Pentatonix…I Mean, Hallelujah Penetration Test

By: Kenlyn T. Gretz, Ridiculously Nice President and CEO

An email arrives in your inbox with an attachment. It is from a partner that your healthcare organization does business with. The attachment is generically named “report.xlsx”, the subject line is “Your Request”, and it is signed by Jeff Barker from Warner Health Care Solutions. You think to yourself, “Hmmm, I think we used a company named Warner a few years back. Is this something our CFO told me I would be getting an email about? Should I open the attachment? Should I reply to the email?”

October was Cybersecurity Awareness Month, and the more aware you are, the better! The saying at Americollect is “think before you click,” and we train our team on why it matters. The email described above is often the start of a ransomware attack: an encryption engine starts encrypting the documents and files in every directory your healthcare computers can reach, and then a “hacker” demands money. This has been in the news recently and is happening to healthcare systems around the United States. The FBI’s response has been, “Just pay the ransom.”

The attachment described above carried an embedded .exe file that runs when the attachment is opened. It may not display an “I Got You!” message. The “report.xlsx” file may simply appear blank, so you close it and delete the email. “Oh good, nothing bad happened” – but it did. In the background the ransomware is spreading through your system, encrypting every document it can find in every folder! Five hours later, your IT department calls you and asks, “Did you open a suspicious email earlier today?”
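A practitioner’s version of “think before you click” for the attachment above, as an added example (not code from the original post or from Americollect): an .xlsx is a ZIP archive, so embedded OLE objects under xl/embeddings/ and a VBA project at xl/vbaProject.bin can be listed before the file is ever opened in Excel, and a file named .xlsx that is not a ZIP at all is not a spreadsheet. Those part names are standard Office Open XML; the sample attachments are constructed in memory and contain no real malware, and the function names and verdict strings are this example’s own.

```python
"""Triage a 'report.xlsx'-style attachment for embedded payloads.

Added example; not code from the original post or from Americollect.
An Office Open XML file (.xlsx, .docx) is a ZIP archive: embedded OLE
objects are stored under xl/embeddings/ (word/embeddings/ for Word) and
VBA macros in xl/vbaProject.bin. Those part names are standard OOXML;
the sample attachments below are constructed in memory for the demo.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                        # local file header of a ZIP
MZ_MAGIC = b"MZ"                                 # DOS/PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def looks_executable(blob: bytes) -> bool:
    """A raw PE starts with MZ; an executable that Office has wrapped in an
    OLE2 container still carries its PE signature inside the stream."""
    return blob.startswith(MZ_MAGIC) or b"PE\x00\x00" in blob


def triage_attachment(data: bytes) -> dict:
    """Classify attachment bytes. Returns a dict of findings plus a verdict."""
    findings = {
        "is_ooxml": data.startswith(ZIP_MAGIC),
        "embedded_objects": [],
        "executables": [],
        "macros": False,
    }
    # A file named .xlsx that is not a ZIP is not a spreadsheet at all
    # (an .exe with a renamed extension is the crudest version of this lure).
    if not findings["is_ooxml"]:
        findings["verdict"] = "not an OOXML document: do not open"
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if "/embeddings/" in lower:
                    findings["embedded_objects"].append(name)
                    if looks_executable(zf.read(name)):
                        findings["executables"].append(name)
                if lower.endswith("vbaproject.bin"):
                    findings["macros"] = True
    except zipfile.BadZipFile:
        findings["is_ooxml"] = False
        findings["verdict"] = "corrupt or disguised archive: do not open"
        return findings
    if findings["executables"]:
        findings["verdict"] = "embedded executable: quarantine"
    elif findings["macros"] or findings["embedded_objects"]:
        findings["verdict"] = "macros or embedded objects present: open only in a sandbox"
    else:
        findings["verdict"] = "no embedded content found"
    return findings


def _build_ooxml(extra_parts: dict) -> bytes:
    """Constructed sample: a minimal workbook plus any extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for name, blob in extra_parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples (not real malware): a blank workbook, the same
# workbook with a macro project and an OLE-wrapped fake PE, and a bare
# fake PE renamed to .xlsx.
FAKE_PE = MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
BLANK_REPORT = _build_ooxml({})
LURE_REPORT = _build_ooxml({
    "xl/vbaProject.bin": OLE_MAGIC + b"\x00" * 504,
    "xl/embeddings/oleObject1.bin": OLE_MAGIC + b"\x00" * 504 + FAKE_PE,
})
RENAMED_EXE = FAKE_PE

if __name__ == "__main__":
    samples = [("blank", BLANK_REPORT), ("lure", LURE_REPORT), ("renamed", RENAMED_EXE)]
    for label, data in samples:
        print(label, "->", triage_attachment(data)["verdict"])
```

The check is deliberately conservative: any embedded object or macro project is enough to route the file to a sandbox, and the PE-signature scan only upgrades the verdict to quarantine. A mail gateway or a helpdesk triage script can run this on the raw attachment without Excel ever parsing it.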

In January 2016, Americollect received a 470-question document from the State of Massachusetts asking about our security controls. As our IT team worked through the questions, we realized we could tighten our security even further. So we started with Duo two-factor authentication for Citrix logins, sophisticated intrusion detection systems, stronger web filters, more complex password requirements, phishing testing, co-worker cybersecurity training, and penetration tests of internal and external network access points. Additional resources were spent on this because I would rather spend on increasing our cybersecurity than on paying some ransomware pirate or on super-expensive cybersecurity insurance.

We have had a few clients ask us about cyber insurance. Cyber insurance pays the cost of notifying consumers if there is a data breach. In my mind, that is too late; the damage is done. It is like preventive healthcare: wouldn’t you rather spend money on staying healthy than on being ill? Require your vendors to prove their security with audits and certifications. That is where the money should be spent: on protection.

We hired an outside penetration testing firm from Tampa, Florida, named KirkpatrickPrice. KirkpatrickPrice has years of experience in this field and did a thorough job. They have “white hats” who, in simple terms, try to break in to your networks from the outside. They also test from the position of someone already inside the network (a co-worker) and try to reach areas that person is not authorized to access. Our Network Administrator, Alex Hartlaub, explains that “white hats” are hackers for the good guys. Alex worked with the team to administer the test and to review the areas of improvement once the test was completed. After thorough examination, we had a report that showed 11 areas of improvement.

In all cases, the “white hats” were not able to access any data. The 11 areas of improvement were resolved within two weeks! We plan to continue doing penetration tests to make sure we stay ahead of the “hackers” who are continuously trying new things. Our clients’ data is too important to risk a breach or hack.

Take cybersecurity issues, hacking, data breaches, and ransomware seriously, and stay ahead of the attacks. Double check, even triple check, with your vendors to ensure they are doing everything possible to keep your patients’ information secure!
