So, you have installed a new server and a unified threat management device, firewalls, and updated software that intercepts malware. You have also conducted vulnerability and penetration testing and coached and trained your staff. You think you are safe, and maybe you are—for today. However, while you are sleeping tonight, evildoers will be hard at work preparing for their next cyberattack, and it could be on your system or data.
No one is immune to cyberattacks. Individual employees can be successfully attacked. Companies and their vendors (or other e-connected stakeholders) can also be penetrated. Entire organizations have been brought down by a successful cyberattack. If you were to monitor threat map resources, you would see that 24,595,344 cyberattacks occurred over more than 17 hours on December 7, 2020. That translates to 24,113 attacks per minute.
In this article, I will explain why you should never assume that your information technology system, network, or data are secure; why humans are the weakest link in the cybersecurity war; and how a successful attack can severely compromise your mission. I will also discuss several actions that you can take to minimize cyber threats.
Cyberattacks: A Growing Problem in healthcare
An area of increasing concern is the threat of cyberattacks on protected health information. The US Department of Health and Human Services’ Office for Civil Rights posts breaches that affect more than 500 patients to their online portal. In May 2020, these breaches affected a total of 157,173 patients. Of the 15 reported breaches, 9 were caused by hacking, 5 were caused by unauthorized access or disclosure, and 1 was the result of improper disposal of protected health information.
It is important to note that the breach of healthcare data constitutes a large majority of identity theft. A Pennsylvania health system recently began notifying more than 700 patients that they were at risk for identity theft when it was discovered that a former employee had inappropriately accessed their medical records.
The WannaCry ransomware attacks struck worldwide in more than 150 countries. According to a June 2019 report from the cybersecurity firm Armis, more than 40% of healthcare organizations were victims of these attacks.1 Organizations paid more than $325 million in ransom, and the total cost in terms of financial losses was greater than $4 billion. Ransomware attacks increased 25% from Q4 2019 through Q1 2020, and these attacks show no evidence of slowing down.2
In February 2020, the country of Iran sustained a nationwide cyberattack on its Internet infrastructure; Forbes reported that this was a Distributed Denial of Service (DDoS) attack.3 The NetBlocks Internet Observatory, which maps Internet freedom, reported extensive Iranian telecommunications network disruption on February 8, 2020, and another disruption on March 3, 2020.
There are 2 reasons this cyberattack was particularly dangerous. First, Iran is in a battle against COVID-19. When its infrastructure becomes compromised, the flow of information stops, which results in people dying. Second, Iran has a history with cyberattacks. In 2010, the country was hit with a virus called Stuxnet, which damaged its uranium enrichment capabilities. This was widely considered the first cyberattack that affected a physical machine, otherwise known as ground zero.4 In 2021, cyberattacks are much more sophisticated and prevalent.
It can be argued that the attack on Iran is not our problem. However, I think that this view is shortsighted and dangerous. If the entire country of Iran can be affected by a cyberattack, then it stands to reason that the United States is also at risk. If a cyberattack was to stop the flow of scientific, logistic, and financial information in our country, the consequences would be devastating.
Cyber Habits Can Render an Attack Successful
A DDoS attack sends millions of requests to a network, overwhelming it, and denying service to legitimate users. The only way an attack such as this can be successful is if those requests were to come from hundreds, if not thousands, of computers. One of those computers could easily be yours.
There are several ways that a cybercriminal can get software onto a personal computer or wireless device without the user’s knowledge. Unfortunately, the growth of telehealth and remote workspaces during the COVID-19 pandemic has created new avenues for attack. A recent article by a malpractice insurance company, The Doctors Company, stated that telehealth “increases cyber liability, especially when providers are seeing patients from a variety of devices in a variety of locations.”5
One strategy currently being used to mitigate the spread of COVID-19 is the use of contact tracing apps. Guardsquare, a mobile app security company, assessed 17 Android mobile contact tracing apps built by government entities in 17 different countries and found that the “vast majority…are not sufficiently protected.”6
Only by creating a culture of cybersecurity can we hope to avoid disaster and optimally manage our risks.
Strategies to Protect Against Cyberattacks
A good first step toward protecting your practice against cyberattacks is having a solid password policy. You may complain that passwords can be inconvenient and coming up with complex passwords with many requirements seems like overkill. However, the information technology professionals that I know assure me that it is not overkill. There are ways to manage passwords and make this part of your cyber life more secure. Using a password manager and allowing a program to generate a random password for you, or using a phrase such as "frogs eat spinach in the desert" instead of a "strong" password, are effective tactics to consider.
Another strategy that can be used to guard against cyberattacks is to gain a better understanding of phishing and learn ways to effectively combat it. In 2019, Avanan published their Global Phish Report, which stated that approximately “25% of phishing emails bypassed Office 365 default security.”7 Generally, phishing attacks are e-mails prompting a user to click on an embedded, malicious link with attachments to a main vector. When these links are clicked, the software used to attack others is downloaded onto the user’s computer. The user has no idea it is there until the hacker who controls the program activates it remotely. At the same time, this attacker activates thousands of other machines that have also been affected. Through this method, networks can be taken down and access to information comes to a grinding halt.
A third approach to get your “cyber house in order” is to ask for help from a cyber coach. These professionals can help you set up proper password policies and educate you on effective practices to keep you and your practice safe. Train, educate, reinforce the training, and never stop.
During my time in the Marine Corps, training was explained with the statement, “The more we train in peace, the less we bleed in war.” Make no mistake; you are in a war for your data and the control of your electronic or information processing systems.
There are talented cybersecurity professionals guarding our networks and the information stored within them. Our job as users is to perform the inconvenient tasks, and in so doing, we can avoid making these professionals’ jobs harder than they need to be. Continue to educate yourself; read books, watch videos, and learn all you can about proper computer and network security behavior.
Cybersecurity is a Mission-Critical Imperative
Now you may understand the mission-critical imperative for a greater focus on the human element, on daily vigilance, and the need to develop and reinforce a culture of cybersecurity. The line between our online and offline lives is indistinguishable. These technology-fueled times place our lives, our homes, and our society’s safety—as well as our economic prosperity and the country’s security—at constant risk.
We are all making the effort to protect ourselves and others from COVID-19 by washing our hands, wearing masks, and social distancing. In the same way, we should be taking the necessary steps to guard against cyberattacks, especially during the current era of vulnerability and uncertainty. When it comes to cybersecurity, we must try to be “right” constantly, because unfortunately, the cybercriminals only need to be “right” once.
- Armis. Two years in and WannaCry is still unmanageable. www.armis.com/resources/iot-security-blog/wannacry/. Accessed January 20, 2021.
- Beazley Breach Response Services. The enduring threat of ransomware: COVID-19-related phishing scams likely to dominate Q2. June 9, 2020. www.beazley.com/news/2020/beazley_breach_insights_june_2020.html. Accessed January 20, 2021.
- Winder D. Powerful cyber attack takes down 25% of Iranian Internet. February 9, 2020. www.forbes.com/sites/daveywinder/2020/02/09/powerful-iran-cyber-attack-takes-down-25-of-national-internet/?sh=398dee3c20dc. Accessed January 20, 2021.
- Hafezi P. Iran admits cyber attack on nuclear plants. November 29, 2010. www.reuters.com/article/us-iran/iran-admits-cyber-attack-on-nuclear-plants-idUSTRE6AS4MU20101129. Accessed January 20, 2021.
- The Doctors Company. Your patient is logging on now: the risks and benefits of telehealth in the future of healthcare. August 2020. www.thedoctors.com/articles/your-patient-is-logging-on-now--the-risks-and-benefits-of-telehealth-in-the-future-of-healthcare/. Accessed January 20, 2021.
- Goodes G. Most government-sponsored COVID-19 contact tracing apps are insecure and risk exposing users’ privacy and data. June 18, 2020. www.guardsquare.com/en/blog/report-proliferation-covid-19-contact-tracing-apps-exposes-significant-security-risks. Accessed January 20, 2021.
- Avanan. 2019 global phish report. April 2019. www.avanan.com/hubfs/2019-Global-Phish-Report.pdf. Accessed January 20, 2021.