
Summer 2022


Three Cybersecurity Safeguards to Implement in Your Organization Today

Kathryn Hickner, Esq.
Brennan, Manna & Diamond, LLC, Cleveland, OH

Chuck Mackey
Security Principal, Fortress SRM, Cleveland, OH

Within the past few months, we have worked with large and small physician groups, hospitals, home health agencies, laboratories and others that have been the subject of data breaches due to failures in security policies and procedures, as well as devastating ransomware and phishing attacks. Every physician practice and healthcare organization is a target for cybercriminals. No business is too small.

Healthcare attorneys and cybersecurity professionals recommend that physicians, hospitals and others in the healthcare industry take prompt and meaningful action to mitigate the risk of a cyberattack. Luckily, in this space, legal compliance and business interests are aligned.

Safeguard #1: Understand That Cyber Resiliency is Business Resiliency

In order for an organization to adopt and implement an active and robust data privacy and security compliance program, it’s imperative that leadership understands that protecting the organization from cybercriminals not only mitigates legal risk and financial liability, but it is also good business.

Cyber resiliency is an organization’s ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on cybersecurity resources. This standard definition of cyber resilience was created by the National Institute of Standards and Technology, and we believe it is spot-on.

Cyber resiliency is also business resiliency. A business that is cyber resilient can defend itself against cyberattacks, limit the negative impact a security incident can have, and ensure business continuity and uninterrupted operation during and after the attack. Being cyber resilient also helps organizations withstand and recover from other business interruptions, such as natural disasters, hardware failures, data loss and power outages.

There is a distinct difference between cybersecurity and cyber resiliency. Cybersecurity is the prevention of cyberattacks, using tools such as endpoint detection and response (EDR), firewalls and malware detection software, and improving security behaviors through employee anti-phishing email training and timely security patching.

Being cyber resilient is letting go of the belief that an organization can create an impenetrable barrier between it and cybercriminals. Instead, cyber resiliency assumes that attacks will happen, and operations will be disrupted, so safety precautions must be implemented to respond to, and recover from, cyberattacks.

A cyber and business resiliency mindset seeks to identify the parts of a business that can be disrupted, and once identified, is focused on limiting the impact of a disruption. As an example, if a power outage occurs, are there data backups in place for critical and non-critical business systems? How soon can systems be restored? Are there multiple backups in different locations in the event of a natural disaster?

Not until measures are put in place to minimize the impact of disruptions can a business consider itself resilient.

There are three main elements of cyber resiliency: cybersecurity protection, continuation of normal business and adaptability.

  • Cybersecurity Protection is putting security measures and tools in place to prevent unauthorized access to your systems and network. It includes using EDR, firewalls, VPNs and staff training to defend against cyberattacks.
  • Continuation of Normal Business is the point at which an organization is operating normally after a security incident or can continue operating during an incident. This includes the time it takes to restore all systems from backups.
  • Adaptability refers to how easily the organization can defend against ever evolving and changing cyberattacks. The more adaptable an organization is, the more cyber resilient it is.

Achieving cyber resiliency is like seeing a city on a map—you know where it is, but the important question is, how do you get there?

In particular, there are at least six key steps to cyber resiliency that can help your organization become more business resilient:

  1. Plan Create an incident response team and response plan. Test your security and practice what to do in the event of a security incident.
  2. Protect Put cybersecurity tools in place, such as EDR, SIEM and firewalls to create a defense system that can withstand most cyber threats your organization may face.
  3. Defend With an active cybersecurity framework established, your security tools can defend your business against most security threats and disruptive events and allow you to keep operating during an incident.
  4. Restore Have a plan and safety measures in place to restore your critical and non-critical business systems from onsite, offsite or cloud-based data backups.
  5. Observe and Analyze Implement software tools that report, log and repel cyber threats in real time. These tools rely on machine learning, artificial intelligence and automated threat hunting and can learn and adapt to prevent future cyber threats.
  6. Adapt Always assess your threat-readiness and cybersecurity protection to maintain normal operations now and in the future.

Cyber resiliency takes work but is essential for business survival in the information age. It’s also important to know that it’s OK to ask for help from healthcare attorneys, information technology and cybersecurity professionals and others. Based upon our recent experience, one of the most important things you can do today is to educate yourself and your workforce to appropriately respond to phishing attacks.

Safeguard #2: Know How to Respond in the Event of a Phishing Attack

Phishing is an online scam where cybercriminals send messages that appear legitimate to get the recipient to click a link and enter confidential information. Once a phishing link is clicked, the criminals can steal personal information, gain access to a computer network or download malware.

Phishing is a serious cybersecurity issue; 65 percent of U.S. organizations experienced a successful phishing attack last year and only 49 percent of U.S. workers can answer the question, “What is phishing?” correctly (ProofPoint, 2020). Phishing is going mobile—87 percent of phishing attacks on mobile devices use social media apps, games and messaging as the attack method of choice (Wandera, 2020).

As the awareness of phishing increases and its effectiveness decreases, hackers have developed increasingly sophisticated and personalized phishing attacks.

This guide to phishing is meant to illustrate the many ways cyber criminals attempt to access your information so that you and your business can remain cyber-safe.

Spear Phishing

Spear phishing is a targeted attempt to steal information from a specific person. Spear phishing uses information specific to the target to appear legitimate, often gathered from social media or “About Us” sections of company websites.

Real World Example: An email is sent to the parent of a youth soccer team’s player from a cyber criminal posing as the coach of the soccer team. The email is personalized and advises that the soccer game had been cancelled and the recipient should view the attached file for the updated schedule. BOOM.

Whaling

In a whaling phishing attempt, the unknowing target is typically a member of a business’s senior leadership team. Whaling emails use spoofed “from:” fields to trick other employees of the company into sending sensitive data.

Real World Example: An email is sent to the HR department of a large technology company that appears to come from the company CEO asking for salary information, social security numbers and home addresses of dozens of employees. The HR team, believing the email was legitimate, proceeded to unknowingly send the required confidential information to the cyber criminal. BOOM.

Vishing

Phishing attempts that happen on the phone are known as vishing attacks. The scam attempts to create a sense of urgency and panic, making the victim want to act quickly and without thinking. Vishing attacks use spoofed caller ID numbers to add to the believability of the scam.

Real World Example: A call appears to come from a local bank. The caller says they have noticed fraudulent activity on the potential victim’s account and need to verify account information to prevent further fraud. The criminal will ask for account numbers and passwords to “verify” the account. Never provide this info. Call your bank to verify.

Smishing

Smishing uses SMS text messages to target victims.

Real World Example: A text appears to come from a parcel delivery company with a tracking number and a link to “choose delivery preferences.” Clicking the link takes the user to a fake Amazon site which asks for a username and password to claim a free gift card “reward” for taking a customer satisfaction survey.

Zombie Phishing

Zombie phishing is when a hacker gains access to a legitimate email account, resurrects an old email conversation, and adds a phishing link.

Real World Example: A months-old email thread between two company employees appears in the victim’s inbox, with a message like “Message truncated, click to view entire message.” The link takes the user to a fake company webmail portal and when the user logs in, the cyber criminal has gained network access.

Evil Twin

Evil twin phishing uses a rogue wireless access point that looks like a legitimate one. Once an unsuspecting user connects to the evil twin wi-fi, the criminal can gather personal or business information without the user’s knowledge.

Real World Example: A victim sets up his laptop in a coffee shop and logs into the “Starbuck5” wi-fi, not noticing that the business name was misspelled.

Search Phishing

Search phishing uses legitimate keywords in search engines to offer unbelievable sales or discounts on popular products. This scam uses fake webpages as the phishing link.

Real World Example: A search for a popular portable music player returns a link to an incredible sale on the product. When the link is clicked, the victim is taken to a fake web site that asks for a credit card or bank account to create an account. A different version of this scam creates a fake warning in your web browser saying your computer has been infected with malware, with a link to download software to “fix” it, or to download an updated version of your web browser.

Angler Phishing

Social media offers cyber criminals a whole new way to exploit people with angler phishing, which uses social media posts linking to cloned websites that look legitimate, as well as malicious links in tweets and instant messages.

Real World Example: A bank customer tweets about the bank’s lackluster service. A fake bank customer service account DMs the customer and offers immediate assistance; all the user must do is click the enclosed link, which downloads malware, or asks for personal bank account information.

Tiny URL

While not a phishing attack per se, another way to hide phishing links is by using a link shortening tool, like bitly or ow.ly.

Misspelled URL

Cyber criminals also buy domains that sound or look like popular websites, hoping you click the link, not noticing the misspelling or wrong URL. One of the best examples is hackers using the domain arnazon.com, which looks very much like amazon.com because, when placed together, rn looks very much like m.

The Bottom Line

Why is the awareness of phishing tactics important? Phishing attacks account for more than 80 percent of reported cybersecurity incidents (Verizon, 2019) and attackers use phishing as an entry point for almost one-third of all cyberattacks (IBM, 2019). Knowing the various ways cyber criminals attempt to gain access to your account logins and passwords, download malicious software to your computers and network devices, and ultimately separate you (or your business) from your hard-earned money, can help keep you cyber secure, and the online world a safer place.

Phishing Tips to Keep You Safe

Think, don’t click! Slow down and really examine a suspicious email or text. Here are some red flags to look for:

  • Bad Spelling. If there are obvious spelling mistakes or grammar errors, delete the message.
  • Hover Over It! Even though a link may appear to be real, hover over it to reveal the link’s actual destination.
  • Greetings! If the salutation is “valued customer” or “Hello, friend!” and not your name, chances are good it is a phishing attempt.
  • Request for Information. Your bank already has your information, so there is no need for them to ask you for it.
  • Threats. “Your account has been suspended” or “payment required” are red flags.
  • Attachments. Never open an attachment from someone you don’t know, or that you aren’t expecting.
  • Email Address. If the email address is from an email service and not a legitimate business email address, take no action.
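The “hover over it” check, the shortened-link warning and the arnazon.com lookalike described above can be automated for a mail-filtering or awareness tool. The following is an added example, not code from the article or from either author’s firm; the sample message, the protected-domain list and the homoglyph table are constructed for illustration, and the registrable-domain guess (last two host labels) is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first link shows a real Amazon URL as its visible
# text but points at a lookalike domain; the second hides its target behind bit.ly.
SAMPLE_HTML = ('<p>Track your order at <a href="http://arnazon.com/track/123">'
               'https://www.amazon.com/orders</a> or <a href="https://bit.ly/3xyzabc">'
               'choose delivery preferences</a>.</p>')
PROTECTED_DOMAINS = {"amazon.com"}                         # brands or your own domains
SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com", "t.co"}   # hide the true destination
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # "rn" reads as "m"

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where the link goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(url):
    """Registrable domain of a URL, crudely the last two host labels (demo simplification)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def fold_lookalikes(domain):
    """Replace sequences that read alike in many fonts so arnazon.com folds to amazon.com."""
    for lookalike, real in HOMOGLYPH_PAIRS:
        domain = domain.replace(lookalike, real)
    return domain

def classify_link(text, href):
    """Return the red flags for one anchor; [] means nothing suspicious was found."""
    flags, real = [], registrable(href)
    if real in SHORTENERS:
        flags.append("shortened URL hides destination")
    # The "hover over it" check: visible text that is itself a URL to a different host.
    if ("://" in text or text.startswith("www.")) and registrable(text) != real:
        flags.append("visible URL does not match real destination")
    for brand in PROTECTED_DOMAINS:
        if real != brand and fold_lookalikes(real) == fold_lookalikes(brand):
            flags.append(f"lookalike of {brand}")
    return flags

def scan_html(html):
    # Map every href in a message body to its list of red flags.
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(text, href) for text, href in parser.links}
```

A link that comes back with an empty list passed these three checks only; the other red flags in the list above (salutation, threats, attachments) still need a human reader.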

Feel free to use and distribute the accompanying infographic, “Let’s Go Phishing! A Guide to Phishing Attacks” to raise awareness of phishing with your coworkers, colleagues, friends or family.

As cyberattacks and successful breaches, particularly via ransomware, continue to increase, it’s no longer a question of “if” an organization will be a victim, but “when.” And it is important to note that organizations can be sued for data breaches. There are cases that seem to offer a legal precedent for individuals to sue businesses that have not put the proper security protections in place to prevent data containing personal information from being accessed.

A cyberattack or data breach can be devastating. Not only does the breached organization suffer the cost of remediating the damage done by the attack and perhaps paying a ransom to recover stolen data, but being temporarily inoperable can cause lost sales, in addition to the incalculable reputational damage the organization will experience. The latest estimate of downtime to a business because of a cyberattack is 21 days.

Add to that a potential one-two punch of lawsuits and regulatory sanctions targeting the breached organization, and it adds up to a profoundly negative impact on its long-term viability.

Responsible organizations that maintain personal information commit themselves to protect their network systems through dedicated or outsourced cybersecurity teams, robust security tools and continuous staff training. But breaches will happen, no matter how diligent an organization is with its cybersecurity.

Safeguard #3: Take Advantage of State Level Safe Harbors

To incentivize organizations to be proactive with their cybersecurity, several states have introduced data breach litigation “safe harbor” laws that provide an affirmative defense to liability caused by data breaches. To be eligible for safe harbor protection, an organization must protect its data by implementing and maintaining cybersecurity programs that meet industry-recognized standards and be able to show reasonable compliance with them at the time of the breach.

Which cybersecurity frameworks are typically recognized for meeting safe harbor requirements?

Standards that are acceptable include:

Businesses already regulated by the following frameworks must reasonably conform to them and do not need to add the additional burden of complying with another standard:

Exactly what does “reasonably conform” mean?

The definition of “reasonably conform” is partially satisfied by adhering to the above-mentioned industry-recognized security frameworks but also takes into account: 1) the size and complexity of the organization; 2) the nature and scope of its activities; 3) the sensitivity of protected information; and 4) the cost and availability of tools to improve data security and reduce vulnerabilities.

Is cybersecurity safe harbor absolute?

No. If an organization was aware of a threat or vulnerability and did not act in a reasonable time to fix the issue and it resulted in a data breach, safe harbor cannot be used as a defense.

Safe harbor is a legal remedy for cyber-responsible organizations that provides them an affirmative defense to liability caused by data breaches if they implement and maintain a cybersecurity program that meets an industry-recognized standard and can show compliance at the time of the attack.

No one wants to spend significant money, time and resources on defending against a cyberattack. However, the reality of today’s world requires that such measures be part of an organization’s overall business plan. Such attacks will happen, and their consequences can be catastrophic. Implementing an adequate defense, through appropriate infrastructure and protocols, is no longer an option. It is an overriding priority.


Kathryn (Kate) Hickner, Esq. is an attorney at Brennan, Manna & Diamond, LLC, Cleveland, where she is a Partner in the firm’s national health law practice. Additional information regarding Kate’s background and experience can be found at https://www.bmdllc.com/team/kathryn-e-hickner/. Kate can be reached at kehickner@bmdllc.com and 216.417.0844.

Chuck Mackey is a Security Principal responsible for helping client organizations assess, develop, and implement effective Cybersecurity and Risk Management programs. This includes performing risk mitigation assessments, developing cybersecurity roadmaps, developing policies, and aiding organizations in the implementation of strong Governance, Risk, and Compliance (GRC) programs. Additionally, Chuck works directly with clients to develop, assess, and implement Business Continuity Management and Disaster Recovery programs. He brings multiple decades of experience in IT and IT Security working in a variety of industry verticals, including non-profit, healthcare, financial services, and manufacturing. Chuck has also held senior roles in IT, IT Security, and Data Protection. He can be reached at cmackey@FortressSRM.com.