Cyber Attacks Focus On Healthcare

Healthcare is now the most vulnerable industry to data breaches, with 328 breaches in 2017 alone (accounting for 60% percent of all breaches last year). The total estimated cost of these breaches reached $1.2 billion.

In 2017, we witnessed large-scale phishing attacks targeting health-care employees leading to the theft of patient data at both Morehead Memorial Hospital and Washington University School of Medicine.

In both attacks, phishing emails were used to obtain login credentials to staff members’ email accounts.

Later in the year, PII (personally identifiable information) of 18,470 patients at Henry Ford Health System in Detroit were exposed due to theft of credentials of a group of employees. The PII was protected using a single factor of authentication (a password) and encrypted at rest.

Through just these few examples, we can see that, despite the complexity of security technologies and investments like data encryption, and network and endpoint security, the most common and effective attack vector is still stolen user credentials. According to the 2017 Verizon Data Breach Report, 81% of data breaches are due to compromised or weak credentials.

Many of the organisations that understand this turn to two-factor authentication (2FA) to strengthen defense against stolen credentials. While simple 2FA helps raise an organisation’s security profile, many commonly deployed 2FA methods are insufficient to fully protect users and data and are easily circumvented.

On its own, 2FA will protect you some of the time but not all the time. Which is fine if you only want some of your organisation protected.

But it can be circumvented by attackers through:

  • Real-time phishing, which coerce a user into giving up their username, password, and one-time passcode by asking them to log into a phishing site or click a malicious link
  • SMS and voice call interception, where an attacker exploits the mobile carrier networks
  • Malware that uses malicious code to scrape SMS one-time passwords
  • Phone number porting fraud that uses social engineering methods to coerce a cellular company’s representative into issuing the attacker with a new SIM card or moving the victim’s phone number to a SIM card that the attacker already has
  • Out of band push-to-accept mechanisms, which essentially relies on bombarding an end-user to click ‘accept’ to make bothersome requests go away

Healthcare providers can strengthen authentication methods by adopting the following:

  1. Implement adaptive authentication and risk analysis, such as analysis of the user’s geographic location, device recognition, analysis of a user’s IP address, and applying machine learning to look for anomalous behavior of the user’s credentials. This provides the highest identity security without impacting user experience. Users are only burdened with an additional authentication step if risks are present. This validates authentic users, like doctors and nurses, while blocking attackers with compromised credentials.
  2. Phase out hard tokens to utilize self-service tools when possible while considering the total cost of ownership., Nurses, doctors and staff can access their data wherever they are through routine mechanisms by evolving to more modern authentication techniques that identify users through elements such as behavioral biometrics.
  3. Prioritise the most flexible solution with the most future potential instead of relying on a quick fix. Choose integration-friendly solutions that maximize existing security investments from a vendor who can be a partner in both security and EPCS & HIPAA compliance. Only then will you achieve an accurate holistic view of all security threats and save considerable effort in compliance audits.
  4. Provide the best possible user experience by building safeguards against human fallibility. By only requiring action when risk factors are high, teams balance security needs with user preferences. Utilize identity signifiers instead of passwords to empower physicians to access data and treat patients without having to call the help desk or initiate an online support ticket.

2FA is not strong enough to protect against even unsophisticated cyber-attacks. Clearly, busy healthcare workers need secure solutions that don’t inconvenience them as they tend to time-sensitive patient problems.

IT decision makers in the health services and patient care industry should strongly reassess their approach to authentication in order to keep their data and organisation out of the cybercrime spotlight.

InfoSecurity Magazine:   Image: Nick Youngson

You Might Also Read: 

Fixing Hacks Has A Deadly Impact On Hospitals:

NHS Trusts Failed Cyber Security Assessment:

 

« How AI Will Define New Industries
UK Launches Cyber Attack On Islamic State »

Directory of Suppliers

Tenable Network Security

Tenable Network Security

Tenable Network Security - Need to Evolve to a Risk-Based Vulnerability Management Strategy but Don’t Know How? This Guide Will Show You.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Lunarline

Lunarline

Lunarline is a leading provider of cyber security and privacy solutions, specialized services, and certified cyber security training.

Juniper Networks

Juniper Networks

Juniper Networks is the industry leader in network innovation. We provide network infrastructure and network security solutions.

Bryan Cave LLP

Bryan Cave LLP

Bryan Cave LLP is a global business and litigation law firm. Practice areas include Data Privacy and Security.

RoboForm

RoboForm

RoboForm's industry-leading encryption technology securely stores your passwords, with one Master Password serving as your encryption key.

Infrascale

Infrascale

Infrascale specialise in providing cloud backup and disaster recovery services.

ISHIR Cyber Security

ISHIR Cyber Security

ISHIR Cyber Security is a Managed Security Services Provider (MSSP) providing outsourced cyber security services to mid-market and enterprise companies.

COMPASS Cyber Security

COMPASS Cyber Security

COMPASS is a professional services firm offering cyber security, program management, and technical services to academic, federal government, non-profit, and commercial clients.

DQM GRC

DQM GRC

DQM GRC are one of the UK's leading providers of data governance, e-privacy and GDPR services, to commercial organisations across all industries in the UK.