OCR 'Cyber-Awareness' Effort: Will It Have an Impact?Experts Question Whether Initial Advice Targets the Most Pressing Threats
Federal regulators have kicked off a new "cyber-awareness initiative" by offering advice on how healthcare providers and their business associates can avoid becoming victims of ransomware attacks and phony tech support scams. In the months to come, the Department of Health and Human Services' Office for Civil Rights will offer additional advice on other cyberthreats and vulnerabilities that put patient data at great risk.
Some security experts say that although the new OCR initiative is a good step toward helping organizations address threats to patient data, providing advice on dealing with all phishing schemes should be the No. 1 priority because so many breaches have their origins in phishing.
"I would have preferred if they had focused more on overall phishing attacks instead of ransomware," says Phil Curran, CISO and privacy officer at New Jersey healthcare system Cooper Health. "The data from multiple reports, such as Verizon DBIR, IBM X-Force, and the after-action reports of the majority of breaches, point to phishing as the primary vector for infiltrating a company."
Devising better mitigation strategies for phishing attacks could go a long way in preventing ransomware attacks and other security incidents, says Dan Berger, CEO of the security consulting firm Redspin. "Phishing attacks in general are on the rise in healthcare, whether the guise is tech support or some other fake identity," he says. "We hear about isolated cases of ransomware, but more often, phishing is use to steal user credentials and then go after protected heath information. That is the big payload."
OCR, in a Feb. 2 statement announcing the awareness initiative, says its new educational effort aims to spotlight top cyber threats facing the healthcare sector, security measures that can be taken to decrease the risk of being impacted by these threats and how to reduce breaches of electronic protected health information.
"OCR has launched [the new] initiative to help our regulated community become more knowledgeable about the various security threats and vulnerabilities that currently exist in the healthcare sector," an OCR spokeswoman tells Information Security Media Group. "Ransomware and tech support scams are a good place to start, as these threats have been identified by [HHS]."
Every month, she says, HHS plans to "provide information on other threats and vulnerabilities identified by [HHS] as part of this initiative, discuss security measures that can be taken to decrease the possibility of being exposed by these threats and highlight best practices for reducing the risk of breaches of ePHI."
Security experts say better vigilance by covered entities and business associates in the battle against cyberthreats is essential. "Any effort to better inform covered entities and business associates about possible types of cyber threats and attack vectors is helpful," Redspin's Berger says.
"Both ransomware and tech support scams generally rely on some form of false pretense to gain a person's trust and then convince them to do something they shouldn't - [such as] click, download, enter data," he says. "These are tough to defend against, particularly as these schemes are getting more and more sophisticated."
The FBI says ransomware attacks, which can, for example, involve encrypting data and demanding a ransom to unlock it, have recently increased significantly, OCR notes. "Cybercriminals charge from hundreds to thousands of dollars to unlock the data, and have been collecting ransom payments using digital payments systems such as ... bitcoin," OCR says.
Cybersecurity researcher Billy Rios warns of the potential risks that ransomware and other malware can pose to the security and safety of medical devices.
"One thing that is dangerous is the folks that are using malware to get access to data ... are probably not in a position to determine whether or not the device could cause patient safety issues," he said in a recent interview with ISMG. "They just want a foothold into someone's network, and access to someone's data."
Tech Support Scams
In addition to warning about ransomware risks, OCR also used the kickoff of its cyber-awareness initiative to alert organizations about tech support scams, which cybercriminals sometimes use to trick users into falling for ransomware schemes.
"This scam involves a criminal posing as a computer support technician who makes an unsolicited call to trick a potential victim into believing his/her computer is infected with malware," OCR says. "A victim is then persuaded to visit websites to download malicious software that gives the criminal the capability to remotely access and control the victim's machine. Once the criminal has gained the victim's trust, the criminal charges hundreds of dollars for 'phony' assistance with malicious software removal or for the purchase of fraudulent support plans or software."
As part of its new awareness campaign, OCR offered advice for dealing with ransomware and tech support scams.
To mitigate the risks of ransomware attacks, OCR advises:
- Backing up data onto segmented networks or external devices and making sure backups are current;
- Ensuring software patches and anti-malware applications are current and updated;
- Installing pop-up blockers and ad-blocking software;
- Implementing browser filters and smart email practices.
To combat the threat of tech support scams, OCR advises training staff to:
- Never allow a third party to remotely access a computer if the caller's authenticity cannot be verified;
- Avoid downloading any unknown software;
- Record suspicious callers' information and report it to the organization's IT leaders and law enforcement.
"For those who suspect they are a victim of a tech support scam, immediately change passwords for all accounts, including email passwords and online banking accounts, and conduct a scan for malware," OCR advises. "In some cases, re-imaging the system would be the best option, to be sure that all malware has been removed."
Curran, CISO at Cooper Health, stresses it's important for organizations to educate employees on how to recognize fraudsters' emails and calls.
"When your employees can recognize an email or a phone call as being phony, that eliminates a primary source vector," he says. "Further, if you have a reporting mechanism where employees can report these incidents, you can respond to the event to mitigate a potential incident. You can, for example, add domains to a blacklist to prevent emails from coming in, you can start a scan of your email server to pull any instances of the email, you can send out warning notifications to employees, etc."
For additional resources related to ransomware remediation, OCR recommends organizations turn to the The Department of Homeland Security.
OCR also recommends the use of a new "scam tracker" website from the Better Business Bureau to report scams as well as track scams that have been reported in their area.