[00:00:00] Christian Dameff, MD: Hi again, I'm Dr. Christian Dameff, Emergency Medicine Physician and Medical Director for Cybersecurity. In this episode, we'll be discussing how they do it. How it is that malicious hackers actually get into systems and do damage and what type of damage they cause, whether stealing information, disrupting operations, or corrupting data.
[00:00:27] This episode will help familiarize you with a range of techniques and motivations behind cyber threats, so you are better able to anticipate risky situations and prepare yourself and your organization to avoid them. First, how do malicious hackers break into systems? Often, it's as simple as asking nicely to be let in, and they find a willing individual who's happy to oblige.
[00:00:51] Let's talk about something called social engineering. Social engineering is the use of deception to manipulate well-meaning individuals into divulging confidential information, or that person's personal information, that may be used for fraudulent purposes. Examples of social engineering can be seen nearly every day. Sometimes it's a phone call, or a recording, or a live person pretends to be an IRS agent or a bill collector and tries to persuade you that you're in some type of financial trouble. Of course, they can make that trouble go away, as long as you pay them some money or give them valuable personal information like Social Security numbers.
[00:01:28] Online, the most popular type of social engineering is phishing, in which an attacker attempts to simply manipulate you via email. In a phishing attack, cyber criminals use susceptive emails to phish for information or access, often asking you to download a harmless looking attachment or click on an innocent appearing website. When you do, in a snap, dangerous software known as malware is downloaded, compromising not just your computer and the files on it, but potentially your whole organization.
[00:02:06] Other common phishing scams lure people into falling for traps that are designed to trick you into revealing financial information. Blogging credentials or other sensitive data. Phishing emails typically pressure you to act quickly, without thinking. They play upon your strong emotions, such as curiosity, fear, or greed. And they depend on us having lowered our guard and decreasing our vigilance. Sometimes we might inadvertently share our password with other employees who have access to our accounts. They're not authorized for that. That could sometimes be called an insider threat. And we need to recognize that employees in your organization can be the access point to cyber mischief, whether it's through unwitting error or malicious intent. Never share your password and report someone if you observe suspicious behavior around your IT assets.
[00:02:51] As you can see, the opportunities for scams and tricks are vast, and we're just getting started. Take social media. You may receive an invitation on LinkedIn to interview with a fake company that is really only after your personal information. Facebook has been used to send phishing messages via its messaging app.
[00:03:09] Have you heard of website spoofing? You get an email urging you to click on a link to a seemingly legitimate website to get more information. Then it asks you to fill out some type of online form, but it's a fake website that looks just like the real one. If you double check on the web address on the top, you will recognize if it's real or fake. Other times, you might type in your favorite shopping website, but your browser has been corrupted, and when you type in that web address, the browser redirects you to a fake website and it downloads malware onto your computer. One estimate suggests that 90% of breaches include some component of social engineering.
[00:03:46] So it's important to be aware of the various components to best protect yourself and your organization. So why are malicious hackers doing this? And what happens when they succeed with an attack? With most attacks against health care the motivation is money. You've already learned how ransomware is often easy money for criminals. They get into your network, encrypt all of it. Scramble it, if you will. All the data and systems that manage operations, scheduling, patient records, medical devices, and financial administrative programs. You will only get these systems back online, or at least that's what the hackers promise, if you pay a hefty ransom.
[00:04:27] Remember, in Episode 3, we talked about the debilitating impact such a ransomware attack can have on a health care system. In addition to cold, hard cash, Personal information and health data can be extremely valuable, sometimes worth 10 times more than credit card information. Identity theft is a continuous and growing problem, fueled by the ability of cybercriminals to extract social security numbers, credit card numbers, or even medical licensing information to social engineering attacks.
[00:04:57] Aside from tanking your credit and opening new accounts under your name, these ill-gotten gains may result in fraudulent health insurance claims, or the use of medical credentials to obtain illicit prescription drugs. Sometimes, criminals disrupt operations out of a grievance or political activism. They may delete data from your health system or deface an organization's website to disrupt operations and cause reputational harm.
[00:05:23] These bad actors may hijack thousands of unsuspecting personal computers with software viruses, turning these devices into zombie hordes that can simultaneously overwhelm websites or networks. In an onslaught called a denial of service attack. Some cyber criminals do not care that health care is a life and death operation. They're just interested in getting paid. This is why we have to take care of our patients through our actions. We must be careful all the time. We must learn good cybersecurity habits, then we can protect against malicious hackers. This way, you can continue focusing on the incredible work of saving lives.
[00:06:04] Coming up, we'll tell you what you need to know about medical device cybersecurity.
Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.