“Doctors just don’t care much about cybersecurity. They have other, more important, things to worry about. They expect the technology and security people to deal with those problems. Besides, we can’t control them anyway. Most of them don’t work for us.”
As I travel around the U.S. leading information security awareness seminars for Security Mentor, I hear comments like this all the time from security professionals.
Or, “Lawyers are just too busy. Every second is precious and must be billed to a client. We can’t include them in security awareness training. Everyone else at the firm is fine – but we leave them alone.”
But is change in the air for doctors and lawyers regarding cybersecurity practices? Could these respected professionals take part in next-generation security awareness training?
As a result of a ransomware pandemic that has hit hospitals recently and the infamous Panama Papers that were released earlier this year, hospitals and law firms all over America are reassessing how they protect sensitive data. The likelihood of new attention focused on security topics for doctors and lawyers is higher than ever before.
Background on Recent Security Incidents
Over the past two months, new ransomware cases have dramatically changed the online security landscape for hospitals. As described in this Ransomware Emergency article:
The Henderson, Ky.-based Methodist Hospital was “operating in an ‘internal state of emergency’ after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.”
In addition, Hollywood Presbyterian Hospital was held hostage by hackers who initially wanted 9,000 bitcoin, but ended up settling for much less to unencrypt their critical data.
The FBI issued a press release warning in March about the growing threat of ransomware. Here is an excerpt:
The FBI strongly encourages you to protect your computer from ransomware by:
- To prevent the loss of essential files due to a ransomware infection, it is recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline. Ransomware will encrypt any drive that is visible to the computer, including back-ups.
- Filter out e-mails with .exe attachments and set your computer to show hidden file extensions. Ransomware is often delivered as a file with more than one file extension such as example.pdf.exe.
- Make sure you have updated antivirus software on your computer.
- Enable automated patches for your operating system and web browser.
- Have strong passwords and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
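The second FBI recommendation above (filter .exe attachments and watch for double extensions such as example.pdf.exe) is easy to turn into a concrete mail-gateway check. The following Python is an added illustration written for this article, not FBI code and not a Security Mentor product; the extension sets, the "allow/flag/block" actions and the sample filenames are constructed assumptions chosen to exercise the edge cases (case differences, spaces inside a name, legitimate compound extensions like .tar.gz).

```python
"""Attachment filename triage in the spirit of the FBI ransomware advice:
block executable attachments, especially double-extension names such as
invoice.pdf.exe, and flag other multi-extension names for review.
Added example; not code from the article or from the FBI."""
from __future__ import annotations

from dataclasses import dataclass

# ".exe" is the extension the FBI excerpt names; the rest are assumed here
# as a typical gateway blocklist, not taken from the article.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Document-style extensions that a double-extension name imitates.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Legitimate compound endings that should not be flagged as "double extensions".
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


@dataclass
class Verdict:
    filename: str
    action: str   # "block", "flag" or "allow"
    reason: str


def extension_chain(filename: str) -> list[str]:
    """Lower-cased extensions of a filename, e.g. 'A.PDF.EXE' -> ['pdf', 'exe'].
    Whitespace around each part is trimmed so 'invoice.pdf .exe' is read as
    the same chain as 'invoice.pdf.exe' (hidden-extension views would not
    show the trailing '.exe' either way)."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(filename: str) -> Verdict:
    """Decide what a mail filter should do with one attachment name."""
    exts = extension_chain(filename)
    if not exts:
        return Verdict(filename, "allow", "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            # The example.pdf.exe pattern from the FBI excerpt.
            return Verdict(filename, "block", f"double extension masquerading as .{exts[-2]}")
        return Verdict(filename, "block", f"executable attachment .{final}")
    if len(exts) > 1 and tuple(exts[-2:]) not in KNOWN_COMPOUND:
        # Not executable, but still unusual enough to hold for review.
        return Verdict(filename, "flag", "multiple extensions; review before delivery")
    return Verdict(filename, "allow", f".{final} attachment")


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Group a batch of attachment names by the action taken."""
    groups: dict[str, list[str]] = {"block": [], "flag": [], "allow": []}
    for name in filenames:
        groups[inspect_attachment(name).action].append(name)
    return groups


# Constructed sample attachment names for demonstration only.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",
    "setup.exe",
    "archive.tar.gz",
    "notes.txt",
    "scan.jpg.zip",
    "README",
    "Quarterly Report.PDF.EXE",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = inspect_attachment(name)
        print(f"{v.action:5}  {v.filename!r:30}  {v.reason}")
```

Running the block prints one line per sample name; the three executable names are blocked, scan.jpg.zip is held for review, and the rest pass. A real gateway would also inspect content types and archive contents rather than trusting the filename alone, which is why the flag tier exists.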
Meanwhile, the massive release of documents known as the Panama Papers wreaked havoc on the international clients of Mossack Fonseca. Every law firm in the world is on high alert and reexamining its processes following this high-profile situation, which has led to senior political leaders resigning their positions.
The daily headlines that focused on the Panama Papers have already revealed that thousands of companies held offshore accounts to avoid paying taxes. Beyond the embarrassing details revealed, many questions are being asked about the information security practices in use at Mossack Fonseca and the security flaws involved.
Fallout for Hospitals and Law Firms
Will these new developments lead to new priorities for doctors and lawyers? Can financial losses or the damage to the reputation of a health system or law firm lead to a new sense of urgency to update accepted security practices and even codes of conduct with hospital data? Will regulatory bodies mandate more training for these two distinguished professions that have largely opted out of serious cybersecurity training up until now?
Only time will tell, but experts in the field see the importance of cybersecurity growing in the coming years as these bold attacks mount.
Mark Ford, U.S. National Cyber Risk leader for Deloitte Life Sciences and Health Care, agrees: “This new rash of ransomware attacks is catching a lot of attention by many of my provider clients. There will be a near-term response and willingness for practitioners to take part in cybersecurity training.”
However, Ford also warns: “After the attention dies down, they will revert to the same risky behaviors, if… the executives don't make cybersecurity education and awareness training a strategic priority. You must have a corporate culture that manages cybersecurity as a top tier business risk from the top down. Many of my client CEOs and management teams are willing to participate in phishing testing. They lead by example."
Are There Positive Hospital Examples To Model?
Beaumont Health System in Michigan did not wait for new mandates or targeted ransomware attacks to train their staff on better security practices and good cyber hygiene at home and work. Beaumont is already leading the way by providing comprehensive security awareness training for their 35,000 staff, including doctors and nurses, across statewide facilities.
According to Scott Larsen, the Security Operations Manager at Beaumont: “Employee awareness is the single most important factor in protecting against cybersecurity threats today. By investing in our security awareness education program we have seen an increased awareness along with a positive response from our clinical and administrative personnel, even applying what they have learned in their home environments.”
Where to Next?
Most global security firms predicted a dramatic increase in ransomware at the beginning of the year, and events so far in 2016 have basically followed that script. I expect to see more attention on the resiliency of business processes for companies of all sizes moving forward.
There is no doubt that hospitals and law firms are now paying more attention to security practices. The question that remains is whether more lawyers and doctors will get, and follow, the memo.
About the Author: Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, and author. Lohrmann currently serves as the Chief Security Officer (CSO) and Chief Strategist for security awareness training company Security Mentor, Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers, and executives in the public and private sectors. You can follow Lohrmann on Twitter at @govcso and follow him at Security Mentor on Twitter at @SecurityMentor.