Ten percent of health systems said they did not have rudimentary security controls like antivirus protection and firewalls, in HIMSS 2020 cybersecurity survey. With growing concern for cyberattacks, Ryan Witt, Managing Director and Resident CISO at Proofpoint, and Julie Hubbard, VP of Enterprise, IT, and Information Security at AMN Healthcare, addressed supply chain cybersecurity risks and Proofpoint's solution against phishing threats.
Conversations have sparked following cyberattack incidents at several health systems and new rules from the Biden Administration.
"I'm now seeing a change where people are starting to talk about security and patient safety in the same conversation... And they're now realizing they have to go hand in glove," she said.
Witt explained that healthcare has been under attack for years; while he wishes these latest breaches were the inflection point to spark change, he knows action could have started with the WannaCry ransomware attacks in 2017.
"I hope healthcare learns from it. I suspect maybe we have to go through this cycle a couple more times before we truly get it," he said.
With 53.7% of malicious URLs originating from legitimate file shares, attackers must infiltrate organizations and become increasingly sophisticated.
Attackers focus on security knowledge to determine vulnerabilities in network design or un-deployed patches, Witt explained. Additionally, there is an altered approach to phishing attacks that is fixated on social engineering. Those behind cyberattacks are willing to take their time; after breaking into file shares, they observe and navigate the network secretly to distinguish the best ways to attack.
Bad actors can be in networks an estimated six months before discovery, potentially even impersonating supply chain vendors to develop a connection. Then, when the time is right they will send a phishing email from a seemingly legitimate source.
"They're hanging out on one of your fellow chairs for six months. They are observing your activity. They're reserving your organization before they decide they want to strike," Witt said.
Supply chains are increasingly a target for cyberattacks and hackers because they present a higher financial incentive, according to Hubbard. By compromising one vendor, phishing attacks can be sent to unlock information of other systems. Additionally, supplier risk management is often a neglected area--something she has discovered through AMN Healthcare questionnaires from partnering companies.
According to Witt, another factor is that phishing attacks by nature are reliant on unsuspecting e-mails. For example, if an email comes from within the organization and penetrates a business associate, they can pretend to have a business relationship with others.
"That's all they need. As the old saying goes, they just need to be right one time. The defender has to be right every single time. Where that guard goes down, they have an ability to attack more aggressively," he said.
For successful phishing, hackers often befriend victims over time to build relationships. By the time they make their move, the request can seem natural.
"By the time that sort of email or request comes through, it appears to be natural because you think the person you're talking to works with the supplier you're working with. It appears to be a very natural sort of requested conversation. So in many cases, you just don't think anything of it, and you just do it," he explained.
According to Witt, as long as hackers have credentials, they can read emails. Thus, within the estimated six months of hidden activity, attackers hold a valuable foothold within an organization
"If somebody is in your network undetected for six months, this is essentially the equivalency of them living in the closet of your spare bedroom for six months and observing your family... You could imagine the impact that would be on your household. There's a similar impact happening to your institution," he said.
According to Witt, Proofpoint starts at the email gateway. Most attacks come from emails or other messaging channels, and a sophisticated gateway can block 90% to 95% of suspicious messages from users. Another critical security component is introducing DMARC capabilities for authentication for fraud defense.
Isolation is a valuable piece of technology to keep interactions in bigger supply chains within a containerized environment. According to Witt, this minimizes risks related to downloading documents, clicking on links, and using third-party cloud applications.
"Technology is an important part of the component. Training's also important, but you can't train your way out of this. I think your best sort of safeguard here is to make sure that as much of this traffic does not get through to users. So you're not forcing them to make a judgment call," he said.
While training is helpful, it won’t eliminate 100% of phishing attack success. According to Hubbard, Proofpoint helps their company by giving intelligence on how phishing attacks happen and who is targeted. This allows for customized training for high-risk individuals, increasing value and decreasing risks.
"Don't underestimate the power of what Proofpoint can bring to the table, which was very helpful to us about people that we would not have thought would have been targeted in our company. And they are, so now we're putting extra training in place to protect those individuals," she said.
According to Witt, there is strong insight and research into who is attacked on a personal and departmental level. By looking at departments, new controls can be put into place.
Last year, Proofpoint warned hospitals in the New York Metro about cyberattacks by the Hafez organization. With this information, they helped institutions put controls, training, and other procedures to mitigate attacks.
"We're not going to achieve the gold-standard cybersecurity for all parts of your organization. That's just not practical from a budget standpoint or from a resources standpoint. But if you can figure out what 10% of your organization is more vulnerable because of their job functions, then you can layer in extra controls and have a much more reasonable approach from a budgetary resources dashboard. I'm going to defend these particular places," he said.
The first step to building a foundation to protect against email attacks is starting with technology. According to Hubbard, Proofpoint gave a list of resources needed.
Another integral step is finding a partner to protect emails. AMN Healthcare worked with Proofpoint to slowly build their partnership.
"Now, it's actually easier for me [because] I have a lot of capabilities within one vendor," she explained.
With Proofpoint, they have a protected email gateway, insights on deflected attacks, built-in training, phishing campaign management, and other tools.
In five years from now, the best-case scenario is no longer having the same conversations. According to Witt, it is achievable and comes from investing in e-mail.
"It's not like other industries where we're waiting for roadmap developments to bring next-generation solutions to the marketplace. What healthcare needs to acquire is readily available today," he said.
According to Hubbard, a challenge of this process will be defending this front.
"There's going to be a new avenue; that’s going to be a new foothold. And the challenge of sitting in this chair is that they're not just coming at you from one angle. And even though that's the number one angle, you've got to keep your eyes on the ball," she said.