored.
Failure Isn’t the Enemy
If you decide to take the plunge and implement a program like the one I’ve described, you’ll see improvements almost immediately. But you know what you’ll also see? A lot of failure.
But you know what? That’s OK. Really, it’s fine.
Detecting phishing emails, particularly when they reach a high level of sophistication, is hard. Your program will naturally start out by teaching users to identify and report simple phishing emails, and even then you’ll see a lot of failure.
And when your users get good at detecting those simple phishing emails, what then? You up the complexity and they start failing again.
The truth is that whether you’re playing the clarinet or detecting phishing emails, failure is a natural part of the learning curve. If you’ve ever tried to learn something hard, you’ll already be keenly aware of this.
But what you might not realize is that in this case, failure is actually desirable.
Any time a user “fails” a simulation, they should immediately receive a multimedia training session, delivered via their web browser. The session should help them understand where they went wrong, and how to correctly identify that type of phishing email in future.
Imagine you’ve created a simulated phishing email like the one pictured in the original article at this point: a typical holiday-themed phishing email, which would easily fool the majority of untrained users.
Let’s imagine you sent this as a simulation to your users. Naturally, some of your users would fail to identify it, at which point they would receive a digital training session that would help them identify holiday-themed phishing lures in future.
But that’s not where the process ends.
Later that same month, those users should receive a second simulated phishing email of the same type. This gives them a chance to put their learning into practice and enables you to target those users who fail a second time with an additional in-depth training session.
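To make the outcome model from the “Why Winning is Important” section and the retest-and-escalate loop above concrete, here is an added example (not PhishLabs code) that records each simulation, classifies every recipient as clicked, reported or ignored, computes the click and report rates for a campaign, and decides who owes a retest, who gets praised, and who has failed the same lure type twice and needs the in-depth session. Campaign names, lure types and user IDs are constructed.

```python
"""Track simulated-phish outcomes and schedule follow-up training.

Added example, not PhishLabs code. Campaign names, lure types and user IDs
are constructed; the rules follow the article: training on a failure, a
retest of the same lure type, and an in-depth session on a second failure.
"""
from collections import defaultdict

CLICKED, REPORTED, IGNORED = "clicked", "reported", "ignored"


def classify(user, clicked, reported):
    """A click is a failure even if the user reported afterwards (the report
    still helps the security team, but the behavior we are training is
    "report instead of click"). Reporting without clicking is the win."""
    if user in clicked:
        return CLICKED
    if user in reported:
        return REPORTED
    return IGNORED


class SimulationProgram:
    def __init__(self):
        # user -> lure_type -> outcomes in send order
        self.history = defaultdict(lambda: defaultdict(list))
        self.campaigns = []  # (name, lure_type, {user: outcome})

    def record_campaign(self, name, lure_type, sent_to, clicked, reported):
        """Record one simulation; clicked and reported are sets of user IDs."""
        clicked, reported = set(clicked), set(reported)
        results = {u: classify(u, clicked, reported) for u in sent_to}
        for user, outcome in results.items():
            self.history[user][lure_type].append(outcome)
        self.campaigns.append((name, lure_type, results))
        return results

    def campaign_metrics(self, name):
        """Click rate is what gets reported upward; report rate is the number
        that actually tells you whether the program is working."""
        for cname, _, results in self.campaigns:
            if cname == name:
                n = len(results)
                clicks = sum(o == CLICKED for o in results.values())
                reports = sum(o == REPORTED for o in results.values())
                return {"sent": n, "click_rate": clicks / n,
                        "report_rate": reports / n}
        raise KeyError(name)

    def needs_retest(self, lure_type):
        """Users whose latest result for this lure type was a click: they get
        the browser training module now and a second lure of the same type
        later the same month."""
        return sorted(u for u, by_type in self.history.items()
                      if by_type.get(lure_type, [])[-1:] == [CLICKED])

    def follow_up(self, lure_type):
        """What each user owes after the latest simulation of this lure type."""
        actions = {}
        for user, by_type in self.history.items():
            outcomes = by_type.get(lure_type)
            if not outcomes:
                continue
            latest = outcomes[-1]
            if latest == CLICKED and outcomes.count(CLICKED) >= 2:
                actions[user] = "in-depth training"     # failed the retest too
            elif latest == CLICKED:
                actions[user] = "training module + retest"
            elif latest == REPORTED:
                actions[user] = "praise"                 # reinforce immediately
            else:
                actions[user] = "none"  # ignored: no click, but no report either
        return actions


if __name__ == "__main__":
    prog = SimulationProgram()
    prog.record_campaign("holiday-1", "holiday",
                         ["alice", "bob", "carol", "dave"],
                         clicked={"alice", "bob"}, reported={"carol", "alice"})
    print(prog.campaign_metrics("holiday-1"))
    print("retest:", prog.needs_retest("holiday"))
    prog.record_campaign("holiday-2", "holiday", ["alice", "bob"],
                         clicked={"bob"}, reported={"alice"})
    print(prog.follow_up("holiday"))
```

In the constructed run, alice clicks the first holiday lure and then reports it; she is still recorded as a failure, gets the training module, and is retested. On the retest she reports without clicking and is praised. bob clicks both and is escalated to the in-depth session. dave never clicks but never reports either, which is exactly the “ignored” middle ground the article warns against treating as a win.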
Slow and Steady Wins the Race
If you’ve been paying attention, you’ll no doubt realize that the process I’ve described in this article isn’t an overnight fix for all your security problems, and it’s not a one-shot solution.
No, this approach is one that you’ll need to work at over time. You’ll see results almost immediately, yes, but in order to really reap the benefits of a powerful security behavior training program, you’ll need to invest in it for the long haul.
Over time, your users will dramatically improve their ability to identify and report incoming phishing emails. When new employees come along, they’ll quickly learn that your organization takes phishing defense seriously and that they’ll need to do the same if they want to get ahead.
Will you ever be able to confidently say that 100 percent of phishing emails are identified and reported? Of course not.
But what you will be able to do is save your security resources for the small number of phish that do make it through the net, and jump all over them. And as a result, you’ll massively reduce the likelihood that your organization will become “just another healthcare data breach headline.”