The Importance of Cybersecurity in the Healthcare Industry

The healthcare industry has been digitally transforming over the past few years, especially due to the global pandemic. With this increase in technology comes an increase in risk and greater difficulty protecting patient privacy. Healthcare providers already have many crucial components to manage such as patient privacy and care, as well as the numerous compliances and regulations. Now that cyber-attacks are on the rise, healthcare providers are also working to keep their data and systems secure, but cybercriminals are taking advantage of this busy time.

Cybersecurity is a bit different and more complicated when it comes to healthcare and medical data. There are more digital systems than we typically realize. Patients fill their prescriptions and schedule appointments online. Not to mention heating, ventilation, air conditioning, infusion pumps, and many other systems that can be compromised by cybercriminals. The impact of a ransomware attack on healthcare data will be much larger than in most other industries because the data is extremely sensitive, and lives depend on it.

According to Deloitte experts, the primary concerns for the healthcare industry are phishing, man-in-the-middle attacks, attacks on network vulnerabilities, and ransomware. To combat these types of attacks, clinics need to incorporate employee cybersecurity training, so that employees are educated on digital hygiene and know how to spot a threat. Clinics should also focus on data usage control by monitoring, blocking, and logging any malicious activity, as well as implementing strict access rights (based on least privilege). Additionally, with mobile phones, apps, and other devices being more commonly used by administrative personnel, it is crucial to monitor any remote devices and disable any nonessential accounts. Businesses in any industry should incorporate MFA, regular backups, and regular software updates.

The healthcare industry is growing rapidly, and so are cyber threats. If clinics can execute these security measures and keep up with them, they will be in a much better place to withstand any threat that arises and keep their data and patients secure.

Best Wishes, not Phishes this Holiday Season

The holidays are a huge time for buying and giving to loved ones. Unfortunately, this increase in purchasing means there is an increase in phishing and other holiday scams. Phishing is typically targeted towards consumers aiming to collect credentials, credit card or financial information, although companies are also affected since many employees now use their personal devices for business reasons.

The most common forms of scams this time of year are non-delivery, where you pay for something online and never receive it, and non-payment, where the product is shipped but the seller is never paid. Some tips to avoid this: do not click suspicious links in emails, attachments, or on other platforms/websites, and be wary of any website asking you to update account information.

While you’ve all heard of phishing, don’t forget about smishing this holiday season. SMS phishing is only the first step in these types of attacks. Once the system has been successfully compromised, scammers can then install malware on the targeted devices. This enables them to control device functionality and makes you vulnerable to other attacks. To avoid this, be diligent in your research of any websites you purchase from and be wary of emails or text messages relating to purchases.

Especially during this holiday season, look out for any suspicious text messages or emails and employ email filtering. Companies can reduce these threats by patching, using multi-factor authentication whenever possible, and incorporating security awareness training to better spot scams. Be extra diligent this time of year, as hackers are becoming more sophisticated and making their scams look more legitimate.

Clients Increasingly Asking about Vendor Cybersecurity Procedures

With increasing requests from clients regarding their cybersecurity controls, companies are looking to us to help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which were mainly targeted towards large companies, are now also crucial for small and medium-sized businesses.

In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:

  1. Multi-Factor Authentication (MFA): MFA is a key way to provide an extra layer of security to prevent hackers from accessing your system. With MFA, an additional means of identification, beyond a password, is required to log in.
  2. Endpoint Detection and Response (EDR): EDR is a cybersecurity solution that continuously monitors endpoints, collects data, and responds to help mitigate cyber threats.
  3. Backup: Companies should be sure to include multiple forms of backup with at least one stored off-site. Backups should also be regularly tested to ensure they can be restored as needed.
  4. Patching: Patches are software and operating system updates that address known vulnerabilities and keep your system up to date.

If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.

The Human Factors Behind the Robinhood Data Breach

Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of 7 million of their users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. However, at the very least, this breach could provide attackers with enough information to carry out phishing and other social engineering attacks against those whose data was stolen. While on the face of it this may appear to be your standard data breach, a closer look reveals how human factors led to the breach.

While we don’t have all the details yet, according to Robinhood’s statement, the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attacker was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as a “vishing” attack, in which the attacker impersonates someone over the phone rather than through a traditional phishing email.

This form of attack is not uncommon and highlights a number of key questions that business leaders need to consider when it comes to digital risk. First, it’s important to take a broad view of all the different avenues attackers could use to gain access to your systems. While your customer support channels may not come first to mind, any outward-facing platform can pose a risk. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against them. Traditional security awareness programs do a good job at explaining issues and in some cases testing for the presence of negative digital behaviors. But, to start to see real change, security awareness training needs to focus on designing for the positive, more secure behaviors that are strong enough to override the bad online habits we develop.

Any way you cut it, the Robinhood data breach is yet another example that highlights the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest in not just security tools, but also in training and controls that help employees understand human factors threats and what they need to do to ensure they don’t fall for social engineering scams.

Ethics by Design

Every so often something comes along and disrupts the normal order of things, and out of that disruption something new emerges. It’s certainly not a stretch to say that 2020 has brought plenty of disruptions with it, and according to a recent report by Gartner, businesses are starting to “reset” how they operate and implement new strategies reliant on emerging, more sophisticated technologies. In the report, Gartner lists a number of predictions for what the future of business will look like. Perhaps the most startling prediction the report makes is the increase in workplace surveillance: “By 2025, 75% of conversations at work will be recorded and analyzed, enabling the discovery of added organizational value or risk.” Whether this prediction will turn out to be true is up for debate; however, the tone of the report seems to imply there isn’t much we can do about it. The problem, of course, is that these changes don’t appear out of thin air. People create the change. This means, if Gartner’s prediction turns out to be true, we aren’t completely helpless and could even play a role in building new technologies based on the values and ethics people share. Just as there is a movement in cybersecurity to create technologies based on privacy by design, as we begin moving towards a new future, we also need to focus on creating technology based on ethics by design that promotes the well-being and rights of individuals.

While the idea of having every conversation and interaction you have at work recorded and analyzed probably doesn’t sound too appealing to employees, Gartner’s report highlights the possible benefits this will have for businesses. As Magnus Revang, research vice president at Gartner, explained to Tech Republic, “By analyzing these communications, organizations could identify sources of innovation and coaching throughout a company.” This may certainly be true. In fact, organizations could even use this data to help improve the workplace for employees.

Of course, if we’ve learned anything in the past decade, it is that technology used for good can also be used for bad. And Revang recognizes the risk involved with this shift. “I definitely think there [are] companies that are going to use technology like this and misuse it, and step over the line of what you would call ethical or moral.” When used correctly, however, Revang believes the benefits of this technology will outweigh any possible risks.

The problem with this argument, however, is that it assumes the problem is not with the technology itself, but the people who use it. According to Tech Republic, Revang believes “technology is inherently neutral, however the way an organization chooses to deploy and use a technology is another consideration.” What this way of thinking doesn’t consider, however, is that technology is built by people — people who are certainly far from neutral. As Joan Donovan, a social science researcher at Harvard University, recently put it, the technology we build encodes “a vision of society and the economy.”

Humans are flawed, and technology is stained with our flaws before it is even operationalized. So, when looking towards the future of technology in business, without designing these new innovations with ethics in mind, our underlying biases and flaws will play a big role in the consequences this technology will have for our everyday lives. This has huge implications in every facet of society, and unfortunately, our ethical oversight structures are too weak to mitigate these threats.

There’s talk about privacy by design principles and there are AI-bias frameworks being developed. But, in order to create technologies that support our better angels and not our worse impulses, we need experts across all fields and sectors to work together in order to understand and develop ethics by design principles that can help build technologies that are not only useful, but that reflect the values and ideals for a more just and equitable society.