Rationalization Creates a False Sense of Cybersecurity
Facing the audacity of evil: when it comes to information technology and medical device security for healthcare organizations, believing your perceptions—or your rationalizations—can be dangerous.
In politics, it has been said that perception is reality.
In cybersecurity, the opposite is true. When it comes to information technology and medical device security for healthcare organizations, believing your perceptions—or your rationalizations—can be dangerous.
“Most people in IT security are really good people, and good people have a very difficult time believing the audacity of evil,” says John Gomez, CEO of cybersecurity firm Sensato. “Our natural response is to rationalize what may look like bad behavior within our own organization or to what extent a cyber attacker might go, and we lull ourselves into a false sense of security.”
You may be thinking that Gomez isn’t referring to you, as images of your various firewall, anti-virus, authentication, and other lines of defense are no doubt playing through your mind.
Now would be a good time to check your rationalizations.
Rationalization: We’re not a big enough target for a hacker.
Reality: You are.
Any size healthcare organization is a target. At the very least, an attacker looking for a payday would see any healthcare organization as an excellent target. What type of company relies more on the trust of its “customers” than a hospital, clinic, or other healthcare organization? What other type of company has more to lose through loss of trust, and resulting loss of business, than a healthcare provider?
On the other end of the spectrum is the type of attacker that gets all our rationalizations going: the cyberterrorist. Most people assume that terrorists will go after very large events, buildings, infrastructure, or organizations. But terrorists want to create fear. Now, think like a terrorist: If you could cause even just a few deaths by breaching some medical devices, wouldn’t that be a big enough target?
Rationalization: We can get to the low-risk vulnerabilities later.
Reality: That’s what the hackers hope you’ll say.
“People often believe that low-risk vulnerabilities don’t need to be addressed quickly, choosing instead to focus solely on the critical, high-risk, and medium-risk vulnerabilities,” says Gerry Blass, CEO of compliance management solutions provider ComplyAssistant and chair of the New Jersey Healthcare Information and Management Systems Society Privacy, Security, and Compliance Committee. “Attackers know this, and they rely on this. Any vulnerability that they can exploit gives them a way into a system. They can go after several low-risk vulnerabilities, chaining them together to compromise a network.”
Rationalization: Requiring all staff to change their passwords every 90 days offers a good level of protection.
Reality: It doesn’t.
Gomez will often survey rooms of CISOs and other IT security leaders, asking if they require that passwords in their organization be changed on a periodic basis. “It is rare that not everyone in the room raises their hands,” says Gomez. “Yet when I ask these security professionals if they require themselves or their family members to change their personal banking passwords, it’s rare to get more than one or two hands raised in the room.”
Although changing a password is a good practice overall, ultimately it won’t keep out the most professional attackers. This is an old practice that worked well in 2010, but today, if you change your password, the attacker will just replay the attack that they used to get in the first time, and they will get in again.
A healthcare-specific cybersecurity solution protects you from hackers and your own security shortcomings.
Rationalization: Your technology is your best hope of preventing a security breach and catching any attacker who does get into your system.
Reality: It isn’t.
Most attackers are caught by well-trained humans who are paying attention, noticing anomalies, and, most importantly, investigating. That’s because hackers are sophisticated, patient, and strategic. They will look for and find vulnerabilities. Once they’re in, they could “hang out” in your system indefinitely unless you employ something like a honeypot solution to turn the hacker’s tactics against them and catch them quickly after a breach. On average, breaches are not discovered for 265 days, and that number is actually going up.
Your best line of defense is your people, which is why training is so important. How many times do we reboot our phones, our computers, our servers, etc. when they’re slowing down or acting wonky? That’s usually the first thing the help desk will tell you to do, but often a reboot is exactly what a hacker is hoping you’ll do. “When an end user calls the help desk or call center, at that point, there’s usually no security really happening,” notes Gomez. “They’re just trying to be helpful, make the end user happy, and meet whatever success metrics they’ve been given.”
Is your staff trained to think first and ask what the user was doing before their computer slowed down or tried to reboot on its own, for example? Did they click on a link in an email? What sites had they visited?
Rationalization: Top executives don’t need to have an intimate knowledge of information security measures.
Reality: They really should.
From a regulatory, a fiduciary, and even a moral perspective, C-level executives have a responsibility to have a true understanding of how the organization is protecting itself and its patients from cyberattacks. To put it another way, the cybersecurity of a company is directly tied to financial outcomes. If something goes wrong on the cybersecurity side, you’re probably going to take a big financial hit. If a cyberattack impacts patients’ healthcare or results in loss of life, the devastation is unimaginable. Interestingly, a CEO can miss quarterly projections several times, even get fired for it, and still turn up as CEO of another company. That’s not at all uncommon. However, if a company experiences a cyberattack, it’s a CEO career killer.
Rationalization: What you do to protect yourself from external attackers will also protect you from internal attackers.
Reality: It won’t.
Things that would set off alarms coming from an external source often don’t trigger any response when coming from an internal source. Why? Because we trust the people we work with. Even if you notice an employee logging onto a server later than usual or accessing normally restricted areas, it’s common to give employees the benefit of the doubt or to question your own judgment about whether you can be sure what they’re doing warrants investigation.
A Welcome Reality: Protection is Possible
The ways in which we rationalize various types of threats are as many and varied as the ways hackers attack.
That’s why Sensato put together a single solution that addresses the administrative, technical, and operational requirements of HIPAA, NIST 800-53, and FDA Post-Market Guidance for Medical Device Cybersecurity. Specifically crafted for healthcare information technology and born out of personal expertise from working in the healthcare industry, MD-COP includes every key component necessary for protecting medical devices from cyberattack. Chief among the components of the MD-COP solution are the tactics, techniques, and procedures that every healthcare organization should have in place:
A medical device security policy
Threat intelligence gathering
Plan for replacement of older medical devices
Monitoring of segregated networks
Protecting your healthcare organization’s medical devices, networks, and systems isn’t just about protecting data; it’s ultimately about safeguarding human life. That’s a reality that should help any healthcare IT security professional clear away the fog of rationalization. MD-COP will secure your data, devices, and network from hackers’ ongoing assault. Act quickly.