The profile of the cybercriminal is changing, and Hollywood is keeping up. If you watch the show Mr. Robot on USA Network, you see a group of hackers who call themselves “hacktivists” and set out to take down a large corporation through hacking. Their motivations are less about stealing money and information and more about bringing about the demise of a corporation they see as corrupt.
We know that criminal cyberattacks are on the rise across industries, but especially in healthcare. Healthcare is an attractive target for “traditional” criminal cyberattacks because of the valuable information healthcare organizations store. However, as ransomware and malware attacks are driven by new motivations, like we see happening in Mr. Robot, how must healthcare organizations adjust to protect themselves against evolving cybersecurity threats?
Healthcare organizations could benefit from updating their risk assessments to account for these evolving hacker groups and motivations. To better understand these kinds of attacks, let’s rewind two years and take a look at the well-known hack of a major entertainment company, Sony Pictures.
Overview of the Sony Hack
In November 2014, a group identified as the “Guardians of Peace” leaked confidential information it had stolen from Sony Pictures Entertainment. The leak included personal information about Sony employees, internal emails and even movies that had not yet been released to the public. Federal investigators concluded that the Guardians of Peace were sponsored by North Korea, allegedly in retaliation for the not-yet-released Sony comedy, The Interview. North Korea has never claimed responsibility for the attack.
The hack was conducted using malware, but the exact attack path has never been made public. The Guardians of Peace claimed they had access to Sony’s internal systems for at least a year before the leak, and U.S. investigators said the attackers spent at least two months copying critical files. That dwell time is the detail to remember: months of undetected access and data copying meant the damage was done long before the malware made itself known.
The Rise of a New Kind of Criminal Attack
The idea that North Korea sponsored the Sony hack because of The Interview is supported by the number of threats the Guardians of Peace made surrounding the film, specifically to movie theaters that planned to show it. Because of the threats, many movie theater chains announced they would not screen The Interview, and eventually Sony pulled the national release of the film. Sony eventually decided to release the film digitally and also allowed select independent theaters to screen the film.
What’s the Real Damage?
The Interview went on to be Sony’s most successful digital release, grossing $40 million in digital rentals. Sony suffered some reputational damage from information revealed in the leaked emails, and some high-ranking Sony officials were asked to step down because of that content, but the hack has not resulted in irreparable damage for the company. The real victims of the hack are the individual employees who suffered the consequences of having their most personal information stolen – and Sony has a lot of employees. As an example, a reported 47,000 unique Social Security numbers were stolen.
Why Does This Matter to Healthcare?
Criminal cyberattacks in healthcare are on the rise. According to the Ponemon Institute, criminal cyberattacks are now the leading cause of security breaches in healthcare. What we can learn from Sony is that the nature of these criminal attacks is evolving. As a result, healthcare organizations need to continue to evolve the way they protect themselves, their employees and their patients.
Hopefully your organization will never be the target of a cyberattack sponsored by a nation-state, but here are a few tips to help protect yourself from an attack of any size and motivation.
Movie Releases are Fun! Releases of Your Most Sensitive Data are Not
The Sony hack revealed a lot of sensitive and private information that the company would have preferred to keep quiet, not to mention those 47,000 SSNs. The best way to minimize the fallout from a data breach is to understand what data you have saved on your networks. Keep the data you need and get rid of the data you don’t (but make sure you know how to properly dispose of it first). Data you no longer hold cannot be stolen or leaked.
To determine which data you need to keep and which you can discard, make sure your organization follows a data retention policy. A data retention policy documents how long data can and must be kept, and accounts for the different retention periods that apply to different types of data. If your organization doesn’t have a data retention policy, establish one. It takes time and effort to get a policy established, but it is more than worth it. This article nicely summarizes the considerations you will need to make when writing your own data retention policy. Also review the applicable federal and state requirements for properly retaining and disposing of data before you set your retention periods.
For the data you do need to keep, isolate it with tight controls. For example, if your organization stores cardholder data for payment plans or automatic payments, encrypt it so that it stays protected even if an attacker reaches the database. Encrypt your backups too: an unencrypted backup tape or offsite copy is the same sensitive data with fewer controls around it. Keep in mind that encryption only helps if the keys are stored and managed separately from the data; an attacker who walks away with both has everything.
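As an added illustration of the point above (this is example code written for this column, not anything from Sony or from any particular backup product), the following Go program encrypts a backup file with AES-256-GCM, an authenticated cipher, so that a copied backup reveals nothing and any tampering with it is detected on restore. The function names, the backup label and the sample CSV record are all invented for the example; the key is generated in place here, but in a real deployment it would come from a key management service kept apart from the backup storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

const keySize = 32 // AES-256

// NewKey generates a random 32-byte AES-256 key. In practice this key lives in a
// key management service or HSM, never next to the backups it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte authentication tag.
// label (for example the backup set name) is bound as additional authenticated
// data, so a blob cannot be decrypted under a different label.
func EncryptBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptBackup reverses EncryptBackup. A modified blob, a wrong key or a wrong
// label makes Open fail, and no plaintext is returned.
func DecryptBackup(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted backup is truncated")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a tiny billing export containing the kind of field that leaked at Sony.
	backup := []byte("patient_id,name,ssn\n1001,Jane Doe,123-45-6789\n")
	label := []byte("billing-export-2016-Q1") // hypothetical backup set name

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, backup, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in stored blob:", strings.Contains(string(blob), "123-45-6789"))

	// Flip one byte of the stored blob, as a disk error or an attacker would.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptBackup(key, blob, label)
	fmt.Println("tampered blob rejected:", err != nil)
	blob[len(blob)-1] ^= 0x01

	plain, err := DecryptBackup(key, blob, label)
	fmt.Println("restore succeeded:", err == nil && string(plain) == string(backup))
}
```

The label bound as additional authenticated data is a small design choice worth copying: it stops a restore from silently accepting a blob that belongs to a different backup set, which is the kind of mix-up that otherwise only shows up after the wrong data has been loaded.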
Conduct an “Interview” of Your Business Partners…and Their Business Partners
Think about your business partners. What businesses are they also involved in? Who else might they be supporting? With the Sony hack, the Guardians of Peace targeted a powerful, multinational company that has the ability to influence a large audience with the movies and messaging it produces. Do any of your business partners fit this description? How about your partners’ partners?
The profile of the cybercriminal has changed. It’s not just the solo hacker working alone. Hacker groups – like the Guardians of Peace – work together and often with a mission statement to take down organizations they disagree with. Even smaller organizations have the ability to upset hacker groups.
Know who you do business with. Ask your business partners for evidence of their security and compliance programs, such as audit reports or assessment results, rather than relying on assurances alone, and do it before you share data with them. With the number of criminal cyberattacks on the rise, it’s important to work with partners you can verify as well as trust.
Go Ahead, Splurge on That Large Popcorn
When it comes to security, it’s the extras that matter. You can further protect your organization by installing anti-malware software, which can stop infections from many common types of malware, though it won’t catch everything and should be treated as one layer among several. Keep your systems patched: apply vendor patches and updates promptly as they are released, not only after a breach, since most attacks exploit flaws for which a fix already exists.
Employee education is important, too. Offer training for your staff to make sure they understand the different risks facing your organization and their role in preventing security breaches. Education is important for all members of your organization, not just employees managing billing and payments. I think employee education can be your strongest weapon against security threats, which is why I’ve covered it in a previous Security Corner.
Finally, a proper incident response policy will help your staff know how to react in the event of a security emergency. You can find a checklist of the things your incident response policy needs here.
The high-profile nature and widespread media coverage of the Sony hack have made it one of the most infamous cyberattacks in recent history. However, just because your organization or your partners aren’t as large as Sony doesn’t mean you shouldn’t take the proper precautions to protect against security risks of all kinds.