Quote Of The Year - Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

Wednesday, June 12, 2019

Some Sensible Notes From HISA On Cyber Security. Worth A Read.

This appeared a few days ago.

Healthcare Executives and Employees Are Hacker Targets – 5 steps to Protect Them

Tom Crampton

Cybersecurity Community of Practice Steering Committee Member

Cyber criminal activity continues to spread rapidly across Australian businesses of all sizes and in all industries. Healthcare is no exception, and frontline employees and ‘C-suite’ executives are increasingly the prime targets. While businesses may feel overwhelmed by the growing risk of cyber attacks and criminal activity, there are simple things that can be done now to manage the immediate risks.

Cyber crime rising – 61% of all data breaches are criminal

For the first three months of 2019, 131 or 61% of the breaches of personal or confidential information reported to the Office of the Australian Information Commissioner (OAIC) were criminal or malicious in nature. Other breaches were attributed to human error (35%) and systems faults (4%). A total of 215 breaches were reported.
The breached information included data about customers, stakeholders and other confidential business information. While the majority of data breaches involved smaller businesses and the exposure of the personal information of 100 individuals or fewer (68% of data breaches), one incident alone affected 10 million people!
Of the 131 criminal or malicious breaches, 87 were the result of cyber criminal activities including:
  • tricking employees into disclosing sensitive information or passwords (“phishing”);
  • electronic ‘break-ins’ (“hacking”);
  • introducing malicious software into a business to damage it or hold data to ransom (“malware” or “ransomware”);
  • automated guessing of customer or employee system logins (“brute force” attacks); and
  • a number of incidents where the methods used by the criminals remain unknown.
Health sector organisations were a common target in that report, with their access to intimate health and patient-related data as well as insurance and Medicare details attracting the attention of cyber criminals. Next was professional services firms like accountants and lawyers which have access to the confidential intellectual property and financial data of numerous individuals and businesses. Similarly, access to banking and financial product details of numerous individuals and businesses made financial services the third most likely sector for criminals to target.
There were a further seven ‘social engineering or impersonation’ data breaches. Similar to ‘phishing’, these involve the manipulation of employees into redirecting electronic payments from legitimate recipients to the criminals’ bank accounts.
‘Social engineering’ incidents which occur via email are known as ‘business email compromise’ or BEC. The Australian Competition and Consumer Commission (ACCC) reported that BEC fraud cost Australian businesses $3.8 million in 2018. Globally, US$12 billion was lost to BEC in the same year according to the FBI.
The growth in ‘social engineering’ and ‘phishing’ crimes in particular reflects a trend for cyber criminals to directly target both senior and frontline employees with fraudulent communications, in addition to continuing their systems-based attacks.
…..

5 things Healthcare Professionals can do to protect themselves TODAY

As the risk of cyber crime will only continue to grow, following are a number of critical steps that healthcare services of all shapes and sizes can take today to manage their immediate risks, while also preparing for future threats:
1. Recognise that Cyber is a leadership challenge: To make cyber crime readiness central to the operations of a healthcare service, the ‘C-suite’ needs to lead the change and make it a priority. Implementing and actively (as well as visibly) participating in programs to improve cyber risk management will ensure it is embraced across the organisation.
2. Validate new or unusual transactions: Develop simple processes to validate the authenticity of financial transactions which appear unusual, or when existing suppliers and employees alter their bank account details. This addresses key areas of cyber fraud where staff have been tricked into authorising unusual payments, and when criminals impersonate suppliers or employees to trick businesses into re-directing payments to illegitimate bank accounts.
3. Use security testing to determine staff training: Implement training programs that connect risky behaviours to learning about why it is risky. For example, my organisation (Trusted Impact) runs programs which assess vulnerability to ‘phishing’ or ‘business email compromise’ activity. Employees who fail these tests are immediately given the opportunity to undertake training to recognise these and similar threats.
4. Don’t just train – target behaviour change: Different people absorb new information differently. Awareness programs which make risk mitigation thinking part of day-to-day behaviour need to be thoughtfully designed so awareness of cyber risks becomes ‘second nature.’ It also needs to be reinforced over time to ensure currency and staff readiness.
5. Measure progress: “You cannot improve what you cannot measure.” This truism should be reflected by implementing a measurable plan to track the level of engagement that all staff demonstrate with the risk mitigation program. This can be done through ongoing phishing testing or by tracking training course results. Tracking the levels of participation, progress, and performance is vital to determine whether a ‘security aware’ culture is emerging.
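Step 2 above (validate unusual transactions and changed supplier bank details) can be turned into a simple pre-payment check that a finance team runs before releasing funds. The following is an added illustration written for this post, not code from the article or from Trusted Impact; the 30-day window, the 3x "unusual amount" factor and the sample supplier are all constructed assumptions, and a non-empty result means the payment must be confirmed with the supplier through a contact already on file rather than through details on the invoice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean

RECENT_CHANGE_DAYS = 30       # assumed: a bank-detail edit this recent needs a call-back
UNUSUAL_AMOUNT_FACTOR = 3.0   # assumed: more than 3x the supplier's average is "unusual"


@dataclass
class Supplier:
    name: str
    bsb_account: str            # bank details held on the supplier master file
    details_changed_on: date    # when those details were last edited
    past_payments: list = field(default_factory=list)  # amounts previously paid


def payment_checks(supplier, requested_account, amount, today):
    """Return the reasons this payment request must be verified out of band
    (for example by phoning the supplier on a number already on file).
    An empty list means the request matches what is already known."""
    reasons = []
    if requested_account != supplier.bsb_account:
        reasons.append("bank details on the request differ from the master file")
    if today - supplier.details_changed_on <= timedelta(days=RECENT_CHANGE_DAYS):
        reasons.append(f"master file bank details were changed within {RECENT_CHANGE_DAYS} days")
    if supplier.past_payments:
        typical = mean(supplier.past_payments)
        if amount > UNUSUAL_AMOUNT_FACTOR * typical:
            reasons.append(f"amount is {amount / typical:.1f}x the supplier's average payment")
    else:
        reasons.append("no payment history for this supplier")
    return reasons


# Constructed sample data, not taken from any real organisation.
LAB = Supplier("Example Pathology Pty Ltd", "033-000 123456",
               date(2018, 3, 1), [1200.0, 1350.0, 1100.0])
TODAY = date(2019, 6, 12)

if __name__ == "__main__":
    # A routine invoice: nothing to flag.
    print(payment_checks(LAB, "033-000 123456", 1300.0, TODAY))
    # Same supplier, but the invoice carries a different account: the classic
    # BEC redirection, so finance must confirm before paying.
    print(payment_checks(LAB, "033-000 999999", 1300.0, TODAY))
```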
Here is the link to the full article:
A useful set of tips I believe and well worth a read.
David.
