Dean Taylor, director of global cybersecurity operations for Keysight Technologies, recently spoke to MGMA about the imperative to ensure medical practice employees understand their role in ensuring cybersecurity as more workers shift to teleworking arrangements.
Q. What are the risks and vulnerabilities from more people teleworking during the pandemic?
A. When you're sitting in your office, when you're sitting at work, there are a number of layers of defense that your company has put in place to protect your company assets. … Because of COVID-19, [many people] are now working from home. So in a lot of cases, that means that they're outside of the corporate protections. With VPN solutions and those types of things in place, some of those protections are still there. But with things like split tunneling on VPNs, there's still more exposure for the endpoints, which is generally the largest attack surface that a company has, especially with mobile devices — laptops and those types of things — leaving the company and going out. That is definitely a concern.
Q. What other things should employers in healthcare look out for going forward?
A. We know that phishing attempts are going to be extremely high right now. … The bad actors in the world are going to use [COVID-19] to try and compromise credentials. From a business continuity perspective, there's clearly a concern when it comes to staffing. … Most teams right now are running pretty lean from an IT perspective, so it would not take a significant amount of infections across your team to dramatically under-staff your team. This is something that is very difficult to plan for.
Q. Can you briefly describe what a phishing attempt looks like?
A. A lot of people think that companies get hacked a lot now, and that is simply not the case. Most businesses’ security compromises do not come from attackers penetrating your network. … In most cases, breaches or compromises to a company's network come from a bad guy sending a mass email to a lot of people in your organization, and it only takes one or two of them to click on a link, and that installs malware on their machine and harvests their credentials. … Most of them are simply logging on with credentials that they've stolen via phishing. So phishing is definitely kind of the main attack vector that we are watching right now.
Q. As restrictions on telehealth services are lifted for healthcare providers, do you see medical providers as being more affected by security threats than other industries?
A. I actually don't believe that there's any one industry that is going to be more targeted than another. The motivation for a lot of these folks is monetary. If there's a way to monetize the payloads that they're bringing out of your network, [the threat is] going to be there. … I honestly think that everyone is at equal risk. There's something to be said for if you have a larger footprint — for instance, if you're a Fortune 500 company or if you're in the news for having good stock performance — those are some things that the bad guys are looking for.
Q. What advice would you give for preventing cyberattacks?
A. The single best answer is to be skeptical of anything that you get or see on the internet. I tell my family and friends, “there's nothing free on the internet.” And if something is actually free on the internet, you're the product. So be skeptical if you see an email that you don't know exactly what it is. Do not go to websites that you do not trust. At the end of the day, the best protection is simply being skeptical — being mindful of the fact that there are people out there that are looking to harvest your information and just not giving them the opportunity to do so. Companies and security teams are doing their best from a technology perspective to protect companies, and there's a lot of layered defense options that are in place. But at the end of the day, you're the one who has to protect yourself in a lot of these cases.
If you get someone who says, “we need you to verify your username and password before we can help you,” stop, because almost no company, no entity is going to ask you to do that via email. Stop, close the website, call them and ask them, “Did you just ask me to do this?” Because in most cases, the answer is no. Because companies don't ask for usernames and passwords over the phone, because they have it. They don't need you to tell them what it is. They know what it is. If anything comes across like that, your best bet is just to simply stop what you're doing, hang up the phone and call the company directly and find out if they're trying to get ahold of you.
Q. What’s the best protection a business can take to reduce exposure as more workers shift to working from home?
A. A layered defense is a great way to go. … From a teleworking perspective, people need to realize they are members of the cybersecurity team that their company has. … Everyone is responsible for the security of the company. It's not just the security team’s responsibility. … The single best thing we can do as individuals is just be mindful that there are bad people out there and they are trying to get your stuff, whether you think it's an important piece of data or not. Denying them that by being skeptical and being mindful is the best defense.