Cybersecurity training for the healthcare industry



Overview

In 2020, hospitals, healthcare providers and medical facilities were struggling to handle not only the influx of patients suffering from Covid-19, but also a surge of ransomware attacks, as criminals (including state-sponsored groups) exploited the crisis to hit the sector.

Month after month, successful cyberattacks on the healthcare industry keep piling up. Breaches that expose the sensitive data of thousands of people are especially serious, as the privacy rules have turned such incidents into a nightmare for healthcare providers.

Social engineering, malware attacks, computer theft, unauthorized access to sensitive information (medical history, treatment of patients, etc.) and ransomware are only some of the challenges. WannaCry ransomware, for example, crippled parts of the U.K.’s National Health Service for many days.

After a successful attack, the damage to the healthcare provider’s brand reputation is considerable.

Healthcare providers must have sufficient defense mechanisms in place, and must be able to provide evidence of this. Cybersecurity awareness and training for healthcare practitioners, doctors and personnel is an important step, as even the best systems cannot protect the industry if the persons with authorized access do not understand the risks and the modus operandi of the attackers.

Cybersecurity was not historically a major component of healthcare management. Month after month the industry is evolving into an increasingly digital environment, and in today’s threat landscape healthcare organizations have cybersecurity professionals on staff, establish security policies and procedures, follow corporate governance best practices, ensure C-suite support and board involvement in understanding risks and countermeasures, and train all persons who have access to sensitive data.

A very significant priority is to ensure that each user who has access to sensitive data is well trained and able to use the data efficiently for the appropriate purpose. Cybersecurity leads to inconvenience by design. Only when users understand the risks and the need for countermeasures will they stop cutting corners and follow the policies and procedures.

We always tailor our training programs to meet specific requirements. You may contact us to discuss your needs.


Target Audience

The program is beneficial to all persons working in the healthcare industry (medical care, administration, research, sales, and consulting). It has been designed for doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.


Duration

One hour to one day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.


Modules of the tailor-made training

Introduction.

- Important developments in the healthcare industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

An overview of those attacks listed below that fit the objectives of the training. At the end of the presentation we will cover one or more of them in depth.

- March 2016, 21st Century Oncology reveals that 2.2 million patients’ personal information may have been stolen, including patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

- September 2020, a ransomware attack on Universal Health Systems caused affected hospitals to revert to manual backups, divert ambulances, and reschedule surgeries.

- May 2022, hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island, affecting health services.

- January 2022, a hacking group breached several German pharma and tech firms. According to the German government, it was primarily an attempt to steal intellectual property.

- January 2022, hackers breached systems belonging to the International Committee of the Red Cross, gaining access to data on more than 500,000 people and disrupting their services around the world.

- March 2021, intelligence services targeted the European Medicines Agency, stealing documents relating to COVID-19 vaccines and medicines.

- December 2020, hackers accessed data related to the COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for COVID-19.

- November 2020, hackers targeted COVID-19 vaccine developer AstraZeneca by posing as recruiters and sending the company’s employees fake job offers that included malware.

- May 2018, attackers used Facebook Messenger to distribute spyware to targets in the Middle East, Afghanistan, and India in an attempt to compromise government officials, medical professionals, and others.

- April 2019, pharmaceutical company Bayer announced it had prevented an attack targeting sensitive intellectual property.

- How could all these attacks succeed? Can we prevent challenges like the above?


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the healthcare industry.

- Professional criminals and information warriors.

- Cyber attacks against doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 – Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: What is the risk for the healthcare industry?


What do we need? How can it be exploited?

- a. Speed and convenience.

It is difficult to balance speed, convenience, and security.

- b. Effective and efficient web site, medical computers and systems, mobile tracking, and monitoring of health devices.

Examples of challenges and risks.

- c. Great customer service.

Example - how it can be exploited.

- d. A nice facility and great housekeeping.

Example - “The cleaning staff’s hack”.

- e. Food, drinks, and entertainment.

Point-of-sale (POS) fraud and challenges.

Credit card cloning.

- f. Internet access.

Honeypots, rogue access points, man-in-the-middle attacks.

- g. Security.

Unauthorized access is a major problem, and social engineering is a great tool for attackers.

- h. Privacy.

The healthcare industry is considered one of the most vulnerable to data threats.

- i. Money (if they can sue the health provider for negligence).


What must be protected?

- Best practices for managers, employees, doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.


Malware.

- Trojan Horses and free programs, games, and utilities.

- Ransomware.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques.

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices.

- Untrusted storage devices.


Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- March 2016, 21st Century Oncology attack.

- September 2020, Universal Health Systems attack.

- May 2022, Greenland’s healthcare system attack.

- January 2022, German pharma and tech firms attack.

- January 2022, International Committee of the Red Cross attack.

- March 2021, European Medicines Agency.

- December 2020, attack on the European Medicines Agency exposing data on the COVID-19 vaccine being developed by Pfizer.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for COVID-19.

- November 2020, hackers targeted AstraZeneca by posing as recruiters.

- May 2018, Facebook Messenger used to distribute spyware to medical professionals.

- April 2019, Bayer announced it had prevented an attack targeting sensitive intellectual property.

- What has happened? Why has it happened? Which were the consequences? How could it be avoided? What can we learn from that?


Closing remarks and questions.


For more information, you may contact us.


Terms and conditions

You may visit: https://www.cyber-risk-gmbh.com/Terms.html










Which is the next step?

1. You contact us.

2. We discuss.

3. Our proposal.

4. Changes and approval.

5. We deliver.







Cyber Risk GmbH, Cyber Risk Awareness and Training