One of the most dangerous myths about malware is that hackers aren't targeting smaller healthcare entities, says security researcher Lysa Myers.
"It doesn't matter how small your clinic is, or how under-powered your machine is, or if you're doing good work taking care of people - attackers just see a potential payday," she says in an interview with Information Security Media Group. "A lot of the time, the way they identify vulnerable machines is an automated scan. It's a very impersonal thing."
Smaller healthcare organizations can be even more attractive targets than larger ones for attackers deploying malware for schemes involving identity theft and fraud, she contends. That's because having a steady stream of smaller batches of stolen personal information can actually be more lucrative than flooding the market with a large batch of data stolen from a bigger organization, she says.
To help in the battle against malware, it's critical that smaller organizations regularly monitor network traffic so that they can better spot anomalies that could indicate a malware attack, she notes. Also, two-factor authentication, network segregation and encryption can help limit the impact of a malware-fueled breach, especially if credentials are stolen, she says.
It's also vital to educate users about phishing to help prevent them from falling victim to malware scams, she says. That includes instructing users to notify the IT team about suspicious emails "so that they can catalog and keep a record about the kinds of attacks that are going on."
In the interview, Myers also discusses:
- Other tips for improving prevention, detection and mitigation of malware attacks;
- Advice for organizations running medical devices and other equipment with older operating systems that are no longer supported by vendors;
- The risk of a widespread disruption in healthcare caused by a malware attack, similar to the power outage in Ukraine (see "How to Block Ukraine Style Hacker Attacks").
As a researcher at ESET, a security software firm, Myers focuses on providing practical analysis and advice on security trends. She previously worked at anti-virus research labs finding and analyzing new malware, and in the third-party testing industry evaluating the effectiveness of security products.