Phishing is Coming
“We have not seen the biggest attack yet,” says Jorge Rey, director of information security and compliance at advisory firm Kaufman Rossin. This statement, made in an interview with Healthcare Informatics about the current state of cybersecurity in healthcare, is part of Rey’s assertion that an ‘Enron’-scale attack, one that dwarfs even WannaCry and Petya, is likely on the horizon. Such an attack, he believes, would extend beyond any one industry to affect an entire nation.
It is often difficult, however, to convince people of such an enormous threat and to muster a strong resistance. Jon Snow is learning that this season on Game of Thrones, in trying to convince everyone of the seemingly outlandish dangers of the White Walkers sweeping down from the north to extinguish all life in Westeros; threats that only he and a few others have seen, and that no one else much credits amidst all the factional fighting and politicking in the sunny south. When facing such dire scenarios, whether long winters or catastrophic data breaches, it’s crucial not to be overwhelmed into apathy by the scope of the task, and to approach it one step at a time (doing nothing, we will presume, is not an option).
For the best brooder in the seven kingdoms, so far that has meant gathering allies. For organizations and their IT staff, the steps are numerous.
Well, let’s start with the category of “not good enough.” While antivirus and firewalls are the most common recommendations, alone they are insufficient. Nor is simply being HIPAA compliant enough. Compliance does not equal security, as standards constantly change, and meeting the bare minimum of audits may not reveal true weaknesses. Backing up your data is also necessary, but this doesn’t go far enough.
What, then, does it take to ensure the best possible protection? Encryption should be high on everyone’s priority list, as should awareness of the security practices of your business associates and third-party vendors. As we’ve discussed recently, the weak links that usually lead to massive breaches come from both third-party sources and user error.
Unfortunately, this is where we run into challenges. Administrators and doctors across the board are often unaware of some of these rules and strategies for optimal data protection. Smaller practices may lack the resources of some, but with larger organizations this can be especially tricky. Jon Snow might have an easier time convincing nonbelievers about the threat the White Walkers pose than IT staff or security experts have in trying to impress upon board members the importance of spending on education and training. This, despite the fact that phishing remains one of the biggest threats to healthcare—the source of so much downloaded ransomware—and yet the employee training to resist it is still sorely lacking. Phishing schemes are such a prevalent attack method, even creating substantial weaknesses in otherwise well-secured systems like Apple iOS, that preventative counter methods are indispensable.
Analysts like Rey believe that a major attack is inevitable. When winter is coming, the best defense is preparation: having the best tools and techniques to fight the storm. And when it has passed, hopefully we can move forward productively to develop even better cybersecurity approaches. Those who are not prepared, however, may find it hard to reach that spring.