If a hacker asked you for permission to walk into your healthcare organization and steal all of the sensitive data stored on your systems, you wouldn’t open your doors and let him walk right in. However, the troubling reality is that this is exactly how most security threats enter the private servers of organizations, including healthcare organizations.
Many kinds of malware leverage social engineering to manipulate people into unknowingly granting malicious software access to their data. Like the Trojan horse of ancient Greek legend, the Zeus malware, released ten years ago, spread primarily through phishing scams and accidental or unconscious downloads (drive-by downloads), in which a person clicks a malicious link and unwittingly lets the malware into their system. Zeus has become one of the most prolific pieces of malicious software in the world. On its own, Zeus has afflicted millions of machines, and it has also spawned numerous similar pieces of malware built from its code.
Zeus works by creating a botnet – a network of compromised machines controlled by the malware’s owner – which allows it to collect massive amounts of information and execute large-scale attacks from within an organization’s systems. Zeus also targets financial accounts by stealing banking credentials from the machines it infects through a process called keylogging. Keylogging is a technique in which the malware detects that a user is on a banking website, or any site where payment information is entered, and records the keystrokes used to log in. Keylogging enables the Zeus Trojan to get around the website’s security by recording the login information before it is encrypted in transit.
While Zeus first emerged ten years ago, it is still a serious security issue today. Earlier this month, a new variant of Zeus was discovered that is custom-made to collect credit card information from point-of-sale terminals. So, if you’re a healthcare organization that accepts credit card payments at the point of sale, you could be at risk.
How do you defend against a Trojan horse like the Zeus malware? The city of Troy didn’t fare too well in the ancient Greek story because its people were unsuspecting and unprepared. Instead, make sure your healthcare organization is prepared and on guard, and assemble your own Greek army of security precautions and controls to fend off Trojan horse threats.
Give Your Staff Knowledge like Athena
As the goddess of wisdom, Athena advised Greek heroes with her knowledge and calm temperament. Give your staff the power to protect against security risks by offering consistent education and training. Make sure everyone in your organization understands the dangers of social engineering and phishing scams. While some may be easy to detect (e.g., a Nigerian prince offering to give you his inheritance), more sophisticated scams (e.g., a request from your IT department for your username and password) are harder to identify. Train staff to be on the lookout for anything that seems suspicious – even the best-engineered scams often have a giveaway. Remind them that it’s better to be safe than sorry, and that reporting something suspicious that turns out to be benign is okay. It is much like going to the dermatologist about a suspicious-looking mole: usually the mole is benign, but you’re still glad you checked, because if it had turned out to be serious, catching it early would have mattered.
Use the Best Tools Like Hephaestus
Hephaestus carefully crafted all of the weapons for the gods of Olympus. Make sure your organization is leveraging the best tools and innovations to protect your systems from security threats. There are many tools available to help organizations monitor email and filter out phishing scams. Select a good spam and malware detection tool and integrate it into your email system. Look into options like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Host Intrusion Prevention Systems (HIPS), which can detect and prevent malicious activity. You should also make sure every device is equipped with anti-malware/anti-virus software, and inform staff that they should always install new updates for their software to ensure the highest level of protection.
Secure the Transportation of Sensitive Data Like Hermes
The god of transitions and boundaries, Hermes protected and guided the Greek army during the Trojan War. For the protection of payment data flowing across your systems, it’s crucial to ensure that sensitive data can travel from point to point securely. Storing and exposing credit card information anywhere on your network will be the Achilles’ heel of your security program. Instead, encrypt cardholder data so it never touches your network unencrypted. For point-of-sale payments, leverage point-to-point encryption (P2PE) payment devices that encrypt data immediately so even malicious tactics like keylogging are ineffective. For online payments, use Secure Token to ensure sensitive payment data never touches your servers.
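One way to verify the point above, that cardholder data never sits unencrypted on your network, is to scan logs, exports and databases for anything that looks like a card number and passes the Luhn checksum. The following scanner is an added example, not code from the original post or its author; the record lines are constructed, and 4111111111111111 is a widely published test card number.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, as a PCI-style masked PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in a line of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_records(records) -> dict:
    """Map record index -> masked PANs, for every record that leaks cleartext card data."""
    findings = {}
    for i, rec in enumerate(records):
        hits = find_pans(rec)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample records, modelled on what a receipt log might contain.
SAMPLE_RECORDS = [
    "2019-05-03 receipt patient=1042 pan=4111 1111 1111 1111 amount=125.00",      # cleartext PAN
    "2019-05-03 receipt patient=1043 token=tok_9f3a1c7e last4=1111 amount=40.00",  # tokenized: fine
    "2019-05-03 invoice id=1234567890123456 status=posted",                        # 16 digits, fails Luhn
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))  # → {0: ['411111******1111']}
```

Only the first record is flagged: the tokenized payment carries no PAN, and the 16-digit invoice id fails the Luhn check, so a hit in this scan is a strong indicator of card data in scope.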
Bring Healthcare and Payment Together Like Hera
The goddess of marriage would think that bringing payment and healthcare data together on one platform is a great way to ensure higher levels of protection for your organization. A major problem healthcare organizations face is the number of different, often disconnected systems needed to collect, transfer, post and reconcile healthcare and payment information. The more systems you have running in your organization, the more vulnerability points you create. By combining healthcare and payment onto one platform, you can significantly reduce your risk of a breach, as well as reduce your PCI scope and compliance efforts.