Brian Contos, the CISO of Verodin, and I recently sat down to talk about current cybersecurity trends in healthcare on the Cybersecurity Effectiveness Podcast. More specifically, we chatted about one of the most common points of exploitation I see in healthcare today: email.
(Check out the latest episode of the podcast, "A Higher Standard for Patient Safety," here.)
Brian and I discussed how email can be like a door and many organizations leave that door wide open for nefarious entities to walk in and introduce themselves. Either inadvertently or intentionally, email addresses are often left encoded in your organization’s publicly-facing webpages. This is a big problem.
Nefarious actors can easily create scripts or use purpose-built tools such as the Online Email Extractor to scan websites for email addresses. This is called scraping, and it can produce not only email addresses but also phone numbers, job titles, and more. This information can then be used for everything from indirect phishing campaigns to very targeted whaling campaigns.
Brian and I talked about best practices around publicly-facing websites, especially in healthcare, where privacy and PII are top-of-mind for everyone. One simple step that an organization can take is to ensure that email addresses and other forms of sensitive data are not left exposed to the public. You can scan your own site for sensitive information – it’s easy to do. If sensitive information such as email addresses is found, it should be removed immediately so it can’t be used against you in an attack.
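One way to run that self-check, as an added example that is not from the podcast or the original post: it audits HTML you already hold for your own pages and reports addresses that appear in plain text, behind HTML entities such as `&#64;`, or inside `mailto:` links. The function names, page paths and `clinic.example.org` addresses are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Simple audit pattern, not a full RFC 5322 address parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.IGNORECASE)

# Constructed sample: saved HTML of three pages from a site you own.
SAMPLE_PAGES = {
    "/contact.html": '<p>Email <a href="mailto:records@clinic.example.org">Records</a>'
                     ' or billing&#64;clinic.example.org.</p>',
    "/privacy.html": '<a href="mailto:privacy%40clinic.example.org?subject=Hi">Privacy</a>',
    "/about.html": "<p>Use our contact form to reach the care team.</p>",
}

def find_exposed_emails(page_html):
    """Return {address: sorted exposure kinds} for one page's HTML."""
    # Addresses readable directly in the markup.
    raw = {addr.lower() for addr in EMAIL_RE.findall(page_html)}
    findings = {addr: {"plain"} for addr in raw}
    # Entity encoding hides the address from a naive text search only;
    # anything that decodes entities, as a browser does, still sees it.
    decoded = html.unescape(page_html)
    for addr in EMAIL_RE.findall(decoded):
        if addr.lower() not in raw:
            findings.setdefault(addr.lower(), set()).add("entity-encoded")
    # mailto: targets may be percent-encoded, so decode before matching.
    for target in MAILTO_RE.findall(decoded):
        match = EMAIL_RE.search(unquote(target))
        if match:
            findings.setdefault(match.group(0).lower(), set()).add("mailto")
    return {addr: sorted(kinds) for addr, kinds in findings.items()}

def audit_site(pages):
    """Map each page path to its findings, skipping clean pages."""
    report = {}
    for path, page_html in pages.items():
        found = find_exposed_emails(page_html)
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    for path, found in audit_site(SAMPLE_PAGES).items():
        for addr, kinds in sorted(found.items()):
            print(f"{path}: {addr} ({', '.join(kinds)})")
```

Pages that report an address are the ones to clean up, for example by replacing the address with a contact form.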
We also discussed some of the solutions that various healthcare organizations I’m working with are using to help block email phishing attacks. One tried-and-true example is an email gateway. I especially like email gateways that can intercept and scan incoming email to the network and work with traditional as well as cloud-based email systems. Many of the healthcare organizations I work with have a mix of cloud and on-premise solutions. It’s easier to manage both email types with one email security solution when you have a small team and not a ton of people to manage your security tools.
But all your security tools won’t matter if they aren’t working. Many organizations still have dozens to hundreds of security vendors deployed. There is a real need to validate that the security tools used are actually working – especially in healthcare where the security staff might be smaller – and the tools might be more limited than a similarly sized financial services company, for example.
That’s why I also like Security Instrumentation Platforms like the Verodin SIP. A SIP isn’t helping you look for malware; it’s making sure the tools you are using to look for malware are working. You aren’t using SIP to stop phishing attacks; you are using SIP to make sure the tools you deployed to stop phishing attacks last year are still stopping those attacks today.
Within healthcare, all your tools need to count by providing value, stopping bad things, alerting you of bad things, etc. You can’t afford to have deadweight shelfware – there simply aren’t enough resources to have a security tool that’s not providing value. I have personally written tons of custom rules for products like Snort and FireEye over the years. While I’ve been in security for a long time, I’m still never 100 percent sure that the rules I wrote were catching all the things I was looking for. That’s why I like security instrumentation. Security instrumentation helps me validate that all that work I put in is delivering value.
About Tim Waldo:
Tim Waldo, SOC analyst at Fortified Health Security and former security consultant at Leidos, has a diverse background in Information Technology and Nursing. He has a degree in Software Engineering and a Master of Science in Information Security from the University of Phoenix and Lewis University, respectively. Holding a CheckPoint Partner Sales certification and LPN License, his past roles include working as an analyst at Deloitte and Community Health Systems. When not engineering, Waldo spends his time as an instructor at Springs Wilderness Scuba.