As time goes by, we keep hearing more horror stories of organisations being hit with cyber-attacks, costing hundreds of thousands of pounds and becoming increasingly difficult to rectify. At the start of the pandemic, cybercrime rates increased by 667%.
The past year has seen the largest increase of Phishing, Smishing and Social Engineering attacks on record. Suffering a breach can be crippling for any organisation that isn’t cyber secure.
Care homes continue to be high-value targets for criminals, making it incredibly important to ensure that you are well equipped to prevent any kind of cyber-attack from affecting you.
The important thing to remember about the cybercrime industry is that nothing is off-limits. No matter the good that organisations such as care homes bring to society, they will always be worthy targets for cybercriminals who pay little regard to the consequences of their actions.
Why Would a Cybercriminal Target a Care Home?
1. Sensitive Data
Care homes hold a lot of sensitive PII (personally identifiable information) on residents and their kin, such as health records, financial and contact information. This kind of data is highly valuable in the world of cybercrime as it can be sold for profit and can be used to form highly targeted phishing attacks, equalling higher success rates and profit.
2. Financial Gain
Any business or charity that is funded or generates revenue is a worthwhile target for cybercriminals.
3. Less Secure
Typically, cybersecurity is seen as less of a priority in care homes due to lack of funds and other more important areas.
4. Outdated IT
Technology such as servers and operating systems are typically out of date, therefore are left unpatched and can be easily accessed by criminals through known methods of exploitation.
5. Residents
Sometimes care homes are targeted to gain access to their residents. Typically, senior residents are likely to lose more to cyber-attacks than any other age group.
What are the Current Cyber Threats Affecting Care Homes?
Ransomware
Without doubt, the largest threat that continues to ravage care homes is Ransomware. Ransomware is a specific type of Malware (malicious software) that encrypts your files and demands a ransom to be paid to regain access. Often the ransom continues to rise and there is no guarantee that all of your files will be returned if it is paid.
Care homes are particularly favourable targets as they prove to be less able to stop sophisticated attacks, such as Ransomware. 1In a report carried out across January and February this year by reputable cyber security leaders; Sophos, the healthcare sector proved to score above the cross-sector average of cybercriminals succeeding in encrypting data (65% compared to the cross-sector average of 54%) and below average in stopping attacks before data is encrypted (28% compared to the cross-sector average of 39%).
Of course, a Ransomware attack is only successful for the criminal if the ransom is paid. Sophos reported that 34% of healthcare establishments paid to get their data back.
Removing Ransomware and restoring files is one of the most difficult tasks in cybersecurity today. Though it is wise to ensure you have a number of regular backups, it is not recommended to solely rely upon this to solve the problem. The cost of downtime alone far outweighs the cost to prevent these attacks from happening in the first place.
Targeted Phishing (Spear Phishing)
Phishing emails have evolved. The threat no longer lies with spam or generic scams such as competition prizes and banking emails. Highly targeted phishing emails known as spear phishing are the most popular modern threat. This is where criminals do background research to find compelling details such as familiar names, email addresses and content that is relevant to you as an individual. They then target you with seemingly legitimate phishing emails to either farm sensitive information or gain access to the care home’s critical IT systems.
Examples include emails impersonating board members, perhaps asking you to open or click a link to view and important document, emails from the local council announcing a fake road closure nearby that would affect your route to work or emails impersonating residents and their families.
Residents can also be targeted. 2A recent scam saw some residents in Scotland being offered £500 in compensation from the government around Coronavirus.
Clicking a malicious link or attachment in a phishing email can be all it takes for an attack to be successful. This could initiate the download of Malware or send the victim to a phishing website used to harvest information such as login credentials or finance details.
SMSishing (SMS Phishing)
Similar to phishing emails, SMSishing attacks have exponentially increased over the past 12-24 months. This is where criminals use text messages as their attack vector to send short but effective messages to individuals, looking to trick them into clicking a malicious link or providing sensitive information. Other messaging apps such as WhatsApp are also now being exploited to deliver these types of attacks.
If your care home workers have work-purpose mobile devices or if they have access to your IT systems via their personal devices (such as email access), this can be a huge risk as falling victim to a personal attack could allow cybercriminals access to your critical files and applications.
Social Engineering
If it isn’t a phishing email or text message that you are receiving, it is likely to be a phone call. Criminals are prepared to go to these lengths to force an employee to divulge information if you are being targeted. This method is responsible for some of the largest data breaches in modern history, such as the attack suffered by Twitter in 2020.
Social engineering attacks share similarities with Phishing and Smishing attacks in that impersonation tactics are usually employed to lead the victim into a false sense of security.
Again, this could be a criminal impersonating one of your IT providers, informing you of an issue with your account and requesting your login credentials so they can fix it or they could be impersonating a funder or partner, requesting payment to be made.
What Measures can you Take to Protect your Care Home and Residents from Targeted Cybercrime?
A layered approach to cybersecurity is without doubt the best way to build the best possible defence against cybercrime.
1. Cover your Employees First
Security technology is essential, though the importance of ensuring staff members are regularly trained and kept vigilant towards the latest threats can sometimes go overlooked. Cyber Security Awareness provide a unique, fully managed service which raises staff awareness towards targeted cybercrime, trains them with the latest tools and techniques necessary to prevent an attack from formulating and most importantly, keep them vigilant with regular simulated phishing tests and remedial training to ensure the same mistakes are not being made.
An effective training and testing service is the number one way to reduce the risk of falling victim to cybercrime.
2. Understand where your Vulnerabilities are
Vulnerability exposure should be the first consideration in your care home’s security strategy, as without it, everything else you have in place won’t protect you.
Understand where your current vulnerabilities are with a Vulnerability Assessment and test how robust your cyber security posture is with Penetration Testing.
3. Secure the Most Common Attack Vector, Email
Invest in a good email security platform to start filtering out spam and malicious emails. We recommend Vipre, Mimecast and ProofPoint as high-level solutions.
4. Deploy Multi-Factor Authentication (MFA)
Having multiple steps of authentication across your care home network and applications is a simple and effective way to prevent unwanted attackers from gaining access.
5. Prevent Harmful Files from Executing
Use a ‘next-generation’ endpoint solution to prevent devices from executing Malware. This is an essential solution to prevent Ransomware from affecting your care home.
6. Have an Incident Response Plan Ready for When you Need it
Prevention should always be key, though your care home should also have an incident response plan ready in case the worst is to happen. We offer free incident response to any care home that suffers a breach.
Conclusion
Cyber security is an ongoing process of adapting and evolving to protect against the latest threats. The gap between new advanced threats and cyber security technology has closed significantly in the past 5 years with the introduction of ‘next-generation’ services and solutions. Though the underlying message is that technology should not be solely relied upon to keep a care home secure. It is as much the employee’s responsibility to be cyber-aware and vigilant as it is the technological measures you put in place to protect the care home from falling victim to an attack.
Footnote:
