Senior Care Leaders Should Be Aware of Common Vulnerabilities
In addition to phishing and stolen or compromised credentials, other notable causes of data breaches include misconfiguration, business email compromise, zero-day vulnerabilities, unpatched known vulnerabilities and malicious insiders. And while malicious insiders account for only a small percentage of attack vectors (7%, according to the IBM report), it is the costliest form of attack, with an average cost of $4.99 million.
Organizations are especially vulnerable when they don’t prioritize staff training, said Steven VanderVelde, director of senior living partnerships at ProviNET Solutions. He explained that many organizations simply give up when faced with artificial intelligence-powered social engineering campaigns. Others lack phishing awareness or incident reporting within their organization, which adds to a culture of vulnerability.
“The mindset of ‘it’s going to happen anyway’ or ‘it’s not my responsibility’ is something we see a lot,” he said.
Gleinig added that if staff aren’t aware of the types of threats they’re facing, then it will be hard for an organization to identify those threats and mitigate them.
AI-generated phishing emails remove the language barrier for bad actors and rapidly increase the speed at which they can draft and send phishing attempts. When an employee clicks the link in one of these emails, they may be taken to an AI-generated site that looks professional and legitimate. AI can also be used to generate deepfakes as part of a social engineering exploit to get people to send money or hand over credentials.
“AI technology is so accessible that you don’t have to be a computer whiz to use deepfake tools,” said VanderVelde. “It’s scary to think about how accessible this is.”
John DiMaggio, CEO at BlueOrange Compliance, a company that provides ethical hacking services, explained that most attacks are financially motivated, while others are focused on gaining access to sensitive information. Bad actors do this by getting an employee to give them their password, guessing a password, finding a password on the dark web, or taking advantage of system configuration settings. Hackers are also aware of which known vulnerabilities don’t yet have patches available and how to take advantage of those weak spots.
Once they are in a senior care organization’s network, they can gain domain admin — an automatically created security group in Active Directory that is like a master key to a house — and traverse the network to attain valuable data or to plant ransomware.
“One stat I’ve encountered in my career is 90%, which is the percentage of times that white-hat hackers get domain admin,” said DiMaggio. “It’s easy to do, so make sure your defenses are up.”
“Remember, that’s also 90% of people who actually decide to do a penetration test,” added Gleinig.
How to Better Protect Senior Care Organizations from Cyberthreats
A big part of preventing cyberthreats comes down to creating a culture of security and implementing best practices, such as not using shared drives, not sending important information to a personal email account, not sharing login credentials, and avoiding nonsecure bring-your-own-device policies and weak password policies. Gleinig told the audience that employees shouldn’t be using the same passwords at work that they’re using at home.
He also warned senior care professionals against leaving medical records or other sensitive information up on a computer screen that’s visible from a doorway or window.
“There are things we see and accept in a senior living setting that if seen in an acute setting would end up with a lawsuit,” said Gleinig. “We have to have the same exact mentality as acute-care organizations because we’re held to the same standard. Just because we’re in a tiny community bubble doesn’t mean there aren’t people who shouldn’t have access to that information.”
Organizations should create a culture where anyone can report anything. Gleinig said that the sooner people report a suspicious email, or that they clicked on a suspicious link, the better. He also emphasized the importance of continuous education about how each role can engage in cybersecurity. DiMaggio added that the finance team should receive specialized training, since its role involves handling money.