Cybersecurity training for the healthcare industry


Overview

In 2020, hospitals, healthcare providers and medical facilities were struggling to handle not only the influx of patients suffering from Covid-19, but also a surge of ransomware attacks, as criminals (including state-sponsored groups) exploited the crisis to hit the sector.

Month after month, there are many successful cyberattacks on the healthcare industry. Cybersecurity breaches that expose sensitive data from thousands of people are especially important, as the privacy rules have become a nightmare for healthcare providers.

Social engineering, malware attacks, computer theft, unauthorized access to sensitive information (medical history, treatment of patients etc.) and ransomware, are only some of the challenges. WannaCry ransomware, for example, crippled parts of the U.K.’s National Health Service for many days.

After a successful attack, the damage to brand reputation of the healthcare provider is very important.

Healthcare providers must have sufficient defense mechanisms in place, and must be able to provide evidence about that. Cybersecurity awareness and training for healthcare practitioners, doctors and personnel is an important step, as even the best systems cannot protect the industry, when the persons having authorized access do not understand the risks and the modus operandi of the attackers.

Cybersecurity was not historically a major component of healthcare management. Month after month the industry is evolving into an increasingly digital environment, and in today’s threat landscape, healthcare organizations have cybersecurity professionals on staff, establish security policies and procedures, follow corporate governance best practices, ensure C-suite support and board involvement in understanding risks and countermeasures, and train all persons that have access to sensitive data.

A very significant priority is to ensure that each user who has access to sensitive data is well-trained and able to use data efficiently for the appropriate purpose. Cybersecurity leads to inconvenience by design. Only when users understand the risks and the need for countermeasures, they do not cut corners and they follow the policies and the procedures.

We always tailor our training programs to meet specific requirements. You may contact us to discuss your needs.


Modules of the tailor-made training

Introduction.

- Important developments in the healthcare industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

An overview of some of the attacks described below, that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

- March 2016, 21st Century Oncology reveals that 2.2 million patients’ personal information may have been stolen, including patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

- September 2020, a ransomware attack to Universal Health Systems caused affected hospitals to revert to manual backups, divert ambulances, and reschedule surgeries.

- May 2022, hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island, affecting health services.

- January 2022, a hacking group breached several German pharma and tech firms. According to the German government, it was primarily an attempt to steal intellectual property.

- January 2022, hackers breached systems belonging to the International Committee of the Red Cross, gaining access to data on more than 500,000 people and disrupting their services around the world.

- March 2021, intelligence services targeted the European Medicines Agency, stealing documents relating to COVID-19 vaccines and medicines.

- December 2020, hackers accessed data related to the COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted COVID-19 vaccine developer AstraZeneca by posing as recruiters and sending the company’s employees fake job offers that included malware.

- May 2018, attackers used Facebook Messenger to distribute spyware to targets in the Middle East, Afghanistan, and India in an attempt to compromise government officials, medical professionals, and others.

- April 2019, pharmaceutical company Bayer announced it had prevented an attack targeting sensitive intellectual property.

- February 2013 - Community Health Systems, Inc. was notified by Fortra, LLC, a third party vendor, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of data.

- How could all these attacks succeed? Can we prevent challenges like the above?


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the healthcare industry.

- Professional criminals and information warriors.

- Cyber attacks against doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 - Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: Which is the risk for the healthcare industry?


What must be protected?

- Best practices for managers, employees, doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices.

- Untrusted storage devices.


Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- March 2016, 21st Century Oncology attack.

- September 2020, Universal Health Systems attack.

- May 2022, Greenland’s healthcare system attack.

- January 2022, German pharma and tech firms attack.

- January 2022, International Committee of the Red Cross attack.

- March 2021, European Medicines Agency.

- December 2020, COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted AstraZeneca by posing as recruiters.

- May 2018, Facebook Messenger to distribute spyware to medical professionals.

- April 2019, Bayer announced it had prevented an attack targeting sensitive intellectual property.

- February 2013 - Community Health Systems, Inc. was notified by Fortra, LLC, a third party vendor, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of data.

- What has happened? Why has it happened? Which were the consequences? How could it be avoided? What can we learn from that?


Closing remarks and questions.


Target Audience

The program is beneficial to all persons working for the healthcare industry (medical care, administration, research, sales, and consulting). It has been designed for doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.


Duration

One hour to one day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Delivery format of the training program

a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers and employees etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH that is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.

b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH that are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.

c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH that are approved by the Client tailor the training content according to the needs of the Client and the Contract, and they record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos to their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Cyber Risk GmbH, some of our clients