Guest post by Mac McMillan, CEO, CynergisTek.
There is no doubt about it: healthcare as an industry is absolutely reliant on its systems environment and electronic information, to the point that efficiency, safety and productivity are affected any time it suffers a disruption. Yet it seems we are destined to incur disruptions more often than not because of our own actions or inactions.
This article takes a somewhat tongue-in-cheek look at some of the naïve or bad behaviors, misconceptions, short-sighted decisions and mistakes we make that contribute to making our own data security situation more difficult.
The list of examples here is virtually endless, from having too much confidence in vendors to underestimating employees to naïve beliefs about the internet, social media and applications. Hundreds of hospitals blindly relied on a vendor to process their billings without once questioning the company’s security practices. They were surprised when their revenue cycle was interrupted because that company suffered a ransomware attack. Other healthcare entities have found themselves embroiled in breach investigations when subcontractors they never knew existed lost their data, some of them overseas.
Expressing surprise may be a realistic response, but it’s hardly an acceptable excuse for a lack of due diligence. Few organizations watch the folks who represent the highest risk to their systems and information – those with elevated privileges. Examples abound of administrators who became saboteurs. What is amazing is the almost immediate reaction when these kinds of things happen: how could we not be auditing these folks? It should be pretty simple to answer this question when they are usually the ones responsible for auditing. And then there is the internet and social media. The first myth organizations fall victim to is, “we’re too small to attract anyone’s attention” or “no one is looking at us.”
Most attacks from the internet are indiscriminate, automated probing of systems looking for anyone vulnerable. You’re right, they are not looking for you specifically, but if you are connected they may find you. Last but not least is the naïve belief that there is actual privacy on social media and applications simply because they tell you there is. Weekly we hear about another app compromised or information leaked from a site thought to be secure. There is no such thing as foolproof security, and apps, even ones named “secret,” should be approached with caution.
Organizations make bad decisions all the time based on misplaced or erroneous perceptions of risk, or just plain disregard for the risk. Bad decisions though, regardless of the reason, are still bad decisions. How about underestimating the risk from USB ports?
Organizations routinely underplay the fact that these ports, left unprotected, can be the source of information loss or the import path for malware. We encrypt mail and laptops, and maybe even provide encrypted USB drives, but fail to manage the ports themselves. In complex environments it’s also easy to be overwhelmed by what seem like routine chores, like documenting all changes. Someone says it’s a routine change, it only affects one system, or the vendor is just applying a regular update… implying that it doesn’t have to go through change control and thus does not get documented. There is also underestimating the risk when we acquire another entity. This risk comes in two forms. The first is the acquisition without the assessment, or rushing the acquisition so that assessment is not possible, and assuming the risk blindly.
Many entities have learned the downside of this lesson through their experiences acquiring physician practices. The second is conducting the assessment during due diligence but then not addressing the findings before or immediately after acquisition. Consider learning that the entity you just acquired has several unprotected desktops storing millions of records, and deciding to let them be replaced according to schedule instead of securing them immediately, only to have someone break in and physically steal them, causing a major breach. We also ignore things we learn in risk assessments, like identified physical security weaknesses, and choose to accept the risk instead of the cost of remediation. Someone takes advantage of that weakness and breaks in, but no patient information is involved. We decide to ignore it again because it’s still going to cost to fix, and what are the chances lightning will strike twice?
Another break-in occurs, and this time the thieves grab several systems with patient information on them, and we have a breach to deal with. Bad decisions don’t get better with time.
Other Silly Things We Do
Human beings have an enormous capacity for finding ways to break things, particularly computers, and unfortunately are also incredibly gullible and susceptible to curiosity, making them priority targets for would-be attackers. Just consider the spike in phishing and spear phishing attacks this year.
Hackers prey on all manner of emotions in phishing attacks, from curiosity to greed to sexual proclivity to apathy to sorrow: the email with the attractive person, the opportunity to win the prize of a lifetime or easy money, the one counting on a lack of attention, or the one targeting family members and friends after a funeral. Rather despicable, but it happens.
Hackers know that users are busy, preoccupied or tired, and that they just don’t look at their mail that closely before they click. Honest people make honest mistakes, but mistakes nonetheless. Attackers who engage in social engineering count on both the culture of healthcare and workers’ unwillingness to confront them to do what they do. In fact, the most powerful tool a social engineer has is their smile. We’ve all heard the old saying, “smile and the world smiles back,” but did you know it also opens doors? The point is that not everyone who smiles or makes you feel good is a friend, and if they don’t work with you they should be challenged.
We could go on and on, but I think you get the point. When we don’t plan, don’t think, don’t assess, and when we procrastinate, rationalize, or trust without verifying, and basically take for granted the risk we know or suspect is there, we strengthen and empower the threat. Bad actors, criminals and even chance are counting on us to do just that, to make their jobs easier. Think, act, react… take back the advantage.