What are Threat Vectors in Healthcare?

Threat vectors, or attack vectors, are the avenues that hackers and cybercriminals use to breach systems and access information they are not authorized to see. In healthcare, hackers steal medical records for personal gain, so it’s essential to block these vectors. In this post, we will go in-depth to help you and your team understand the threat and protect your patients.

Cybercrime attacks are on the rise

When the COVID-19 pandemic began in early 2020, it became immediately apparent that in-person appointments were riskier than before. To reduce the threat to healthcare professionals, healthcare became more digitized and remote. Unfortunately, this made the healthcare industry an even more enticing target for hackers and cybercriminals. 

According to the Protenus Breach Barometer 2021, health data breaches increased 30% in 2020 compared to 2019. Of the 758 breaches reported in 2020, data was only available for 609. These 609 breaches affected 40.7 million records.

The HIPAA Breach Notification Rule requires covered entities to immediately report only those breaches that affect more than 500 people. All smaller breaches can be submitted annually to HHS. The Breach Barometer does not include these unreported breaches, implying that the real numbers are even higher.

According to Experian, breached records are highly valuable to data vendors on the black market. It reports that medical records are worth up to $1,000 for a complete history. That makes them the second most valuable personal document, behind passports.

The potential for fast profit could be likened to bank robbery, but at much lower risk. According to Capital Counselor, only 14% of bank robberies go unresolved. Hackers, on the other hand, have sophisticated measures to cover their tracks. Furthermore, hackers can be so discreet that they aren’t noticed for an average of 206 days.

This is especially grim for healthcare, where major breaches likely mean HIPAA violations. Hacking isn’t just something that happens, though. It takes great skill and knowledge to breach most systems.

We know that hackers are making it into these systems, but how are they doing it?

What is a threat vector?

A threat vector, or attack vector, is an avenue of weakness that’s likely to be attacked by a hacker. Imagine you are trying to break into a castle. You’d likely never make it in by chipping away at the outer wall; it’s easier to find a back door.

Hackers target the easiest point of entry possible. There are six primary points of accessing computer systems: network, users, email, web applications, remote access portals, and mobile devices. 

Furthermore, there are two types of threat vectors: programming and social engineering. 

Programming threat vectors are probably what you imagine when you hear the word “hacking.” These are the viruses, trojans, ransomware, and other weaponized types of code. They require skill and time to develop, and a new type of attack can especially blindside healthcare organizations.

Social engineering threat vectors target the individuals who have access to a system. Rather than using complicated code to break through the various firewalls and other security functions, hackers using social engineering threat vectors try to trick these individuals into disclosing their passwords.

With so many avenues of accessing sensitive information, it’s not enough to just have a secure website. You could have the most secure website in the world from a technical standpoint, but these measures could all mean nothing if employees are disgruntled or don’t have the “street smarts” of safe internet navigation. 

If you’ve seen fake posts with a link promising wildly discounted name brand sunglasses, you’ve seen social engineering threat vectors. You may have easily seen through the ruse, but there are people who fall for these scams.

While some attack vectors are obvious, as in this example, not all will be. Hackers are crafty, and their attack methods are constantly evolving.

Why do hackers target threat vectors?

Asking why hackers target threat vectors is like asking why burglars target doors and windows. The easiest way to enter a computer system or home is to go through an existing entrance. Hackers have more complicated methods of entry than finding a key under the doormat or smashing a window. 

The driving force behind targeting these attack vectors is also like that of a burglar: money. While a burglar may steal jewelry, electronics, and other precious items to sell, hackers want data.

With a complete medical history valued upwards of $1,000 on the black market, it’s easy to understand the incentive. This value range means the 40.7+ million records breached in the United States in 2020 are worth a fortune. 

Not all hackers who breach medical systems aim to sell medical records on the dark web, however. Ransomware attacks cost healthcare organizations over $20.8 billion in 2020.

If you’re unfamiliar with ransomware, it’s a pretty simple yet effective option for hackers. Once they’ve accessed the computer system they wish to attack, they inject code that encrypts all the server’s data.

Next, they send their ransom note. The ransom averaged nearly $170,000 in 2020. Healthcare providers can’t just call it a wash, and there’s generally no way to track down the hacker. This means their only option is to pay up.

Payments are often demanded in cryptocurrencies to prevent tracking. Once the hacker receives payment, they decrypt the files and move on.

Ransomware affected over 18 million records in 2020, a 470% increase compared to 2019. As this trend continues upward, protecting threat vectors is increasingly important. To guard against attack vectors, you should understand how they are targeted.

How do hackers target threat vectors?

Hackers targeting protected health information use different methods of attack depending on the type of threat vector. The reason for the attack also affects the method. In addition to programming vs. social engineering, you should keep in mind passive vs. active.

An active attack attempts to affect a system or system operations. A passive attack is harder to detect because it aims to gain information without affecting the system. 

Regardless of the specifics, cyber-attacks are made against the aforementioned six primary points of accessing computer systems. These are network, users, email, web applications, remote access portals, and mobile devices. 

For example, a ransomware attack against a healthcare provider would be an active attack because it makes the data inaccessible. This type of attack will generally work quickly to encrypt the data before it can be detected.

Injecting ransomware code can be either a programming or social engineering attack, based on the security of the website. If a skilled hacker manages to find a weakness on an organization’s website, they may try to breach it. Generally speaking, this should be rare thanks to the strict regulations imposed by the HIPAA Security Rule.

If the website is unbreachable with a programming attack, you may think half the battle has been won. Unfortunately, this is closer to just 5% of the battle.

According to the IBM Cyber Security Intelligence Index Report, “Human error was a major contributing cause in 95% of all breaches.” Mitigating human error is essential for preventing most attacks, which means healthcare organizations must push internet safety.

Unfortunately, internet safety skills are not universal, and even the most tech-savvy can make mistakes. This means that poor security practices by members of your organization can provide a new avenue of attack.

Social Engineering Attacks and Your Staff

Because such a large majority of system breaches are caused by human error, it’s important to promote a security culture. This means you need to change your staff’s internet behavior to be as safe as possible. In this section, we’ll cover some of the key tips for preventing hackers from accessing your system through your staff.

Back up your files to a HIPAA-compliant cloud service or alternate server regularly. While this won’t prevent hackers from breaching your system, it will reduce downtime in the case of ransomware infection.

Change your passwords regularly, and create unique passwords for each website and account. While it’s tempting to use just a couple of different passwords for the ease of memory, it jeopardizes all your accounts. This goes doubly for email addresses, which can provide an avenue into most other accounts via password recovery.

Use two-factor authentication (2FA) to strengthen account security. 2FA requires a user to enter a one-time code at login to help ensure the correct user is signing in. The code generally comes from either an SMS message or Google Authenticator. With 2FA, hackers are powerless even with your password.

Be careful what links you click from emails. Double-check email addresses before clicking on links you receive. Be extremely cautious if you do not recognize the sender or if you are not expecting to receive a link. A fake link could inject ransomware, keyloggers, trojans, and all sorts of nasty viruses.

Follow your instincts, but always err on the side of caution. If an offer sounds too good to be true, it probably is. If a website looks suspicious, navigate away. Hackers can’t perform social engineering attacks without user interaction, so it’s essential to actively avoid putting your data at risk.

Responding to a cyber attack

The first step of responding to a cyber attack is becoming aware of the cyber attack. With aggressive active attacks, it’s easy to tell when there’s an issue. When a virus is designed to lurk in a system to either provide the hacker an easy access point or export data over time, it can be difficult to notice it without constant vigilance.

Your IT staff should be running regular scans to root out any malicious or corrupted files. If there’s a breach of protected health information caused by a virus, performing your due diligence will help minimize penalties. In many cases, however, files can be compromised the minute a hacker gains access to the system they’re in.

Despite firewalls, antivirus software, and other safeguards, healthcare organizations are being attacked constantly. Let’s talk about what you can and must do if malware reaches the system.

First, make sure your team feels comfortable reporting their mistakes. It’s bad for an employee to open a fraudulent link, but it’s worse for them to try to hide it. The longer malware sits in a computer system, the more information it can steal.

Next, unless the attack is a ransomware attack, take the server offline to prevent the malware from spreading. If there’s reason to believe additional servers have been affected, it’s a good idea to take them offline too. This will give your IT team a chance to find and delete the malicious files.

If the attack is a ransomware attack and you will be paying the ransom, you should not delete the ransomware. There is a chance the decryption key must be administered by the ransomware, and deleting it would leave your data encrypted.

Next, you must report the breach based on the regulations set by the Breach Notification Rule.

ChartRequest guards threat vectors

The main threat vector for most online activity is the user. ChartRequest aims to provide a streamlined, secure medical records exchange process. That’s why we’ve taken special measures to mitigate the attack vectors present throughout the release process.

With our health information management features, an organization’s administrators can allow or deny access to various aspects of the medical records exchange process. Allowing fewer accounts to view and interact with medical records reduces the chance of a breach disclosing medical information.

While some organizations will accept medical records requests submitted via email, this method requires downloading and storing the authorization form. This could be the perfect cover for a hacker with a string of malicious code. Just one click on the download link, and the system is at risk.

ChartRequest provides an avenue for the electronic exchange of medical records without the need to download and file authorization forms. Our automatic audit log also tracks every interaction with every single request, making it easy to see any unauthorized access.

Our account verification system further protects against attack vectors by removing the anonymity that hackers enjoy. Your team can also communicate with patients via the provider chat function built into each request. Unlike email, this can be done with the confidence that the right person is on the other end.

If you would like to help your team save even more administrative time and further reduce the chances of your users being targeted as an attack vector during the release of information, consider our Full-Service plan. Once upgraded, our team of HIPAA and security experts will handle the entire process so you don’t have to. 
