Skip to content Skip to navigation

Damned If You Do, Damned If You Don’t

July 12, 2016
by Mac McMillan, CEO of CynergisTek
| Reprints

Last week I saw two ugly scenarios play out that did nothing positive for healthcare or its mission to protect patient information. The first incident involved escalations of the cyber threats healthcare organizations face. We were introduced to the hacker “The Dark Overlord” who had hacked multiple hospitals and then attempted to extort them for money. His request was simple, “Pay me and I’ll return your data and show you how I got it so you can fix things.”

According to the account of what happened, the hacker took advantage of errors or omissions in maintenance and administration of the targets networks, which are oversights. When they refused he did what any self-respecting hacker (cybercriminal) would do and promptly placed those hospitals information on the dark web for sale. That was Tuesday; on Thursday, he posted the other nine million plus health records he’d stolen on the dark web for sale. It is unclear how many hospitals those records represent, but what is clear is that the threat to health information is very real. We also saw Crysis, one of the newest varieties of ransomware, introduce a new challenge for everyone to deal with because unlike former variants of ransomware, Crysis has the ability to steal the victim’s data.

The second incident involved what can only be described as unenlightened and irresponsible reporting by the press. The story was about a hospital that had conducted a phishing test of its employees to help raise awareness and hopefully make their workforce less susceptible to infiltration. They were doing the right thing. They were doing what countless other hospitals and businesses are doing around the country to try to raise awareness and increase their resistance to such attacks. Unfortunately, all the reporter took away from the situation was an opportunity to slam the hospital for fooling its employees, not once but twice, in two different articles. They saw it as a workplace satisfaction issue, reporting that those employees who were duped were embarrassed, some even upset that a “trick” had been played on them, rather than seeing it as an institution trying to raise awareness and using the newest innovation in experiential training to give employees the ability to experience phishing attacks in a safe environment and to learn from it.

Mac McMillan

What this speaks to is a culture that needs to change. Healthcare leadership cannot afford to continue to tolerate poor security or attitudes that promote bad habits or apathy towards protecting information. The Dark Overlord is just the latest bad actor that healthcare is facing. There are many more like him out there just waiting for their opportunity. Some are not as talented, some are more. Unless we started doing a better job of managing enterprise systems and cultures, the number of individuals with the ability to compromise our networks will increase.

We need to also stop coddling the workforce, and worrying so much about offending a few sensitive individuals when we conduct phishing and other security tests. Employees need to understand that security professionals are not engaging in personal attacks or pranks, and are conducting necessary assessments of vulnerabilities in the hospital’s network. We work in a business that can be life or death for patients, and we have a responsibility to keep their personal information sacrosanct. Leaders need to be able to take whatever steps are necessary to ensure the integrity, availability and confidentiality of information assets to ensure that they are safe and that they will be there when we need them to care for our patients. We need to increase awareness and understanding that testing and monitoring is essential to a safe and secure hospital network, and that staff should welcome that work, not be offended by it.  

According to the SANs Institute, over 95 percent of all attacks on the enterprise was the result of successful spear phishing. These are emails that most often look like they come from a legitimate company, normally your own hospital, and usually seek to elicit some emotional response by presenting some situation that requires urgency or promises doom if ignored. They want workforce members to react with their emotions rather than with their heads. We need workforce members who think when they use a computer or other device and ask, “does this seem right, does it seem too good to be true (you just won tickets to X, even though you didn’t enter any raffle), is this abnormal or is this what they would ask of me normally?”

Ask anyone in Hollywood Presbyterian, MedStar Health or Methodist in Kentucky if phishing can lead to undesirable consequences. Hospitals all over the country are conducting phishing-prevention campaigns to assess, educate and raise awareness, to hopefully reduce the likelihood of an incident. Their action to be proactive and help workforce members know what to look for should be applauded, not derided by unhappy workers an unenlightened press looking for a human interest story.

Certainly, hospital leaders should never cave to such griping, and should instead make personal accountability a hallmark of their corporate cultures. An employee’s reaction to taking the bait in a phishing attack should be to take responsibility and learn how to never let that happen again. Any notion that hospitals should not simulate threats to test workforce readiness in just plain nonsense. So to those that are testing and monitoring and looking for innovative ways to improve institutional awareness: I say keep it up. You are doing the right thing.