Embracing next technology healthcare without adequate preparation will only open new risk avenues and threat vectors for healthcare cyber attacks. Technology is perceived as a solution to address operational inefficiencies within the healthcare industry and to expand the reach of high quality healthcare services to remote regions. But the risks are mounting.
Vulnerable Devices for Critical Medical Practices
The proliferation of smart technologies will encompass the healthcare industry in coming years. Digital devices such as smart pacemakers and insulin pumps are used widely today, and the next generation of smart technologies will cover a variety of critical cardiovascular, respiratory, and neurological medical practices. However, next technology healthcare devices aren’t immune to sophisticated attacks. In the hands of malicious actors, vulnerable smart medical devices can deliver the killer blow to patients instead of maintaining stable health.
Cloud Vulnerabilities for Healthcare Cyber Attacks
Cloud connectivity is critical to access patient information anywhere-anytime, a promise that’s driving transition to the cloud for healthcare institutions. PHI data is effectively stored in off-site data centers beyond the control of healthcare providers originally in charge of maintaining patient data privacy and security. Any vulnerability in their cloud networks is an open invitation for hackers to compromise sensitive patient information.
Unlike cloud vendors subject to stringent compliance regulations, patients themselves are unable to secure IoT-connected medical devices at home. A malware-infected dialysis machine could be part of a DDoS attack intended to bring down the entire network infrastructure of a hospital. Since IoT devices come from multiple vendors, through different processes and with different technologies, it’s not entirely possible to maintain a consistent standard and control around healthcare cyber attacks and IoT device security.
Next Technology Healthcare Cyber Attacks to Mobile Apps
Healthcare providers adopting telemedicine practices using smartphone health apps may not realize or control the personally identifiable information shared with third-party advertisers. These apps run on mobile platforms vulnerable to security threats, especially when the OS is not updated to apply the latest available security patches.
Considering the general lack of security awareness among patients, who use outdated mobile app and OS versions and fall prey to mundane social engineering ploys, the industry has a long way to go before mobile apps can be considered secure channels that offer effective protection against healthcare cyber attacks.
Do you think the next technology healthcare industry is ready to take a deep dive into cyber security adoption without adequate preparation and fixing loopholes that exist within the technology itself?
Recruiting expertise in medical devices and electronic health records
Need an executive search consultant with deep knowledge and contacts in the medical field? NextGen has identified and recruited key personnel ranging from principal / chief engineers in software development, systems design, and embedded wireless to directors and VPs in sales, business development, and technology to president of business unit for medical device manufacturers, electronic health records developers, clinical integration, and bio medical research and development.
Ransomware is distributed as a social engineering ploy via email, malicious links and malvertising, among other techniques. A proactive ransomware mitigation strategy for EMR is needed because once a user falls prey to these human exploits, ransomware is downloaded to the victim’s computer and the malicious process begins.
The malware attempts to connect to its encryption-key servers, obtains public encryption keys and uses various encryption algorithms to encrypt mission-critical data on the network.
Targeted data typically includes PDF, JPG and Microsoft Office file formats. Basic OS recovery and reboot facilities are disabled. The compromised data is moved, renamed, encrypted, and renamed again so that the required data cannot be located by its actual file names once the ransomware has executed, which is when the ransom is demanded via Bitcoin or other digital money transfer services. At execution, the start-up screen and several basic features are also locked until the payment is processed.
Why a Proactive Ransomware Mitigation Strategy for EMR Matters
Despite the prevalent security awareness, phishing schemes and drive-by downloads remain among the most effective techniques to deliver ransomware payloads onto target computers. To combat ransomware, a proactive ransomware mitigation strategy is to set up systematic corporate security training programs to prevent ransomware payload delivery onto your EHR systems in the first place.
Employ expert social pen-testers to phish your own staff. Emulate real-world exploits but do no real harm to your organization or employees. Establish gamification-based reward programs to encourage dedicated adoption of security best practices. And yes, prior executive approval will be required to prevent awkward situations.
Secondly, it’s best to perform social penetration testing procedures on a separate, isolated network infrastructure such that sensitive data remains inaccessible and uncompromised. This strategy will essentially build the most effective line of defense against ransomware: the human firewall.
Advanced phishing attacks are known to bypass the standard spam filters set up by email clients. Another part of a proactive ransomware mitigation strategy for EMR is to establish strong spam filtering techniques such as blacklisting and whitelisting email and IP addresses, and real-time blackhole lists that are maintained by third-party security providers. Use content-based filters to ward off the malicious content that’s most relevant to your organization.
Email validation systems such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) can prevent phishing emails from reaching your workforce. Establish strong administrative and access controls to prevent unauthorized and unintended downloads of executable files via email or the Web – even legitimate websites could be compromised to deliver ransomware as downloadable content.
Strict controls that grant each user only the least privilege they need will reduce the proportion of the workforce who can inadvertently facilitate ransomware delivery to the corporate IT network. This approach will prevent anomalous and unauthorized downloads, installations, data transfers, editing and encryption from taking place.
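To make the SPF/DKIM/DMARC sentence above concrete, here is an added example (not code from the original post or from NextGen) that evaluates a constructed inbound message the way a receiving mail gateway does: it resolves the sender’s SPF record, checks the DMARC policy, tests identifier alignment, and returns the disposition. The DNS records, domain names and IP addresses are all constructed for illustration; the SPF evaluator is deliberately minimal (ip4/ip6, include and all only) and the organizational-domain logic is a simplification of what a real resolver does with the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical hospital domain (example data, not real).
DNS_TXT = {
    "example-hospital.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example-hospital.org": "v=DMARC1; p=reject; aspf=r; adkim=s; "
                                   "rua=mailto:dmarc@example-hospital.org",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluator: ip4/ip6 mechanisms, include: and the all mechanism.
    Real resolvers also handle a, mx, exists, redirect= and DNS lookup limits."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            if spf_check(term[8:], sender_ip, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Read the _dmarc TXT record into a tag dict; alignment modes default to relaxed."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    # Simplification: last two labels. Production code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate, from_domain, mode):
    """DMARC identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def dmarc_evaluate(msg):
    """msg keys: from_domain (header From), mail_from_domain (envelope sender),
    sender_ip (connecting host) and dkim_domain (d= of a verified signature, or None)."""
    policy = parse_dmarc(msg["from_domain"])
    spf = spf_check(msg["mail_from_domain"], msg["sender_ip"])
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_ok = spf == "pass" and aligned(msg["mail_from_domain"], msg["from_domain"], policy["aspf"])
    dkim_ok = bool(msg.get("dkim_domain")) and aligned(msg["dkim_domain"], msg["from_domain"], policy["adkim"])
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    return {"spf": spf, "dmarc": "fail", "disposition": policy.get("p", "none")}


# Constructed messages: one sent through the hospital's contracted relay, one spoofing it.
LEGIT = {"from_domain": "example-hospital.org", "mail_from_domain": "example-hospital.org",
         "sender_ip": "198.51.100.10", "dkim_domain": "mail.example-hospital.org"}
SPOOF = {"from_domain": "example-hospital.org", "mail_from_domain": "example-hospital.org",
         "sender_ip": "192.0.2.77", "dkim_domain": None}

if __name__ == "__main__":
    print("legit:", dmarc_evaluate(LEGIT))   # dmarc pass via aligned SPF
    print("spoof:", dmarc_evaluate(SPOOF))   # dmarc fail, disposition reject
```

Note that the legitimate message passes only because SPF is aligned under the relaxed aspf mode; its DKIM signature from mail.example-hospital.org would not satisfy the strict adkim=s setting on its own, which is the kind of misconfiguration that surfaces in DMARC aggregate reports before a policy is moved from p=none to p=reject.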
Furthermore, streamline the updating, patching and validation processes for every tool used in the EHR systems. Most ransomware attacks exploit known vulnerabilities that remain unpatched. Standardizing mass rollout of updates across all systems is a time-consuming and cumbersome process if the operating systems and software are installed on local hard drives.
Organizations that maintain such systems take months and sometimes years before evaluating, authorizing and installing updates individually on each computer. On the other hand, organizations that maintain virtualized and cloud-based environments for the delivery of desktop OS and electronic health records solutions can automate and streamline the process of software updates.
Although these measures drastically reduce the chances of successful malware delivery to your systems, your organization should be prepared to tackle the threat of ransomware infection and prevent execution of malicious programs. For instance, another proactive ransomware mitigation strategy is to limit users’ privileges to install software and to block execution of targeted file extensions.
If an installation is critical, the process should be flagged and transferred to a sandbox environment for detailed security assessment. Unauthorized changes to medical devices, files and data sharing should be blocked to prevent potential ransomware processes from executing.
Proactive Ransomware Mitigation Strategy for EMR Advanced Security
Deploy advanced security solutions that detect anomalous processes, raise the alarm and cut off compromised systems from the network to prevent the malware from spreading. Maintain an efficient backup recovery system that performs data backup in real time and can be used to retrieve mission-critical data in a matter of minutes, as required. Consider using differential backup techniques that preserve only the changes made to data that’s already been backed up.
The minds behind ransomware attacks intend to hold this data hostage so that victims are left with no option but to process the payments. If you can access this data by alternate means within an acceptable timeframe, the ransomware attack is rendered useless and you can eventually get security and IT experts to clean up the infected systems.
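The two paragraphs above recommend differential backups and restoring from them rather than paying. The following added example (not code from the original post or from NextGen) models that cycle over a constructed in-memory file set: a full backup, two differential backups that each capture everything changed since the full backup (including deletions), and a restore that needs only the full backup plus the latest differential, regardless of how many differentials were taken in between. All file names and contents are constructed sample data; the only assumption beyond the text is that file identity is tracked by SHA-256 so unchanged files are never copied twice.

```python
import hashlib

# Constructed sample records (not real patient data).
DAY0 = {
    "records/patient-0001.json": b'{"id": 1, "allergies": []}',
    "records/patient-0002.json": b'{"id": 2, "allergies": ["penicillin"]}',
    "images/scan-0001.jpg": b"\xff\xd8\xff\xe0constructed-jpeg-bytes",
}
DAY1 = dict(DAY0)
DAY1["records/patient-0001.json"] = b'{"id": 1, "allergies": ["latex"]}'   # modified
DAY1["records/patient-0003.json"] = b'{"id": 3, "allergies": []}'          # added
DAY2 = dict(DAY1)
del DAY2["images/scan-0001.jpg"]                                            # deleted
DAY2["records/patient-0002.json"] = b'{"id": 2, "allergies": ["penicillin", "sulfa"]}'


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def manifest(files):
    """Map every path to its content hash; this is what lets us detect changes cheaply."""
    return {path: sha256(content) for path, content in files.items()}


def full_backup(files):
    return {"kind": "full", "manifest": manifest(files), "data": dict(files)}


def differential_backup(full, files):
    """Copy only files added or changed since the FULL backup (not since the last
    differential), and record files that have disappeared as tombstones."""
    base = full["manifest"]
    current = manifest(files)
    changed = {p: files[p] for p, h in current.items() if base.get(p) != h}
    deleted = sorted(p for p in base if p not in current)
    return {"kind": "differential", "data": changed, "deleted": deleted}


def restore(full, diff=None):
    """Rebuild the file set from the full backup plus, optionally, one differential."""
    files = dict(full["data"])
    if diff is not None:
        files.update(diff["data"])
        for p in diff["deleted"]:
            files.pop(p, None)
    return files


def simulate_backup_cycle():
    """Full backup on day 0, differentials on days 1 and 2; returns all three."""
    full = full_backup(DAY0)
    diff1 = differential_backup(full, DAY1)
    diff2 = differential_backup(full, DAY2)
    return full, diff1, diff2


def recover_after_encryption(full, latest_diff):
    """Constructed ransomware aftermath: every live file replaced by opaque ciphertext.
    Recovery ignores the live tree entirely and rebuilds from backup media."""
    encrypted_tree = {p + ".locked": b"\x00opaque-ciphertext" for p in DAY2}
    restored = restore(full, latest_diff)
    return restored, encrypted_tree


if __name__ == "__main__":
    full, diff1, diff2 = simulate_backup_cycle()
    print("diff1 carries", sorted(diff1["data"]), "deleted", diff1["deleted"])
    print("diff2 carries", sorted(diff2["data"]), "deleted", diff2["deleted"])
    restored, _ = recover_after_encryption(full, diff2)
    print("restore matches day-2 state:", manifest(restored) == manifest(DAY2))
```

The trade-off this makes visible is that each differential grows (diff2 carries day 1’s changes again), whereas an incremental scheme would copy less per run but require replaying the whole chain in order at restore time, and a single corrupted link breaks recovery. For ransomware recovery, the backup media must also be offline or immutable, since anything the infected host can write to, it can encrypt.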
Finally, a sound proactive ransomware mitigation strategy for EMR is to coordinate with your security solutions providers and federal agencies to report possible ransomware attacks – they may already have relevant information and could be able to crack down on the perpetrators with the additional reporting, thereby preventing future attacks from the same sources.
Need help recruiting Cyber Security Professionals for HL7 or EMR Development?
NextGen Executive Search has successfully recruited and placed software developers, analysts, firewall and firmware designers, and sales and product management staff for clinical integration and healthcare patient records management vendors, including medical device manufacturers, for over 20 years.
The healthcare industry is unprepared for cyber attacks, and the cybercrime threat landscape for medical devices and electronic health records is evolving at unprecedented rates. The malicious intent of financially motivated or state-sponsored cyber-criminals was once best served by victimizing financial institutions, power infrastructure and the business sector. The sheer wealth of profitable consumer information stored within the servers and IT networks powering these industry segments attracted attacker interest for decades. At the same time, these industries are investing vast resources to strengthen their security posture. Cybercriminals pursuing easier targets are aiming for the healthcare industry instead, where a similarly vast deluge of sensitive personally identifiable information powers increasingly digitized healthcare services from less-secure network infrastructure.
Inherent Loopholes as Healthcare Industry Unprepared for Cyber Attacks
Healthcare institutions excel in medical practices but are inherently prone to security attacks. 2017 might have seen only a limited number of successful attacks, but make no mistake: a healthcare industry unprepared for cyber attacks faces a very real threat, and here’s why. The future of healthcare centers is paperless medical practices. Digital patient information stored in network-connected servers is a recipe for disaster unless strong security defense capabilities are in place to ward off sophisticated cyber-attacks. And that’s precisely the problem with a healthcare industry unprepared for technology adoption.
While the government and the industry is pushing to embrace Electronic Health Record (EHR) systems, the same attention is not given to invest in strong security solutions, technologies, and processes across the widening industry of healthcare institutions, hospitals, surgery centers and EMR/EHR management providers.
Equating Compliance to Security: Global regulatory authorities enforce strict laws to ensure the security of digital health records and electronic systems used in the healthcare industry. However, these laws are designed to establish and maintain a minimum standard of security capabilities and practices. The risks could be far worse and more varied. Therefore, maintaining compliance standards such as HIPAA does not translate into strong security capabilities, and a healthcare industry that relies on compliance alone remains unprepared for cyber attacks.
Lack of Security Awareness: A significant proportion of life-threatening spearphishing and ransomware attacks are designed to exploit the human element. Random clicks to malicious links by unsuspecting workforce in the healthcare industry cost millions of dollars in damages. Inadequate workforce education and training on maintaining security of digitized records and new healthcare technologies is prevalent in the industry considering the simple root causes of these costly attacks.
Lack of Resources: Many healthcare institutions do not operate on the same IT security budget as financial and business organizations. A recent study conducted by The Ponemon Institute finds healthcare organizations rate their ability to defend against cyber-attacks at a meager 4.9 out of 10.
Outsourcing May Alleviate Healthcare Industry Unprepared for Cyber Attacks
Healthcare institutes work to excel in the services they offer, and tend to outsource critical healthcare IT operations. These IT service providers are subject to strict regulations including HIPAA, yet healthcare organizations cannot accurately assess the risk of business associates or ensure the security of Protected Health Information (PHI) shared with them.
When the United States’ military stealth bomber was rumored, and then when it made its public debut, it was the first time advanced stealth technology was a reality instead of something out of a science fiction novel.
Even as the US was working on the tech to hide the profile of the bomber, work was underway on how to detect it. Since unmanned aerial vehicles (UAVs) are now an integral part of the world’s major militaries, stealth tech is integral to these aircraft. Again, the US is leading the pack, but China, France and Great Britain are also making major strides, with China closing the gap rapidly.
Where military concealment is concerned, the top things that must be hidden are:
- Signals: radio, electrical or laser
Staying as quiet as possible is critical: alongside next-generation long-wave infrared search-and-track sensors, engine and propeller noise worries some analysts. Anyone who’s ever heard a small civilian drone knows the buzz. Helicopter pilots say they do not fly but beat the air into submission, and create a lot of noise at the same time. Prop- and jet-driven UAVs are sound machines.
The private sector is making strides in killing propeller noise. While the Rowe brothers’ creation, a shroud around the prop, is designed for drones in the movie industry, the sound-killing tech can easily translate across to UAV applications with a few tweaks. Another company has tweaked the propeller blade to get a noise reduction.
Silencing the jets on UAV may also take a page from the civilian world. Georgia Tech and Lockheed Martin are tackling the jet noise issue on several fronts. NASA is investing heavily into a new generation of supersonic passenger planes that promise “60 to 65 decibels per boom (at least as heard from the ground).” A normal conversation is 60-70 decibels at 3-5 feet.
Heating Things Up in Military Stealth Tech
Combustion is hot. Electrical motors cut way back on the heat produced, but batteries add weight which reduces flight time. One solution being explored by some is a combination UAV. It runs off a fueled engine until it closes in on a target, then switches to battery operation. This cuts the heat signature and the noise when noise-reduction measures are also included. Mission accomplished, it eases away and restarts the engine to either recharge the batteries for another run or the ride home.
It may appear that sacrificing stealth to move is a trade-off that must happen. Not precisely. A UAV must fly, but the body of the UAV does not have to change shape. In a conventional aircraft, ailerons move. These dictate how a plane turns, climbs and descends by changing the shape of the airfoil (wing or rudder). The blades on a stealth helicopter are often a giveaway. A new military stealth tech drone from BAE Systems in MAGMA in-flight trials has no moving external parts. As Popular Mechanics reports, “Control surfaces can also affect an airplane’s carefully shaped stealth profile, as the fin-like device moves upward or downward, momentarily making the aircraft slightly more visible to radar.” A slight advantage is all that’s needed to get a lock and take measures against the incoming craft.
See Me Now
Hiding by color is the oldest form of stealth around; think stripes on a tiger. Mirrors that reflect the surroundings are great for hiding, depending on the surroundings. But cloaking tech along the lines of the Harry Potter invisibility cloak or Klingon cloaking technology may not be as silly as it sounds. It is a step closer to reality. This kind of tech has the possibility of blocking everything but sound; muffling technology will take care of that.
Electrical and Radio
Hiding transmission signals is very difficult to do. Radio waves, even a tight beam, are going to spread. Coded transmissions, rapid frequency hopping and burst communications are ways around eavesdropping. Laser communication is the best we can do right now to avoid detection. Since lasers spread very little, intercepting means being in the direct line of transmission, which then becomes easy to detect because of signal degradation or transmission delays.
The arms race does not have a finish line. As soon as a new advancement comes online, someone is hard at work trying to defeat it. The South China Morning Post says the military there has a “T-ray” (terahertz radiation) radar that penetrates anti-detection coatings on manned aircraft and UAVs. This is not new tech, but a modification of existing technology. T-rays are used in industrial applications to spot defects in layered metals.
As Defence Aviation says, the key to defeating military stealth tech may be as simple as incorporating a whole suite of detection systems into one array. While a UAV may beat one, two or three of the detection methods, that means it must compromise on something else. “The U.S. Navy and Lockheed are already working in these areas of stealth technology thereby creating the need to develop even more sophisticated sensors that cue radars about the invisible blackbirds that roam our skies,” the website says. Retired USAF officers Maj. Gen. Mark Barrett and Col. Mace Carpenter sought to answer this in a report, “Survivability in the Digital Age: The Imperative for Stealth,” produced by the Mitchell Institute for Aerospace Studies. “Over the long run, the U.S. will engage opponents who field increasing numbers of powerful digital multi-band radars,” the authors wrote.
The Future in Military Stealth Tech
To see what tomorrow can bring, look to science fiction. What was pure speculation 50 years ago is now held in your hand, so you can watch funny cat videos downloaded from a server on the other side of the planet. The race for better military stealth tech falls into two camps: cloaking technologies, which are already underway, and anti-gravity. Conspiracy theory websites are full of stories of government work on anti-gravity devices but have little in the way of concrete proof of the claims.
So is anti-gravity going to be a thing? No one knows. But it is being researched. Get past the “how could it work” to “what could it do” and the implications are stunning. We already know gravity can bend light so using the tech to thwart detection systems should be even simpler.
However, making anti-gravity happen is many years off, if ever. Newer military stealth tech aircraft are on the horizon in the USAF’s B-21 and the Navy’s X-47B UAV.
Comprehensive pre-employment background checks are an absolute necessity. Your time is a valuable commodity. When you consider taking on a high-touch candidate destined for executive placement it is of even greater importance, as the time you spend performing comprehensive background checks may be considerable. Above all, you don’t want to lose on your investment.
Knowing what potential dangers lurk before you put a lot of effort into somebody makes good business sense. If it were a business acquisition, you would be performing the same sort of due diligence on the company you intend to purchase, so why not apply this to your human assets also?
Conducting comprehensive pre-employment background checks prior to in-person interviews is one of the surest ways to confirm that your candidate is representing themselves with verity — your brand reputation and the company’s future depends on it. When it is a leadership, management or customer-facing role, it is even more important to know exactly who is sitting on the other side of that desk. In this age of lawsuits and litigation, being armed with verified, up-to-the-minute information is your best protection.
Performing comprehensive pre-employment background checks before you hire is important. Performing a background check during the course of the recruiting process is just as crucial. The more you know about a candidate, the better you will be able to predict their success or lack of it.
Making sure you are placing the right person in the right position is so much more than just job experience and having the appropriate demeanor: ensuring that your candidate will meet all expectations and does not present a danger to you, the on-boarding company, their brand or their staff assures a return on your investment. It also gives you a stronger platform to work from when negotiating the deal. If you are committed to presenting the best candidate for the job, having a thorough background check in place is not just an option – it is a necessity.
Most HR departments, hiring managers, and recruiters ask their candidate to supply several references. Let’s be honest – these are peers, friends, and by and large 50% are therefore biased. Retained executive search firms like NextGen dig up and cold call references we find who are past internal customers the candidate interfaced with, vendors, external customers, and those who reported to him/her, as well as his/her former superiors. These names we dig up are caught off guard, are honest, and really do help to provide an accurate balance of professional references in comprehensive background checks.
Define comprehensive pre-employment background checks
SSN trace, search and validation: This verifies your candidate’s identity. A social security number is specific to the state and city where it was obtained, and can tell you a great deal about an individual, such as their residential history. A verified SSN can also help to verify other information that the background check might reveal.
County criminal record searches: This will reveal if they have been in trouble locally.
Current and previous residences: Frequent moves can be a harbinger of trouble to come, revealing transiency or any kind of trouble in holding down a residence.
National criminal file: This is a validated result that is cross-referenced to known addresses. Care must be taken to verify this information against a known quantity, such as an individual’s SSN. There are likely thousands of William Smiths in the world, for example.
Federal criminal record searches (last 7 years): Any federal criminal offence will appear here. Federal offences are far more serious, and include many ‘white-collar’ crimes such as fraud.
Federal civil records searches (current and previous residences): This will illuminate problems with money, handling money, securities and bad debt, which is very important in hiring for fiduciary positions. It will also reveal past marriages or any civil proceeding that the candidate has been involved with.
OFAC terror watch/sex offender check: It probably goes without saying, a history that includes terrorism, violent crime or a sex offence has the potential to cause a great deal of harm to your company, your customers and your workforce.
Education verification (2 highest degrees): Education verification to prove your candidate’s claims.
Employment verification (last 3 employers): Verifying past employment, positions held and more proof of claims.
Professional character references (past superiors, direct reports, internal/external customers as applicable): How your candidate interacts with others should be of great interest to you. This is the trickiest part as most HR departments lack the skills to conduct job references pertaining to those whom the candidate interfaces with. It’s not just the interactions, but the mentor and coaching capability, listening skills, ability of the candidate to sell their ideas, examples of conflict resolution, and teamwork.
Social media reputation reports: Many people reveal their true character online in ways they never would to your face. It’s not about the kids, the cottage or the kittens, but if your candidate is a drunk or has a tendency to bad-mouth their employers or even worse – their customers – online, you’ll want to know.
PEER credit report: A PEER credit report takes an individual’s personal credit, residential and employment history into account and is a little more detailed than a standard background check. The PEER report is more a gauge of dependability than credit worthiness, and does not result in a credit inquiry for the candidate. Use for C-Suite level, VP and fiduciary roles.
‘Ban the Box’ laws impact comprehensive background checks
In states or municipalities where a ‘ban-the-box’ law is in place, access to your candidate’s criminal history in comprehensive background checks could be limited until later on in the hiring process. You might think that this legislation has limited influence with regard to executive search and placement, but it still has the potential to lead you down a blind alley every once in a while. You might, for instance, spend a great deal of time on a candidate during the on-boarding process only to find that there were some legal or ethical issues that you just cannot afford to take a chance on.
The legislation itself applies to federal government job applications, some private contractors and companies operating in specific regions that have adopted the policy. While it is arguably a useful and constructive way to level the playing field, it could still impede your process when hiring mid-level to senior management.
Since the legislation can be enforced at the state, county or municipal level, it is important to find out what the laws are in your area, and understand what you can and can’t legally ask up front.
Most ban-the-box laws do not prohibit an up-front comprehensive pre-employment background check, but some do require the employer to wait until after the first interview or even later in the hiring process.
Running comprehensive pre-employment background checks
Your HR department can check references and social media, but a verified background check ensures the information you obtain is bona-fide and that the person whose life you are looking into is actually the one you intended. Additionally, there is a lot of information that cannot be uncovered in a limited search.
Some data can only be accessed by a licensed firm that specializes in comprehensive pre-employment background checks. Such companies have the experience to get you what you need in an expedient manner, and will help to prevent you from looking at personal data that might put you in violation of state or federal law. If you are in doubt, consult your legal department first. Most states require that you obtain a written consent from the candidate prior to conducting a search. You should also expect to provide a copy of that search to the subject in addition to any related communications or recommendations.
Above all, look at a broad spectrum of information. Don’t just look at the negative, and don’t focus too closely on any one thing. The sum total of your candidate’s data should tell a story – hopefully a good one – that will help you decide how best to proceed.