The healthcare sector is a prime target for cyberattacks, and its employees are the first line of defense. A single frontline employee who clicks on – or knows how to avoid clicking – a malicious email link could be the difference between suffering a ransomware attack or not.
While healthcare is one of the industries most likely to self-assess itself as having mature security readiness, it is still too often unprepared for security threats, and healthcare workers’ cyber vigilance is critical to meet the challenges of emerging threats.
Meanwhile, artificial intelligence is changing the risk profile for healthcare systems large and small, with novel attack techniques emerging daily.
“Trying to understand what comes next is always more difficult than fighting the last battle,” said Dr. Eric Liederman, CEO of CyberSolutionsMD.
Liederman will moderate a panel on empowering employees through a supportive approach to security at next week's HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31-November 1 in Washington, DC.
“The problem most organizations have is that they take a top-down approach to the how,” Liederman said. While organizations are using various approaches to help train employees to recognize threats such as phishing emails, “there is no science behind it,” he said.
“It’s about education, but also about helping people connect,” said Anahi Santiago, ChristianaCare’s chief information security officer, who will join Liederman and the FBI’s David Fine on the panel.
Santiago described three keys to cybersecurity training:
- Get to know your audience.
- Learn how to engage your audience.
- Leave the door open to “report, report, report.”
From a security standpoint, what’s essential to a clinician is likely to be different from what’s essential to someone in the financial world, she added.
“It’s not treating everyone the same and assuming that everyone will process information the same way… and tailoring the message to make it relevant to what they do.”
Santiago said being approachable is intentional throughout ChristianaCare, and the IT department’s message is: “It’s okay if it’s not a reportable issue – report it anyway.”
While the door is always open for anyone in her organization to report any security concerns they may have, “One of the things we also do that I think has been really helpful is the safety roadshow concept.”
IT teams are meeting with departments to convey, “We’re not just cybersecurity specialists working on what you think is really scary, and we don’t know what we’re doing,” she explained.
“We’re all known as people who don’t click on that link, and a lot of people think that’s the only thing they need to worry about,” she said.
However, there are many other issues that healthcare professionals need to be aware of.
“Emerging threats are always an area where we need to change and think about – what threats might emerge?”
Without scaring caregivers, cybersecurity professionals must come up with inventive ways to prepare them, she added.
Deepfakes are a perfect example of what’s coming next.
Business email compromise “has really picked up steam this year,” Liederman noted. Although IT teams have advised employees to avoid links in emails and “don’t open any attachments for anything they weren’t expecting,” he said, the next step in that advice no longer always works.
It used to be: “If you have any concerns, please contact the person who sent it. Now, if you do this, how do you know you are talking to a real person?”
Santiago agreed that the level of voice and image sophistication in deepfakes significantly increases the security risks faced by healthcare organizations.
Now, criminals will go as far as scheduling Teams calls using their impersonations – “and they’re on video and they look exactly like the person you would normally interact with on video,” she said.
To illustrate the level of the deepfake threat to ChristianaCare’s leadership, she asked her team to make a fake video of her talking about emerging cyber threats related to generative artificial intelligence, which she believes cost about $0.09.
After playing the two-and-a-half-minute bogus video, “I told them, ‘I have absolutely nothing to do with this video,’ and management looked stunned.”