VC Notes - A weekly word from Dr. LouAnn Woodward
Friday, October 11, 2019

Staying One Step Ahead of Cyber-Criminals

Good morning!

Last week three hospitals in Alabama were attacked by a “cyber-criminal” who hacked into their computer systems.  The attack left the hospital staff unable to use their computers – including their electronic health records – until management paid a “ransom” to the perpetrator.

The attack was terribly disruptive.  The hospitals were able to continue caring for patients who had already been admitted, but had to essentially close to all but the most critically ill new patients.  In these illegal incidents, access to the systems is returned to the hospitals only after a ransom is paid to the hacker.

These kinds of ransomware attacks are increasing.  A cybersecurity firm that tracks such incidents reports that in the first nine months of this year, at least 621 government entities, health care providers, school districts and colleges were the victims of a ransomware attack.  Hospitals, in particular, are a popular target, in part because they have become so dependent on computer systems and they usually have the means to pay the ransom.

At UMMC, we have had our own brushes with individuals and groups that mean to do us harm.  The most recent was a “phishing” attack in which a “bad actor” posing as someone within our organization asked employees to verify their network credentials.  The request seemed legitimate; so much so that a handful of our employees volunteered information.  Fortunately, the scheme was reported to our information security team, and the team was able to act relatively quickly to minimize the threat.

Since October is National Cyber Security Awareness Month, I asked our staff in the Division of Information Systems (DIS) and the Office of Information Security (OIS) to update me on our current posture with respect to cyber threats.  They cited a number of improvements to our defenses, including:

  • Protection of our Electronic Health Record. Access to Epic is governed by defined security templates, and remote access is possible only through our Citrix portal.  This helps protect the Epic environment from the kinds of malware that could be propagated from a typical PC.  Also, most of the workstations used to access Epic are Wyse devices that are write-protected, which prevents modification or deletion of the data.

  • Infrastructure Security Controls. DIS has elaborate firewall, web-filtering and intrusion-detection systems that help protect UMMC from external attacks.  Legitimate internet connections that contain malware are most often thwarted by our next-generation antivirus software.  These systems are monitored by DIS administrators and engineers, and by a third-party security operations center 24 hours a day, seven days a week.  Although it may seem like an extra step, two-factor authentication when accessing the network remotely has been the best protection – even when an account’s password has been compromised.  Without that second method of authentication, the bad actor cannot use the stolen credentials.

  • Incident Response. When potential threats are discovered, information security analysts and DIS administrators and engineers are alerted to take immediate action.  The DIS Help Desk and area support staff also play critical roles in identifying issues and acting quickly to ensure the appropriate actions are taken.

It’s important to remember, however, that no matter how elaborate our security measures may be, UMMC still depends on employees and students as the most important defense against the loss of sensitive data or the compromise of systems that damages our ability to serve our patients or other customers.  With that in mind, below are some important “Dos and Don’ts” when it comes to information security:

Do:

  • Always take a few moments before replying to an email – especially when it is from an unknown sender or the request is unexpected. Even if the source appears to be someone working here or someone known personally to you, that does not mean the message is legitimate.

  • Hover. Hovering over the sender name with your cursor reveals the actual sender email address.  Often, scammers use legitimate names, or put a correct-looking email address in the display-name field, while the actual address behind it is something else.  For example, instead of umc.edu, the actual address may be umc.myhackerserver.ca.  The same is true of links within an email.  The text may say something legitimate or use a familiar icon, but hover over the link to disclose the actual internet address.

  • Call. If an email seems odd or is asking for something that involves logging in or sending unusual information, call the sender to confirm the request is legitimate.

  • Report. Anytime an email seems suspicious, always forward it as an attachment to abuse@umc.edu and then delete the email.  If you realize you may have fallen prey to a scam, contact the DIS Help Desk immediately to report a possible security incident.  Responding to a crisis early is typically associated with better outcomes.
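The “hover” checks above can also be automated at the mail gateway or in a report-triage script. The following is an added example, not code from UMMC or from the column: it parses a `From:` header and the `<a>` tags in a message body and flags the two tricks the column describes, a display name or “umc.”-prefixed host that hides an address outside umc.edu, and link text that names a different domain than the real `href`. The sample messages are constructed, and the “last two labels” rule for the registered domain is a deliberate simplification.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# The organisation's own mail domain, as named in the column; "umc" is its first label.
TRUSTED_DOMAIN = "umc.edu"
TRUSTED_LABEL = TRUSTED_DOMAIN.split(".")[0]
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude registrable domain: the last two labels (enough to tell umc.edu from myhackerserver.ca)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def check_sender(from_header):
    """Return (real_domain, suspicious) for a From: header.

    Suspicious when the real address is outside TRUSTED_DOMAIN but either the
    display name mentions the trusted domain or the real host merely starts with
    the trusted label (umc.myhackerserver.ca), which is the trick the column describes.
    """
    name, addr = parseaddr(from_header)
    real_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registered_domain(real_domain) == TRUSTED_DOMAIN:
        return real_domain, False
    looks_internal = (TRUSTED_DOMAIN in name.lower()
                      or real_domain.startswith(TRUSTED_LABEL + "."))
    return real_domain, looks_internal

def check_links(html):
    """Return (visible_text, real_host, suspicious) per <a>; suspicious when the
    visible text names a host whose registered domain differs from the href's."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        shown = HOST_RE.search(visible)  # None when the text is just words, e.g. "Log in"
        mismatch = bool(shown) and registered_domain(shown.group(1)) != registered_domain(real_host)
        findings.append((visible, real_host, mismatch))
    return findings

# Constructed samples in the style of the column's example; not real messages.
SAMPLE_FROM = ["John Doe <jdoe@umc.edu>",
               '"jdoe@umc.edu" <jdoe@umc.myhackerserver.ca>',
               "IT Help Desk <helpdesk@umc.myhackerserver.ca>",
               "Vendor Rep <sales@example.com>"]
SAMPLE_HTML = ('<p><a href="http://umc.myhackerserver.ca/login">https://umc.edu/portal</a> '
               '<a href="https://umc.edu/epic">Log in to Epic</a></p>')

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        print(header, "->", check_sender(header))
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```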

Don’t:

  • Share passwords. It is not only unsafe, but it’s against UMMC policy to share your password with anyone, and it’s against policy for anyone to ask you to disclose it.  Remember that neither DIS nor any other department will ask you to provide your password in order to assist you.

  • Recycle passwords. As tempting as it may be, don’t use easily guessable words – like the seasons of the year or names of months as a part of the password.  Also, don’t use the same word with different numbers each time your password is changed.  These are easy to guess and easier to compromise.

  • Write passwords down. It is risky to do so, and it’s also against UMMC policy.

Bottom line, the headaches and hassles we sometimes experience in dealing with our computers are a small price to pay to keep our data safe and maintain our ability to function.  It’s unfortunate that there are so many bad actors out there looking to profit from cybercrime, but that just means we have to be all the more vigilant.  For that reason, look for the release of a mandatory Information Security Awareness course soon.

Keeping our data safe is the responsibility of all of us, on our path to A Healthier Mississippi.
Signed, Lou Ann Woodward, M.D.
