HEALTH TECHNIQUE: Why is healthcare such an attractive target for cybercriminals?
GOODEN: Protected health information is coveted. It’s worth a lot of money on the dark web, even more than traditional sources of predation like credit cards, personal information, and social security numbers. Health information has it all and is very valuable to bad actors.
HEALTH TECHNIQUE: What kinds of threats do healthcare organizations face? Can you give some examples?
GOODEN: I would say that around 85 percent of all attacks against healthcare organizations are sent via email as the primary vector. Most of it is some form of ransomware. There are also brute force and drive-by attacks, where they organize attacks against firewalls and the external perimeter.
HEALTH TECHNIQUE: We often hear that humans are the weakest link in cybersecurity. What is social engineering and how is it used by criminals to breach systems?
GOODEN: You have decoys. Humans are curious. Bad actors are creative and are always thinking of cool ways to earn their credentials. They will ask you to click on a link or a file that will download something to your endpoint device. Everything is based on human curiosity. Social engineering feeds on that and creates lures in a way that makes them appear attractive or necessary to interact.
HEALTH TECHNIQUE: What can healthcare organizations do to assess their risk and identify vulnerabilities?
GOODEN: Every organization is different. The first thing to do is make sure you have basic lock and board technologies. Do you have a firewall? Are your email systems running through a threat filtering gateway? Are you looking for where attackers may come from and are you using threat hunting? If you have building blocks in place, you’ll want to spend your time looking at the controls that are poor.
HEALTH TECHNIQUE: Why is organizational culture such an important component of cybersecurity?
GOODEN: For the social engineering component. It’s not just about top executives; these lures can go to anyone with active credentials. There are individuals who, by virtue of bad practices, become an internal threat to themselves. Cybersecurity begins with the end user, and education and awareness are essential. You may have the best technology and penetration testing in place, but personnel simply become the vector in your chain of attack without a situational awareness training program.
HEALTH TECHNIQUE: What type of cybersecurity is in place at Seattle Children’s?
GOODEN: We have next-generation firewalls and methods for observing traffic movement and anomaly behavior. We carry out operations 24 hours a day, 7 days a week in search of possible anomalies. We have also managed endpoint technologies that look for endpoint and infrastructure anomalies. We manage our emails that arrive through corporate email gateways. In addition, we have a physical security practice to ensure that all cameras and medical devices are managed. It’s a pretty comprehensive set of things that happens 24 hours a day, seven days a week, 365 days a year.
HEALTH TECHNIQUE: How does a healthcare organization rate the performance of its cybersecurity efforts?
GOODEN: There are a couple of different ways. You can run annual tests on your environment and have external audit groups audit the effectiveness of your security controls. They can report on what they call governance, risk management and compliance (GRC) to consider the maturity of security controls and how you score against that. That’s more for higher-level reporting, and you use it to establish your organization’s risk on a daily basis.
HEALTH TECHNIQUE: Why is it important for healthcare organizations to continually reassess their risk and evolve?
GOODEN: Advanced groups of persistent threats are constantly innovating. They have an organizational structure, operate like for-profit businesses, and attack constantly. It is easier for them to attack than to defend. We must regularly ensure that we are investing in appropriate next-generation technologies, that we are constantly auditing and testing the controls we have in place, and that we know who is really attacking us. Reinvestment is a constant theme. If you understand who is attacking you, you can put the controls in place and adapt them over time. They only have to get it right once. We have to get it right every day, 100 percent of the time.