Digital Infrastructure in Healthcare is Under Attack: Here’s What We Can Do About It

By Christophe Van de Weyer, CEO, Telesign

Fifty-eight percent of consumers are more fearful of becoming a victim of fraud now than they were two years ago, according to The 2024 Trust Index Report.

It’s no surprise considering the world’s critical digital infrastructure — especially healthcare — is under attack by state-affiliated groups operating overseas. This is a serious, underreported issue that deserves more attention.

Fortunately, there are steps that healthcare companies, and those in other sectors, can take to bolster the defense of their data and operations.

Case in point: on February 21, UnitedHealth Group was the target of a devastating cyber-attack. The ransomware attack was carried out by the Russia-based group ALPHV, also known as BlackCat. It was specifically focused on their subsidiary, Change Healthcare, which handles 14 billion clinical, financial, and operational transactions annually.

The attack disrupted the financial operations of 94% of hospitals nationwide, with estimated losses totaling approximately $1 billion. In addition, the criminals who carried out the attack, according to CBS News, stole “more than six terabytes of data, including ‘sensitive’ medical records.” Some or all of that data may have ended up on the dark web.

United Healthcare admitted that stolen credentials — and the lack of multifactor authentication (MFA) — led to the successful intrusion into their company.

Unfortunately, this is far from the first digital assault on our healthcare system. For example, in November, Tri-City Medical Center in San Diego had to divert ambulances and patients to other facilities after a cyberattack. As Data Breach Today reported, it was “among a rash of similarly disruptive ransomware and other cyber incidents that have been relentlessly hitting healthcare sector entities, including regional hospitals, in recent years, months and weeks.”

Some hospitals have had to shut down permanently and others have been pushed into financial jeopardy due to the increased onslaught of digital intrusions. Yet these disturbing developments struggle to break through in the national media. Most Americans and policymakers appear unaware of the extent of the threat to the medical care our families depend on.

So, what should the managers of these vital digital infrastructures do about the increased assaults on their critical services? Let me start with what we shouldn’t do: cut cybersecurity spending. I was alarmed by reports last year that almost half of businesses were planning to cut cybersecurity headcount in 2024. Let’s be clear: now is the time to bolster, not cut, our defenses against cybercrime. Not just in healthcare, but across the entire economy. Nearly 90% of consumers report being victims of fraud, and organizations report losing 5% of revenues each year, which amounts to billions of dollars lost annually.

To address the rising tide of digital crime, healthcare and other organizations should start with far better training for IT departments. Criminals are incredibly savvy. They find success by calling IT desks to request password and device resets. They call armed with rudimentary information, culled from the Internet, that allows them to pose as legitimate employees. They use it to persuade IT staff members to violate company policy and reset login safeguards. Once inside, a cyber-criminal can cause tens of millions of dollars in damage. These costs can be accompanied by stock-value plunges, reputational harm, and regulatory scrutiny.

That’s why companies need to ensure that all IT team members know how to follow company policies to the letter. Further, IT staff must trust that they have leadership’s backing when employees (or cyber-criminals posing as employees) complain about the enforcement of those policies.

Looking beyond IT departments, every employee in every organization needs better training on the latest forms of digital fraud. Why? Fraudsters think of any employee as a potential entry point into an organization’s digital infrastructure.

Organizations also need to embrace multifactor authentication (MFA) as a default standard. What that means is that anyone logging in or transacting must have not only a password, but also a second or third “factor,” such as a mobile phone, biometric scan, or physical key, to be used in concert with that password. This way, when one factor fails, such as through the use of a password purchased on the dark web, the other factors provide additional safeguards. Each of us is already well familiar with MFA, which is most frequently used in high-stakes settings, such as logging into a bank account. Its use must be broadened to safeguard against attacks, such as the one that devastated United Healthcare.

Those who wish to do harm to free countries by targeting healthcare and other critical infrastructure, and those who seek to profit from digital intrusions, will continue to adapt. Unfortunately, there is no silver bullet to stop every attack. But we can do far better at protecting against them. We need to invest in, not cut, cybersecurity protections. We must better train IT and other personnel. And we must adopt MFA as the automatic standard at all digital entry points. The stakes are high and the time to act is now.