Implementing cyber hygiene best practices in healthcare
Applying best practices for cyber hygiene and employee security training can help healthcare organizations effectively mitigate cyber-risk.
Cyber hygiene is essential to keeping data secure and minimizing the risk of a cyber incident. In healthcare and other industries, cyber hygiene is the foundation of a strong cybersecurity posture and a resilient digital ecosystem.
Cyber hygiene in healthcare is especially relevant considering today's cyberthreat landscape. In 2023, more than 540 organizations reported healthcare data breaches to HHS, impacting upwards of 112 million individuals. While good cyber hygiene might not always prevent a breach altogether, it can minimize the destructiveness of a malicious cyberthreat actor, allowing for better response and recovery.
Healthcare security leaders face the challenge of instilling a culture of cybersecurity within their organization among competing priorities.
Security teams are often the most focused on good cyber hygiene in their day-to-day roles. However, it is the responsibility of everyone across the organization to prioritize security, from doctors and nurses to those in administrative roles. Anyone with access to key systems should undergo security training. What's more, HIPAA requires healthcare organizations to maintain a security training program.
Organizations can maintain security awareness by hosting virtual or in-person training sessions, sending out email newsletters to staff about password hygiene and other best practices, and rewarding positive security practices.
In this episode of Healthcare Strategies, we discuss common social engineering attacks used against healthcare, how healthcare security leaders can instill cyber hygiene best practices in their organizations and other strategies for strengthening healthcare cybersecurity. Listeners will learn about strategies that leading organizations use to minimize risks to sensitive data, promote cyber hygiene and spread awareness about cybersecurity.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
Kyle Murphy: Hello and welcome to Healthcare Strategies. Today we are talking cyber hygiene and best practices healthcare organizations should implement to protect sensitive data, maintain system integrity and prevent breaches in an increasingly digital environment. This is Kyle Murphy, vice president of editorial at Xtelligent Healthcare, and I am joined by Healthtech Security, formerly HealthITSecurity, associate editor and rising star Jill McKeon. Jill, how are you doing?
Jill McKeon: Good, how are you?
Murphy: It's always good. All right, so let's get into today's conversation. Let's kick it off with social engineering, but before we get too deep into it, do you want to define social engineering for our audience?
McKeon: Yeah, so social engineering attacks are a really popular attack vector in healthcare. These types of attacks usually rely on human interaction, involving a threat actor manipulating someone to get them to bypass security procedures and gain unauthorized access, usually for financial gain. We saw this a lot during the COVID-19 pandemic with elaborate phishing schemes about vaccine availability and things like that in the healthcare sector.
Murphy: People are very gullible. They are the weakest link. We know this time and time again. You can have the most secure system, but when people have Post-it notes and click on links, they can easily make a system vulnerable. Staying on that topic for a moment, what are some of the common social engineering techniques that are being used against healthcare organizations and their employees?
McKeon: I'd say phishing is probably a type of social engineering attack you've heard a lot about. It happens over email, where a threat actor will send an email that often looks real but contains a link that might install malware on the victim's computer, and then from there, they can traverse through the network. Some other variations of phishing include spear phishing, which targets a specific individual, and then whaling, which involves targeting a high-level executive to get them to give up sensitive information. Social engineering can also be offline. It can be as simple as someone following someone into a building after they swipe their key card and gaining access that way.
Murphy: We also know with generative AI that there's a lot going on in terms of making social engineering attacks seem much more legitimate. So, it requires organizations to be a lot more vigilant, I would say, in terms of how they educate their staff. We always look at industry leaders, leading organizations. What have you heard about what they're doing in terms of safeguarding their infrastructure, their employees, their patients and just data in general when it comes to social engineering attacks?
McKeon: From a technical perspective, there are a lot of email filtering tools that can detect phishing and prevent it from reaching the victim's inbox in the first place. They are not completely foolproof, but using a secure email gateway can definitely help mitigate that risk. Then also encouraging employees to report suspected phishing emails is always good practice. A lot of organizations, as part of their employee security training, will send out simulated phishing emails that will set off a notification to the security team if an employee falls for it, and then they will get a communication about how to prevent that in the future.
Murphy: Obviously, you cover a lot of HIPAA, and HIPAA has administrative, technical, and physical safeguards to protect information, but we all know that really it comes down to education. Considering that we're focused on human behavior and how vulnerable that is for an organization, what have you heard in terms of what goes into good education? Obviously, you talked about training and simulation, but how do you get employees to take this seriously and understand the stakes?
McKeon: As you said, education is really the biggest piece there. Regardless of where you are in the organization, every employee needs to go through security training, and HIPAA does require that to some extent. So, what I've heard from organizations that I've spoken with is, if they have resources available, they might even craft targeted training content for different roles and responsibilities across the organization. There might be training specific to new hires or for executives or doctors and nurses. If there is an employee that works in a financial office processing important financial information, they are going to want to know how to prevent phishing from that angle as well. It's important to have targeted training for different groups within the organization.
Murphy: Do we have a sense of who are the most vulnerable targets? You just mentioned financials. Obviously, there's a lot of valuable information that bad actors would be pursuing, and then you talked about whaling with executives. Are there certain parts of the organization that seem to be prioritized as targets?
McKeon: I don't have any data on the specific targets within an organization, but it only takes one email to work in that way. So, I think a lot of these threat actors are just sending out these emails in bulk and hoping that someone bites.
Murphy: All right, let's talk about passwords, because passwords are really sexy and exciting. Cryptography and everything like that just makes everyone's world a better place, especially when you can't remember your password. So obviously, passwords are the weak link in many organizations. What are some of the password management best practices healthcare organizations can implement to strengthen security? Obviously, we know about multifactor authentication, but what else are organizations doing?
McKeon: Multifactor authentication is definitely a great first line of defense. A lot of organizations also will require you to change your password every 90 days so that if that password was impacted by a breach somewhere else and you're reusing it -- which is also not a great practice -- but that's a good way to mitigate that risk from there. Some other best practices for choosing a password are using complex characters, numbers, and, as I said, changing it often and never reusing it.
Murphy: It becomes really tough though when you run out of your favorite animals, your children.
McKeon: Definitely.
Murphy: Your birthday. That special character definitely pulls its weight. In terms of leadership, we talk a lot in healthcare about culture just for any type of change management as it pertains to cybersecurity. How important is leadership in terms of getting employees and staff to understand the seriousness of it among the internal staff, but then obviously, reputation ... healthcare organizations serve communities, they're integral parts of communities? What are some of the ways that leadership is leading the way when it comes to adopting and fostering that cybersecurity culture?
McKeon: Leading by example. Everyone in the organization should be essentially part of the security team. Whether you're an executive or a doctor or nurse, you are taking that training seriously. The trick for security teams that could be challenging is making that training engaging and not just having someone click through just to get to the end. So, recognizing that some people are more visual learners and they might implement videos or interactive games to keep people engaged or invested and just really emphasizing that every employee is a member of the security team and needs to be part of that effort.
A lot of organizations will also track the effectiveness of their training strategies. They might look at email open rates from the security team, and then if those are low, they will try a different tactic. At one larger organization I've spoken with, the security team will actually reward people for reporting fake phishing emails by giving digital coins that they can cash in for merchandise, which is not feasible for a lot of smaller organizations, but any way that you can keep security on someone's mind is a win.
Murphy: So, Jill, obviously, we talk about workforce shortages, challenges across healthcare that extend into the privacy and security departments at these organizations, and obviously, no two organizations are exactly alike. Some have more resources than others. How much do vendors complement or help organizations improve their cyber posture overall? What are you hearing in terms of what healthcare organizations are doing to engage with the vendor community about security?
McKeon: Vendors are a really important part of the cyber ecosystem. For better or for worse, implementing different tools can really help. They can also open organizations up to new risks, but regardless, working with vendors is an essential part of this ecosystem.
Murphy: Then obviously, there are business associate agreements that covered entities need to ensure that they have to protect themselves against those risks. The other question I really wanted to ask was ... in terms of ... how do healthcare organizations share intelligence with other healthcare organizations? Obviously, traditionally, some of these businesses, some of these companies have worked in silos. They've worked independently, and they don't necessarily share, but when it comes to cybersecurity, there are federal and state initiatives. What do you hear in terms of the value of organizations speaking to their peers and engaging with their peers? You were at RSA Conference. I'm curious what you may have heard about folks engaging other folks to learn a lot more and to be more prepared about what's out there.
McKeon: Something I hear a lot at these conferences is that it is really important to collaborate and recognize that all these healthcare organizations are on the same team fighting against these threat actors. I think using resources even from HHS, from Health-ISAC, a threat-sharing organization, those kinds of resources are really invaluable. Just keeping up to date on the latest threats and being able to mitigate those proactively rather than reactively.
Murphy: Then what is your sense in terms of, so organizations with fewer resources, what are the most obvious places that they can go to find information? What are their strategies, and I guess how does it differ for them compared to larger organizations?
McKeon: It can be a challenge for smaller organizations. Their security team might be one person, and that can be hard to implement all of these more complex training mechanisms that we've been talking about today. So, I think some of those strategies are really relying on that network of partner organizations that we've been talking about and using free resources that are available. There are downloadable infographics that people can just print out from the HHS website, post them in the hallway, and that's a good way to promote cyber hygiene. Anything that can really just keep it top of mind for employees. It doesn't have to be expensive.
Murphy: Let's close it out with cyber hygiene. But before we dig down this concept as well, do you want to talk about just cyber hygiene at a high level?
McKeon: Yeah. So cyber hygiene really refers to all of the things that we've been talking about with password best practices, really maintaining good authentication protocols, things like that. So it's been an organization-wide effort, as we've discussed.
Murphy: Now, obviously, there are some very important organizations that work in healthcare, really in the technology industry more broadly, that try to create and publish and share tried and true standards and guidance for healthcare organizations. What are some of those? Where should organizations be looking for that type of guidance when it comes to strengthening their cybersecurity efforts?
McKeon: The National Institute of Standards and Technology, known as NIST, is a really good place to start. They have the NIST Cybersecurity Framework, or CSF, which is a really comprehensive guide to governing and protecting data, as well as responding and recovering. It takes you through every step of security and also really stresses that security is a continuous process and not a box to check. They actually just released version 2.0 of their framework, which now includes a really detailed implementation guide and can be applied to organizations outside of critical infrastructure as well. So that is a really big development to keep an eye on. Additionally, some lawmakers are making an effort to really reduce cyber-risk in the sector. A few of them recently introduced the Healthcare Cybersecurity Act, which would formalize relationships between key agencies like HHS and the Cybersecurity and Infrastructure Security Agency to help these organizations respond to cyber incidents and really bolster the sector's efforts to improve security.
Murphy: That concludes today's episode. Jill, thanks for joining us today. I really do appreciate it. Always good chatting with you.
McKeon: Awesome. Thank you for having me.
Waddill: And thank you, listener, for tuning in. If you liked what you heard, head over to Spotify or Apple and drop us a review. We'll be choosing some of our reviews to be read on the show in appreciation, so keep listening through to the end because you might be name-dropped. See you next time. Music by vice president of editorial Kyle Murphy and production by me, Kelsey Waddill.