Information and Security Awareness for Healthcare Professionals
Healthcare is a critical service. Even a short outage can be a disaster, which raises the stakes considerably when a cyberattack strikes: this is not just another business being disrupted by an incident. Healthcare facilities are now more reliant on always-on, always-accessible IT systems than ever before. Our evidence-based training follows best-practice learning methodologies as used by world-class learning organisations.
Typical scenarios which lead to data breaches and cyber-attacks in the healthcare sector include:
A user stores patient data on an unencrypted laptop and the device is then lost or stolen. Because the data was not encrypted, this is a notifiable personal data breach, which can mean your practice having to report the incident to the Data Protection Commissioner. It can also mean the name of your practice ending up in the media.
A user inadvertently downloads a data-stealing app onto their smartphone. The app steals the credentials for their email account (username and password) which results in a cyber criminal infiltrating their account. They then use this hijacked email account to propagate malware to email contacts such as patients, suppliers or other stakeholders.
A user opens a malicious email attachment from a phishing email. The attachment installs data-stealing malware which captures the credentials for your billing system. Subsequently, hundreds of fraudulent invoices are emailed to patients, with the payee bank account details changed to an account the criminals control.
Our information and cyber security awareness training provides you and your users with:
Top-of-the-mind awareness of current cyber security threats along with actionable advice on how to detect and mitigate such threats.
Information and cyber security awareness training tailored to the healthcare sector which makes content relevant and actionable.
Accurate testing and reporting which shows you improvements in employee security behaviours from a fixed baseline.
Some of our security awareness topics for healthcare professionals include:
The Cyber Threat Landscape
The role of Employee Responsibility
Phishing and Spear Phishing
Malware Prevention (keyloggers, remote access trojans, rootkits etc.)
Psychological Tricks of Cyber Criminals
Device Security (reducing the risk of loss and theft)
Password Management and Security
Sensitive Data Handling
Protection of Data stored in Physical Devices
Protection of Mobile Data Storage and Computing Devices.
Avoiding Supply Chain Attacks in the Healthcare Sector
We help healthcare providers such as:
dental and orthodontic practices
general practice clinics
mental health clinics
Our training is delivered in a medium to suit your workforce.
Virtual Interactive Training (over Zoom, MS Teams etc.)
On-Site Instructor-Led Training
E-Learning (drip-feed or spaced micro-learning campaigns)
Blended learning (E-learning, virtual and on-site)
Why are healthcare providers such an attractive target to hackers?
Healthcare providers are an attractive target for a number of reasons:
Most healthcare providers hold personally identifiable information such as names, dates of birth and national identity or social security numbers of patients and staff. All of this data can be used for identity fraud.
Cybercriminals can threaten to release confidential medical information on the dark web if their ransom is not paid. Confidential patient information is a very potent bargaining chip and threat actors know this.
Healthcare settings have an enormous collection of IT equipment and network-connected and internet-connected medical devices. All of these devices are targets for the cybercriminals. Simply ensuring that the security patches and updates are applied to all PCs, servers, network appliances and medical equipment is a significant challenge.
“We use very sophisticated anti-virus / anti-malware endpoint security here along with a firewall. Does this not make us very well protected?”
Anti-virus and anti-malware packages provide reliable protection against known viruses and malware variants, but signature-based detection is blind to newly released threats that the vendor has not yet encountered. To update their products the vendors must capture an example of the new threat, characterise it and release updated signature files that can detect it. In the window between the release of the new threat and the endpoint protection vendors releasing new signatures, the new malware has free rein. Modern endpoint products add heuristic and behavioural detection which narrows this window but does not close it, and criminals routinely re-pack their malware so that the file no longer matches any existing signature. Such malware can stealthily evade firewalls, email gateways and endpoint security defences. Having users who can spot and mitigate threats which are not detected by your security controls is one of the greatest security investments you can ever make.
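The following is an added illustration, not part of the original page, of why a signature built from one captured sample stops matching as soon as the criminals re-pack it. Everything in it is constructed: the "malware" is a harmless byte string, the signature database is a dict built in the file, and the heuristic regex stands in for the kind of generic, behaviour-style indicator that survives trivial repacking (it is not a real vendor rule).

```python
"""Hash signature versus a re-packed variant (constructed example)."""
import hashlib
import re
from typing import Optional

# Constructed stand-in for a malicious dropper (harmless text, not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00 stage1: powershell -enc aGVsbG8= ; dropper v1"

# Constructed signature database: SHA-256 of every sample the vendor has seen.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Dropper.Gen.v1"}


def hash_signature_match(payload: bytes) -> Optional[str]:
    """Exact-hash detection: returns the family name only for a byte-identical sample."""
    return SIGNATURE_DB.get(hashlib.sha256(payload).hexdigest())


def make_variant(payload: bytes) -> bytes:
    """Simulate the criminal re-packing the sample: one byte changes in a
    non-functional tail ("v1" -> "v2"). Behaviour is unchanged; the hash is not."""
    return payload[:-1] + b"2"


# Constructed heuristic: a Base64-encoded PowerShell launcher pattern. This is a
# generic indicator of the technique rather than of one specific file.
ENCODED_PS = re.compile(rb"powershell[^\n]{0,40}-enc\s+[A-Za-z0-9+/=]{4,}", re.I)


def heuristic_match(payload: bytes) -> bool:
    """Behaviour-style detection that does not depend on the exact bytes."""
    return ENCODED_PS.search(payload) is not None


def demo() -> dict:
    """Run both detection styles over the known sample and its repacked variant."""
    variant = make_variant(KNOWN_SAMPLE)
    return {
        "known_by_hash": hash_signature_match(KNOWN_SAMPLE),      # detected
        "variant_by_hash": hash_signature_match(variant),         # missed
        "variant_by_heuristic": heuristic_match(variant),         # still caught
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The one-byte change is all it takes to defeat the hash signature; the heuristic still fires, but a determined attacker can change the launcher pattern just as easily, which is why the text treats alert users as the backstop for whatever the tooling misses.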
Ransomware Case Study: Düsseldorf University Clinic
In September 2020, a ransomware attack on the Düsseldorf University Clinic meant ambulances had to be redirected to other hospitals. A female patient scheduled for life-saving treatment had to be taken to a hospital in Wuppertal roughly 60 kilometres (38 miles) away and died after the delay. The authorities in the German state of North Rhine-Westphalia opened an investigation into suspected "negligent homicide"; it was later closed after prosecutors concluded that the delay had not been decisive for the outcome, but the case showed how directly a ransomware attack can interfere with patient care.
The administration of healthcare facilities know what is at stake. They are fully aware that every minute their services are offline directly impacts the care available for patients. This, the cybercriminals assume, makes them more likely to pay the ransom. As heartless as it sounds, to the cybercriminals this is just business. It is simply digital extortion.
Hospitals store vast amounts of special category personal data. Cybercriminals can make money on the dark web selling this data but, more often than not, they prefer a ransomware attack like the one in Düsseldorf. A ransomware attack encrypts the data on the victim's servers, which prevents the medical facility from making any meaningful use of its IT infrastructure. Returning the systems to a working condition requires a decryption key, which the cybercriminals provide once the ransom has been paid. If the victim refuses to pay, deciding instead to wipe their servers, reinstall the operating systems and applications, restore the data from backups and redo all of the network configuration, the cybercriminals resort to their fallback plan: leaking patient information online in increasing volumes until the ransom is paid.
Ransomware Case Study: Vastaamo, Finland and HSE, Ireland
Vastaamo ran the largest network of private mental-health providers in Finland. It was hit by a cyberattack but refused to pay the ransom. The cybercriminals leaked some patient records, including therapy session notes, to prove that they could and that they would. Then around 30,000 patients were contacted individually and asked to pay a ransom each to prevent their own data from being leaked too. This resulted in worldwide negative publicity and extensive reputational damage.
Similarly, in May 2021 there was a ransomware attack on the Irish Health Service Executive (HSE). It all started with one employee opening a malicious attachment from a phishing email. The HSE was asked for a €16.4 million ransom for the decryption key and refused to pay. The cybercriminals later handed over the decryption key so that the HSE could start to return to normal running, but even with the key the cost of recovery was estimated at €100 million, including restoring the network, upgrading systems to Microsoft 365 and the disruption caused to patients.
However, the cybercriminals did not suddenly grow a conscience. They continued to demand payment, threatening that if the ransom was not paid over 700GB of patient records would be leaked online or sold on the dark web.
The cybercriminals know all about GDPR too. They know that a ransomware attack counts as a personal data breach even if no data has been exfiltrated or leaked, because you have lost control of, and access to, the data. Whether you pay the ransom or not, you must notify the Data Protection Commissioner within 72 hours and you may face an administrative fine. If the data has also been leaked online, that fine is likely to be much higher, and the affected data subjects can sue you too.
It becomes a perilous balancing act, trying to find the least damaging way forward. Do you put the patients first, pay the ransom, get back online quickly and hope for a smaller GDPR fine, knowing that payment is no guarantee the criminals will delete the data they took? Or reject the ransom, restore your systems from backups, however long that takes, and risk having patient data leaked online, leading to a top-tier GDPR fine and the risk of data subject lawsuits?
Why cyber security awareness training matters for healthcare professionals…
Email is still the main attack vector
The most common delivery method for malware like ransomware is email. The addresses used in these automated attacks are harvested from every available source and collated into huge databases that are traded on the dark web; there are many such collections, each containing millions of email addresses. Phishing emails carry malicious attachments or links that infect the computer of any unwary user who opens the attachment or clicks the link in the body of the email. That first infection is usually only a foothold: the attackers then spread across the network, machine after machine, and only trigger the ransomware once they have reached as much of the estate as possible, so that everything is encrypted at once.
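As an added example that is not part of the original page, the script below runs the kind of triage checks a mail gateway or an analyst would apply to a message carrying the two delivery methods named above: a disguised attachment and a link whose visible text does not match where it actually points. The email is constructed for this example; the sender, domains (example.com, example.net, example.org) and attachment are fictitious, and the `registered_domain` helper is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Triage of a constructed phishing email: attachment and link checks."""
import re
from email import message_from_string, policy
from typing import Dict, List
from urllib.parse import urlparse

# File types that execute directly when double-clicked, and document types that can carry macros.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
MACRO_DOC_EXTENSIONS = {".docm", ".xlsm", ".doc", ".xls"}

# Constructed sample message: HTML body with a deceptive link plus a "PDF" that is really a script.
SAMPLE_EML = """\
From: "Billing - Clinic Portal" <accounts@billing-example.net>
Reply-To: pay@example.org
To: reception@clinic.example.com
Subject: Overdue invoice INV-4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please review the attached invoice or view it at
<a href="http://portal.billing-example.net.login.example.org/inv">https://clinic.example.com/invoices</a></p>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--XYZ--
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Last two DNS labels. Good enough for this constructed example; a real
    deployment would consult the public suffix list (co.uk, com.au, ...)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str) -> Dict[str, List[str]]:
    """Return findings grouped by category; an empty dict of lists means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings: Dict[str, List[str]] = {"headers": [], "attachments": [], "links": []}

    # 1. Replies routed to a different domain than the apparent sender.
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].domain if msg["Reply-To"] else sender
    if registered_domain(reply_to) != registered_domain(sender):
        findings["headers"].append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            low = fname.lower()
            # 2. Double extensions hide the real type from users who see "Invoice.pdf".
            if low.count(".") >= 2:
                findings["attachments"].append(f"{fname}: double extension")
            ext = "." + low.rsplit(".", 1)[-1]
            if ext in RISKY_EXTENSIONS:
                findings["attachments"].append(f"{fname}: executable/script type {ext}")
            elif ext in MACRO_DOC_EXTENSIONS:
                findings["attachments"].append(f"{fname}: macro-capable document")
        elif part.get_content_type() == "text/html":
            # 3. Visible link text that points at a different registered domain.
            for href, text in LINK_RE.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                real_host = urlparse(href).hostname or ""
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
                if shown_host and registered_domain(shown_host) != registered_domain(real_host):
                    findings["links"].append(f"text shows {shown_host} but goes to {real_host}")
                if not href.lower().startswith("https://"):
                    findings["links"].append(f"non-HTTPS link to {real_host}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EML).items():
        print(category, items)
```

Note the lookalike host in the sample: `portal.billing-example.net.login.example.org` starts with the legitimate-looking name but is actually under `example.org`, which is exactly the detail a hurried user skimming the link text will miss and a domain comparison will not.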
Your employees play a more important security role than ever before
The software that's used to propagate phishing emails neither knows nor cares anything about the organisations that will receive the emails. Everyone is fair game. That means the safety and operational capability of your network is, to a large degree, in the hands of your staff. They are the ones on the front line: these emails arrive in their inboxes, and once a message has slipped past your technical controls, the quality of their cybersecurity awareness training is what stands between the cybercriminals and your ability to function and operate.
GDPR and cyber security awareness are not the same thing…
GDPR expects you to train any staff who handle personal data, and regulators expect that training to be refreshed regularly; annually is the common practice. But don't confuse that with cybersecurity training. It's a completely different knowledge base and skill set.
GDPR awareness training is all about following the GDPR data privacy guidelines, and avoiding breaching those rules. Cybersecurity training is concerned with being able to identify cyberthreats and knowing what to do when faced with phishing attacks, social engineering attacks, or any of the other common attack types.
It’s also about knowing, understanding, and adopting cybersecurity best practices like never reusing passwords on other systems, following good password guidelines, and using VPNs when on public WiFi.
The most effective type of cybersecurity awareness training doesn't just pump facts into people. You need to get your workforce on board with the organisation's security goals so that they embrace their responsibilities, follow your security policies and practices, and adopt a sensible, defensive mindset. Pulling that off is a skill set all of its own.