In this episode, we welcome back Wade Wright, Chief Technology Officer at BESLER, here to discuss cybersecurity as it pertains to healthcare.
Highlights of this episode include:
- Most common types of cyber attacks in healthcare
- Difference between a ransomware attack and a data breach
- How do hackers gain access to healthcare data
- How can healthcare providers improve cybersecurity
- Suggestions to improve security
- What BESLER is doing
Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. . Today we have Wade Wright, the chief technology officer at BESLER, here to discuss cybersecurity as it pertains to healthcare. Thank you for joining us today, Wade.
Wade Wright: Thank you very much. It’s always an honor to be here.
Kelly: We’re just going to jump right into it today. Wade, what would you say are some of the most common types of cyber attacks in healthcare today?
Wade: The first one would be ransomware. This is a type of malware that encrypts the victim’s files and demands that a ransom be paid in order to get them decrypted and the information given back. This is the most common attack that we see today, and you’ve probably seen several of these mentioned in the news, not just with healthcare but across the board. The second type of attack that we see frequently falls under the social engineering attack vector. This is the type of attack that uses a psychological manipulation to trick people into revealing sensitive information or perform an action that grants the actor access to your systems. A particularly common kind of that is known as phishing. This is a type of social engineering attack that uses email or other communication methods to trick people into revealing sensitive information or by clicking on a malicious link in an email. Closely related to that is what is known as spear phishing. And this is a type of phishing attack that is targeted at a specific individual or perhaps a group, like a department in your organization. For an example, a bad actor may spoof the CEO’s email address and attempt to get the finance department to wire money to their account. And lastly, it’s been around for a very long time, is a trojan type of malware. This is a type of malware that masquerades as a legitimate file or program in order to trick users into executing it, which then can allow attackers to access your system.
Kelly: Some of those sound quite scary. Will you elaborate on the difference between a ransomware attack and a data breach?
Wade: Sure. When you suffer a ransomware attack, hackers encrypt your files and demand a ransom be paid in order to decrypt it. This can happen to individuals as well as organizations. We’ve seen a very large increase in these types of attacks against facilities because they’re more likely to pay the ransom. A data breach, on the other hand, is when sensitive information is stolen or accessed without the owner’s permission. This could happen through ransomware, hacking, social engineering, and even physical theft of a laptop or server. In healthcare, we all worry about the breach because it has our patients’ PHI involved. The fines and penalties for us in healthcare dwarf the problems that are caused by well-known breaches to companies such as Facebook, Yahoo, Twitter’s a big one back in 2018. They may expose 300 million records. About the worst that happens to them is that they get a black eye in the media. But in healthcare, with HIPAA, we could simply have 300 records exposed, and that could shut down your company or your hospital.
Kelly: It’s very true, yes. How do hackers gain access to healthcare data?
Wade: The primary approach is typically through various types of social engineering, which at its heart is just tricking an employee into granting the bad actor access to their employer systems. The most common vehicle is phishing events, which come in many different varieties, a couple of which I talked about already. But the most common one we see here at BESLER involves a scam where someone will pose as our CEO, Jonathan Besler, asking an employee to perform some task or click some link to download a file and email it to him because he’s on-site at a client and he’s not able to do it for himself. When they click the link, they’ve triggered the malware, which begins to perform whatever malicious task it was designed to do. Luckily, everyone at BESLER knows Jonathan doesn’t do this. He doesn’t ask for those kinds of things, and it’s because we train for it frequently. Another approach that bad actors use to gain access to healthcare data is simply to make a phone call and pose as some authority figure in the organization, especially larger organizations where you just simply don’t know everybody. The bad actor can call a manager and say, “Hey, this is Wade in IT. I see you’re having some problems with your computer. Give me your login credentials, and I’ll fix this for you right away so you don’t get in trouble.”
New employees are the most vulnerable to this type of manipulation. They don’t really know what the social norms are at the new employer, and they certainly don’t want to look foolish on their first few days at work. So, a savvy bad actor can simply look at someone’s social media or even LinkedIn and see that Jennifer started a new job at Lone Star Memorial Hospital, and he’s got a great target now. He can call the company’s main phone line, ask to speak to her so that he can then attempt to manipulate her into giving away her credentials. And due to her newness and likelihood of not pushing back, he has a decent chance of executing that. That’s why security is a large portion of our onboarding process. Not only do we make sure that they have the tools in place that they need to be secure, we also make sure that they feel safe reporting something that seems fishy or just plain feels off.
Kelly: Yes, I will attest to you and your team do a great job of preparing us for that. And how can healthcare providers improve their cybersecurity posture?
Wade: First and foremost is training. And I don’t mean training for your IT or security staff. I mean training for everyone in your organization. Your people can be the weakest link or they can be your greatest defense. Here at BESLER, we go to great lengths to train everyone in improving our security. We have both monthly training sessions along with quarterly training. As a result, our security team can quickly respond to threats identified by any of our employees. And while we have some great technology in place to protect us, it just simply cannot replace smart and savvy employees.
Kelly: So very true. Yes. What other suggestions do you have for an organization to improve their security?
Wade: One of the most effective techniques and training exercises that we’ve started using at BESLER is a tabletop simulation game. Basically, we have a group of people from different parts of the company get together to simulate what they would do in case of a cyber attack. To prepare for this exercise, we’ll designate someone from IT who will be playing the bad guy in this case. He or she will put together some type of nightmare scenario before we actually get together that only that person knows. This could be a ransomware attack, a successful phishing scheme, or perhaps a disgruntled admin. The more extreme the scenario, the more holes you will find in your current plans. So, what happens is the rest of us play against the bad guy using our skills, the training that we have, and the extremely important business continuity plan. This particular technique of doing this gaming exercise has allowed us to expose many little cracks in our plans that we’ve been able to address and fix. The key is to have people from all different parts of your organization so that everyone can see it from different perspectives. You’ll be surprised at what you uncover.
Kelly: I bet. Those are some great suggestions. Can you share one of the things BESLER has learned doing this or is that proprietary and confidential?
Wade: Well, most of it is certainly proprietary. I can share one thing that we learned. In our first drill, we played out what happens if you fall victim to a ransomware attack and all of our files are corrupted. We had very solid plans for what we would do from a technical standpoint, including shutting everything down in an attempt to contain the spread of the attack. After patting ourselves on the back a little bit for our cleverness, we knew that the next step in our procedure was to execute our continuity plan that we had spent months fine-tuning. The only problem was that it was only in electronic form on a server we lost encryption already. So, we learned a simple lesson of needing to have a couple of hard copies that we could retrieve in the event of a complete shutdown of our system. That one little thing pretty much knocked all the smugness out of everybody involved. One little misstep like that can be the difference between surviving an event and not.
Kelly: That is a really great lesson. Thank you for sharing that with us. What five things would you suggest an organization do to get the most bang for the buck in regards to cybersecurity?
Wade: Number one, teach your employees about cybersecurity and the importance of it. Number two, get a good cybersecurity insurance policy. It will soon be impossible to do business without one of these, but more importantly, they will help you figure out what changes you need to make to be more secure because it aligns both of your interests. Also, they have most assuredly worked with organizations that have already suffered an attack and can provide very valuable insight from previous experiences. Number three, have a plan in place for what to do in case of a cyber attack, and make sure your plan includes the training for all the employees and what they do when it happens. Number four, test your plan regularly with drills and simulations. I know it will seem corny at first when you start doing it, but I guarantee your people will learn a lot from doing it. Number five, stay up-to-date on the latest threats and technologies. Cybersecurity is an everchanging landscape, so you need to change with it or you’re going to suffer from it.
Kelly: Now, Wade, I expected you to give some technical type of answers. You don’t have any of those?
Wade: Oh, I definitely do. I’m a techie at heart, so I’ve got a lot of nerd in me. Number one on that would be strong passwords. We’ve recently moved to requiring 13-character passwords since our old requirement of 8 can be cracked in about 8 hours these days. Number two, I would say it would be multifactor authentication. A username and password combo is just no longer enough to protect systems. I suggest adding a secondary factor, such as biometrics, which would be things like fingerprints and facial recognition. Also, add an authenticator application, which you can get those for free, or even an SMS one-time password. Each one of these has pluses and minuses, but any of those is better than none of those. Number three, don’t skip out on your security software. There’s a reason the better ones cost more than Joe’s Excellent Malware Scanner, Plus, Plus. They actually work and they will stop most attacks. And they also take much less of your time to manage since they are mostly hands-off once you get them configured initially. Number four, encrypt, encrypt, encrypt. Anytime you can encrypt your data at rest or in transit, do it. This includes whole disk encryption, fields in your database, file encryption, and email encryption. And lastly, in a modern era where we have remote workforces all over the place, require using a VPN to access any of your internal systems. While it doesn’t guarantee your safety, it will massively reduce the number of ways you can be attacked across the internet.
Kelly: Wow. Wade, thank you so much for your time today. We really learned a lot of valuable information about cybersecurity.
Wade: Thank you very much. I always enjoy being here.
Kelly: And thank you for joining us on the Hospital Finance Podcast.
[music] This concludes today’s episode of the Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.com/podcasts. The Hospital Finance Podcast is a production of BESLER, SMART ABOUT REVENUE, TENACIOUS ABOUT RESULTS.
If you have a topic that you’d like us to discuss on the Hospital Finance podcast or if you’d like to be a guest, drop us a line at email@example.com.