Daniel Buchanan: Hello and welcome to the Stringfellow Technology Group webinar series. This is our educational series that we provide for our clients and non-clients as a way to educate you about different issues that are important in healthcare IT.
So the issue we’re discussing today is the top five cyber threats to healthcare. I’m joined today again by Edward.
Edward Stringfellow: Hey everyone. How are y’all doing? Excited to be here. These top five threats actually come from the Health and Human Services report. They updated it just recently for 2023.
So this is very relevant and timely. It’s very important that you have awareness about what’s going on in the threat landscape.
Everybody’s been security’d to death. We all agree: security’s a big deal. Today we’re really gonna just be talking, literally, about awareness of the top five things that you need to understand and be aware of. We’re not gonna talk solutions today. We’re not gonna talk about how to fix it. That’s not what this is.
This literally is just awareness for the folks that you work with. You know, I hope this video can be shared with them so that they can understand, hey, here are the things we need to be thinking about in our organization.
A caveat is that everybody’s in a little bit of a different situation.
When we get to the solutions point, it’s not necessarily cut and paste. If you have specific questions, that’s always a great time to reach out to us, because specific instances might require a little different solution than just a cookie-cutter solution.
Anything else to add, Daniel, before we jump in?
Daniel Buchanan: Every situation is different, and this is not specific advice for your clinic. If you want specific advice, reach out to us. We’ll be more than happy to talk to you.
Edward Stringfellow: Why does this matter? The reality is it matters because since 2021, there has been a 1,000x increase in attempts: phishing, hacking, email, everything.
So it can happen to you. This is really happening on a daily basis. Local clinics in our Nashville area have been affected.
Nationwide, they’re affected. 32 million healthcare records are currently compromised. Why it’s important to have awareness of these top five issues is because, for most practices, $9 million is the average loss from a data breach: a huge financial impact.
And the second issue is that, on average, without some of this awareness we’re gonna talk about today, the hackers are in there for almost a year before they launch the attack.
So it’s very important that you have awareness of how they’re doing this, so that they’re not sitting in your system forever and then launching an attack. And those two numbers, to us, are the biggest drivers of this type of education. Money.
Yes. And it does cost money. I mean, in the HHS report that just came out, there was a practice. Rather than paying the ransom, it was an older group that ran the practice, and they literally shut the practice down. They said, forget it. Hospital systems said, we’re gonna have to pay it.
So they paid it, you know, so this is happening to practices of all sizes, not just hospital systems. And it’s important to understand, you know, what the top five things are that can happen. And so we’ll go over each one of these in detail, but generally, this is almost in order of importance too.
Generally it’s social engineering. We’ll get into that. That’s your phishing, your email attempts; vishing, which is where people are calling. Ransomware: so typically they use phishing, and now ransomware, they’ve encrypted your files, right? And you don’t have access to either, you know, billing and claim files, your whole EHR, those types of things.
Loss or theft of equipment. Pretty self-explanatory. Insider and malicious threats. Again, decreasing kind of potential of happening. And then attacks against connected medical devices have also been highlighted. That one’s probably the least relevant to this audience, inasmuch as hospital systems are the ones that really have the most connected medical devices. Daniel, anything to add there? Is this making sense?
Daniel Buchanan: There’s just one thing I wanted to add, and I think we can kind of put this in the context of patient safety. I think the patient safety piece is really important. So, you know, doctors, medical providers take the Hippocratic oath and it’s like, do no harm.
And so you think about that in terms of prescribing medicine and prescribing treatments, but I think this also extends to your patient data. And so at the end of the day, we’re all consumers of healthcare. This is something that we all have to go into the healthcare system for, and none of us want the idea of our medical records, all of our sensitive information, our name, address, social security number, being leaked out into the wild.
So it affects every single person, but specifically providers and practice administrators. You know, we have an extra set of burdens on top of us because we’re in charge of all of this data and keeping all this data safe. And, you know, yeah, somebody can catch a cold or something from being in an office, but they could also get their personal identity leaked out onto the internet, which can affect them for the rest of their life.
They could lose their house, they could get credit cards taken out, like it could just go on and on and on. It can be really bad. So I think that’s important to frame up as well.
Edward Stringfellow: Really what we’re saying is technology is not a box over here and patient care over there at this point. It’s so integrated, it’s one thing. Caring for your patients is also making sure their information’s safe, which makes sense.
So diving in, the first one: oh, it’s the hacker with the hoodie on. But the reality is social engineering remains the number one way that people are breached. It can come in the form of phishing emails.
It can come in the form of vishing, which is where they’re doing voice calls. Microsoft will never call and ask for your password, but you’d be surprised how many people think that’s legitimate.
It can come in the form of text messaging. You know, I get at least three or four texts a week from “our staff,” asking for my credit card so they can buy gift cards for other staff members.
I think everybody at this point is kind of tired of hearing about this. But the fact remains, people are still clicking on the links, they’re still signing in. It becomes habit, and they’re still doing it. Security awareness and training around this is important.
And again, in another webinar, we’ll get into some very specific ways that we help groups solve and tackle some of these. But number one, social engineering, it’s still the number one, and I suspect it will be the number one cybersecurity threat for a while. We still operate very much based off email, especially with referrals and different provider systems.
And I mean, email’s still kind of the go-to communication method, and the hackers know this. So being aware that email is definitely continuing to be the top attack vector, I think, is important. Having your people understand that the average worker gets 80 emails a day, and it doesn’t take but one click.
It’s kinda like driving a car. Everybody has to drive a car, and everybody knows they’re dangerous, and we just kind of put the seatbelt on and go. But I think sometimes it’s helpful to refresh those safe driving habits, refresh those safe computing habits.
Does that make sense, Daniel?
Daniel Buchanan: I wanted to add as well, with the AI element that we’re all becoming more and more aware of, that this just gets scarier and scarier. It used to be that you could identify a phishing email through really bad, broken English by a non-native speaker. Now with AI, that’s not the case. They can sound like anybody they wanna sound like, and now they’re even getting to the point where they can call you and sound on the phone like somebody you know. So it’s a huge problem, and it’s probably not gonna go away.
A healthy dose of skepticism out of the gate is gonna really be helpful.
Edward Stringfellow: Let’s talk about number two: ransomware. They kind of almost go together, because a lot of times the social engineering is how they get in to then plant the ransomware. But the reality is ransomware is its own kind of issue, and it has its own set of protections that we’ll talk about in another webinar.
But the point is, they come in and they take your files, your data, whether it’s claims data, patient records, Word docs, Excel docs, practice documents that are in a file share. Your EHR, a lot of times, is on a server somewhere that can be encrypted.
The idea is that they encrypt the data. You can’t read it, you can’t use it. You know, they can encrypt the EHR files. Guess what: the EHR won’t work. And so you can’t get in. And the ransom piece of it is then they demand payment.
One group said, we’re not gonna pay, we’re just gonna shut the practice down, which is probably literally the worst-case scenario. Another group did pay and then got their files back.
The takeaway here is: just storing files wherever, not putting files in the place they’re supposed to be, storing files on your desktop computer, you know, just poor data hygiene in general, is not great. Because now all of a sudden I can encrypt, let’s call it the front scheduler’s laptop that had all our scheduling files on it.
It was an easy target. They weren’t supposed to be there, and now it’s encrypted, and now all our scheduling files are gone, as an example. So everyone needs awareness. If IT or your provider, whatever, said, hey, we need to store data in a certain place, you should do that. Because let’s hope that they’ve got it set up where ransomware won’t affect it.
And, or if it does, they can do recovery. And again, we’ll talk more about how to recover and stop some of this later.
Number one’s phishing, right? That’s how they’re getting in. And then a lot of times ransomware is next.
So it’s two-pronged, really. Those top two make up a large majority of what we’re seeing, but the phishing gets ’em in. And then ransomware: we’ve got data that’s encrypted, and we can’t, you know, we don’t have good backups. We don’t have a way to recover. So that’s what happens. But it’s important to understand, hey, I don’t wanna be storing files just anywhere.
I want to understand where my data is and control it so that we can back up and recover. So those two kind of go together.
Next up. And again, we’re kind of going down in prevalence. I wouldn’t say importance, but really we’re going downhill as far as what happens. You know, losing stuff has been going on forever, right?
The hope for us is that mobile devices are encrypted, especially smartphones and external storage, that it is encrypted. So basically if it’s not signed in, it’s effectively useless. But still, a lot of folks are not doing that. So they’ve got laptops floating around. You know, the practice admin took her laptop to the coffee shop to catch up on some work because it was quiet.
And the next thing you know, the laptop’s not there.
It was connected to a VPN. Now they’re in.
What happens too? We’ve even heard of this. I know it’s wild, but just leaving your machine, not even lost, but just unattended, you know, they’ll go plant this. Somebody will sit down, plant the ransomware, and it sits in the systems for 350 days before anybody recognizes it. It happens just like that.
They get what’s called a command and control situation in your environment, and then they come back to you when they get to it. Right? And so it’s not even just loss and theft, it’s also just being mindful of where your machine is, where you are logged in, something as simple as getting up from the practice and walking, you know, maybe to the restroom or something like that.
Part of this is making sure that things auto-lock, that they’re encrypted, and those kinds of things. But we should all be aware that things do get lost, stolen, and not monitored. One of the other big things is, we get it, providers are very busy running around, especially if you have workstation-based exam rooms, and nobody wants to log in and log out, log in and log out. So we just stay logged in all the time.
Well, not great, right? Being logged in generically, it’s like you might as well have just lost it anyway, because it’s just sitting there, if that makes sense. Anything to add on missing stuff other than keep up with your stuff and watch who’s using it?
Daniel?
Daniel Buchanan: I mean, the main problem there is, yeah, not only have you lost your device, right? And it could be your personal device if you’re doing BYOD at work, which would totally stink, but it could also be the company device. And so, you know, computers are not cheap, and nobody just wants to buy new computers willy-nilly.
So, you know, it’s a huge deal. So I think it’s just, like you said, super important to just keep track of your stuff and then, you know, just treat that thing like it’s got access to all your patient records, because it probably does.
Edward Stringfellow: It can, for sure. And so it’s not even really loss, it’s loss of control, whether that’s physical control or operational control.
I think that’s probably the more important thing. I think a lot of groups understand not to lose their stuff, but they also just leave it lying around their house. Roommates, apartments, coffee shop. So just loss of control, I think, is maybe even a better way to think about that.
Moving on down the list here, insider threats.
So this is folks inside the organization. We really hope this isn’t going on. But an insider threat doesn’t have to be malicious. It can be accidental or unintentional. Regardless, it happened within the organization. These are probably the hardest to defend against, because we’re kind of getting into a little bit of just human nature, and people that need to be trained, and people not paying attention to policies and procedures.
So that’s where training comes in. So accidental and unintentional insider threats, that’s a lot of times training and then configuration of the environment.
The one that, in my opinion, is really difficult to defend against is the malicious one. If somebody intentionally wants to do the practice harm and they have access, that’s not great for a number of reasons.
There are some things you can do: principle of least privilege, making sure everybody has cybersecurity training, incident response, looking at access logs. If you’ve got somebody with malicious intent and they’re a scheduler, and then all of a sudden they’re logging into the billing side of your EHR or accessing patient records in an area they’re not supposed to be in, we should flag those things and look at that kind of stuff and ask some questions.
A lot of times the malicious part of it, unfortunately, comes from the IT side, internal IT, and we’ll address that in a later webinar about some things you can do around that.
So insider threats, ugh, just hire good people, and trust, but verify.
If somebody seems to be accessing things they shouldn’t, then a conversation is probably gonna be helpful there.
Daniel Buchanan: One more thing I would add to that is this can become a problem over time.
So a lot of times when companies are starting out, you know, it’s kind of all hands on deck, sort of, everybody does everything. And so, you know, everybody has access to everything. It’s kind of a flat file system. And so, you know, just early on, it’s important to have a partner, you know, to at least think about how you’re setting up your systems, who has access to what. And as companies get bigger and bigger, this can become a problem.
Because if you started out small and everybody had access to everything, and you get a little bigger, and then all the employees have access to all of the sensitive data, that can be a huge deal. And it’s not something people think about a lot of times. Right. Because they’re just thinking, well, they’re employees, they’re in the office, they’re good people.
And I’m not saying that they’re not, but even if they have access and they click on the wrong link that somebody emailed them, so it can be unintentional as well. But that’s a big part of this. It’s just kind of, you know, constantly assessing the way things are set up and making sure that people don’t have access to the wrong stuff.
You may not even have a way to track it. Edward, you mentioned, you know, checking in to see what people are looking at. There may not even be a system in place to do that. So, huge problem.
Edward Stringfellow: You’re a hundred percent right. As organizations grow, everybody was an admin of everything and did everything, and we just kept with that model. So now someone that literally just needs scheduling access has access to everything, because we didn’t spend the time to set up, you know, role-based access controls or what have you in the EHR.
Network-connected medical devices. This is most prevalent in larger, interconnected hospital systems. The majority of the practices that we work with certainly have medical devices that are on the network.
We, you know, blood pressure readers, a lot of our eyecare clinics, you know, there’s all kinds of imaging going across and being sent. So there are a number of connected medical devices which produce PHI, different than a hospital, though. I think the bigger threat here is: in a hospital system, those devices might be connected to a patient, and if they go awry, it can cause the patient to die.
We’re not seeing that as much in a non-hospital setting.
But I think it’s important to have awareness around this. There’s so much to do on the other four that we talked about. It’s almost like you’ve got limited resources in a lot of cases. So I think awareness is good. If you have a practice with medical devices, just be aware: if we’re just plugging ’em into the same network as everything else, we’d probably wanna have a plan to not have that go on over time, or at least just be aware and make sure that they’re secure.
Does that make sense?
Daniel Buchanan: It does. Yeah. I think that that checks out.
Edward Stringfellow: Yep. So, you know, today the goal was to kind of talk about the top five cybersecurity threats in healthcare. And we didn’t make these up. This again came from Health and Human Services. They do this document every couple of years.
They just refreshed it. And these have come out, there’s some crazy statistics about how it’s, you know, 1,000x on the emails and stuff, because the criminals, you know, whatever works, they’re gonna keep doing. So just to recap, top five. These are in order of what we would look at and address as part of an engagement with a client.
Social engineering: phishing, vishing, all that. You know, that’s really top, number one. Most groups are aware of it. Most groups are doing something, but it’s still not perfect. And I think the biggest missing chunk there is the security training and awareness, which leads to ransomware, either through the social engineering or just directly.
That’s really the worst part of it. So that’s their end goal: encryption of files, and how do we recover? I think recovery is what people miss. People say, oh, we’ve got backup, but they don’t have recovery. So ransomware, really big threat.
Loss of control of your equipment or data. So whether you actually lose the laptop or just lose control of it: same thing.
Insider, or accidental. Talked about that. That could be accidental, hopefully, mostly malicious we talked about, that’s probably one of the harder ones to figure out.
And then the last was the connected medical devices. So those are the five, the top five as identified.
You need to have a plan to address all of them in the right order, in the right priority, depending on what type of practice you are. That is something Stringfellow does each and every day: talk to people about their situation and what’s going on. If you have any questions, please feel free to reach out to us. You can email learnmore@stringfellow.com.
Obviously you can go to our website, also stringfellow.com, to learn more, and there’s a Contact Us button there. And then you can just give us a phone call at the number on the screen here, (615) 386-4920.
Call us up, and we would love to have a discovery call with you, understand what your concerns and needs are, and see if there’s something we could do to help.