The continued onslaught of cybersecurity attacks which if anything are only getting worse have impacted the healthcare system in dramatic fashion with the payment network brought down by the attack on Change Healthcare.
Healthcare under Cyber Attack
I keep hoping that we all get better at combatting these attempts to breach our data and that overall vigilance rises as we become more wary of potential attacks for business and on a personal level. But the recent Change healthcare security breaches suggests that this is not happening and if it is certainly not fast enough.
Beware the Target on Healthcare’s Back
It should come as no surprise to anyone listening that healthcare has a big target on its back for all the hackers worldwide. Think about it – our data banks are filled with names, addresses, social security numbers, credit cards, and email addresses not to mention personal clinical information.
That’s a veritable treasure trove of rich high-quality sellable data.
Change Healthcare is just the latest high-profile attack that was particularly debilitating thanks to the widespread use of its payment systems in healthcare. But we seem to have some very short memories – it was not that long ago that Petya and NotPetya brought down systems worldwide including large tranches of the NHS.
While we have seen some national responses including the recent Cyber Incident Reporting Act which requires registered companies to disclose “material” cybersecurity incidents we are still quite clearly falling far short of securing our data.
And, to borrow some words from Joe Strummer, the lead singer in the Clash – “this is NOT enough”
The problem is not just healthcare data or business systems, it affects individuals like you and me. Most of us are familiar with one of the original attacks, the so-called “Nigerian 419” scam – named after the Nigerian law that prohibits it.
The stories just keep on coming of individuals spoofed into handing over access to their accounts, and in one recent story putting fifty thousand dollars cash into a Shoe Box and handing it over to a total stranger.
The truth here is indeed stranger than fiction
Think you would never do something that foolish – think again
Even for so-called experts in the field of security who know better, they have been caught out.
Here’s what I would tell you – if you have not been subject to an attack, then just wait.
You will.
It is only a matter of time before this comes knocking on your door. And if you are in healthcare, remember there’s a bigger target on your back.
Tales of Cybersecurity Survival
In my own personal case, I found myself on the end of an attack on my bank account using a technique known as SIM-Jacking. The process whereby the hackers take control of your phone calls and messages by activating an illegally acquired SIM Card for your phone number. They don’t need access to your actual phone or its data. They just take over your number and using standard password reset processes that many institutions still insist on using – sending text messages to your phone, with that code, resetting your passwords, and gaining control of your accounts. I survived but only just, and I wrote a detailed post-mortem of that attack titled: 3 Minutes to Financial Ruin
I am hoping everyone will be more vigilant and wary of potential attacks and attempts to breach security in their business and on a personal level.
But bear in mind that your adversaries know this and will do everything to lure you into a false sense of security. Hackers continue to up their game and their innovation knows no bounds. In fact, they are using the same tools we use, just in different ways. AI and automation are alive, well and clicking away in Hackerspace
In healthcare we have a duty to elevate our behavior and actions to protect ourselves, our families, and our business data.
So – what you can do?
Staying Safe in a Digital Minefield
Here are 3 things you can do
Step 1
I’ll date myself here but in the immutable words of Mulder and Scully – Trust no one
I mean no one. Family, friends, work colleagues, and bosses. That’s hard, as it goes against our psyche but it’s important. If you receive a request through *any* channel – text, email, and sadly even by phone – yes the phone! Voice cloning is on the rise.
Don’t accept any incoming message at face value. Reach back out using your phone and don’t reply through the original channel you received the note from.
Step 2
Enable two-factor authentication on all your critical accounts which includes your own personal email. Where possible make this a separate factor like an Authenticator app on your phone rather than a text message to your phone. But if the text option is the only option available use that rather than no second factor.
Step 3
Never, ever, I repeat ever, re-use passwords. And make them complex. There are lots of ways to approach this, using a password manager, use 24 characters or more, long phrases, and using all those funky characters not just the letters of the alphabet.
Bonus
And here’s your bonus Step – tell a friend and educate them too.
We are all in this together and fighting this will take a combined effort from everyone involved
