How to Prevent “Smash & Grab” Cyberattacks

“Smash & grab” robberies at retail stores often start with a stolen truck ramming through a storefront in the middle of the night. That’s why so many convenience stores have sturdy bollards out front to prevent such an attack. Unfortunately, smash & grab cyber incidents in healthcare are on the rise — and security fundamentals are the “bollards” you need to protect your digital environment.
For years, most healthcare breaches were leisurely. The threat actor would gain entry to an environment and hang around for six months to a year, sometimes longer. They would bide their time and wait. But about two years ago, things started to change. Threat actors today typically stick around for just 30-60 days, stealing what they can before launching a final attack such as ransomware.
The solution is to keep your most sensitive data out of the most obvious and easy-to-reach places — which in most cases are the network shared drives. Physicians, nurses, finance people — all kinds of employees — have access to these drives. But there are often very few controls placed on those drives, and sometimes they contain sensitive patient data. For example, I’ve seen cases where Covid-19 test data (including driver’s license info from drive-through testing) was dumped onto a shared drive for later entry into the EMR.
Anytime I get a call about a ransomware case or a situation where there’s possible data exfiltration, the first question I ask is: “Where’s your network shared drive?” And the answer is usually “Oh, they couldn’t have gotten to that.” But almost always, there’s evidence that the threat actor at least attempted to open that treasure box.
That’s why I’m a big fan of security fundamentals. The best way to prevent a smash & grab attack is to follow sound, fundamental cybersecurity principles. Log-in passwords should be complex, and there should be multi-factor authentication (MFA) on all your external resources. At a minimum, nobody should be able to get into your environment from outside without hitting some type of MFA or VPN requirement.
You should also have a reputable endpoint detection and response (EDR) platform, managed by a company that monitors it 24/7 and alerts you when there's something suspicious. This can potentially stop malicious payloads or unauthorized access from progressing if they do make it in. So it's imperative to actively monitor your environment while remediating vulnerabilities.
Some healthcare organizations fail to do regular audits of their user base. It's really important to promptly disable the accounts of employees who have left the organization so they can no longer log in. It takes a mature cybersecurity program with multiple layers of defenses to truly harden an infrastructure.
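One way to run the user-base audit described above, as an added example that is not part of the original article: the script cross-references an HR roster with a directory export and flags enabled accounts that belong to departed employees, have no HR record, or have gone unused. The CSV column names, the sample rows and the `audit_accounts` helper are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions, not a real product's export format.
HR_ROSTER = """employee_id,name,status,termination_date
1001,A. Rivera,active,
1002,B. Chen,terminated,2024-03-01
1003,C. Okafor,terminated,2024-05-20
"""

DIRECTORY_EXPORT = """username,employee_id,enabled,last_logon
arivera,1001,true,2024-06-01
bchen,1002,true,2024-04-15
cokafor,1003,false,2024-05-19
svc-scan,,true,2023-01-10
jdoe,1009,true,2024-05-30
"""


def audit_accounts(hr_csv, directory_csv, today, stale_days=90):
    """Return (username, finding) pairs for enabled accounts that need review."""
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        person = hr.get(acct["employee_id"])
        last_logon = date.fromisoformat(acct["last_logon"])
        if person is None:
            # No matching HR record: service account or orphan, needs an owner.
            findings.append((acct["username"], "enabled, no HR record"))
        elif person["status"] == "terminated":
            left = date.fromisoformat(person["termination_date"])
            note = f"enabled {(today - left).days} days after termination"
            if last_logon > left:
                note += ", logon after termination"
            findings.append((acct["username"], note))
        elif (today - last_logon).days > stale_days:
            findings.append((acct["username"], "enabled, stale logon"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 6, 10)):
        print(f"{user}: {finding}")
```

A logon recorded after the termination date is the finding to escalate first, since it means the account was used after the person left.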
Here are some common excuses for not sticking to security fundamentals: “We only had enough in our budget to get a certain number of licenses, so we could only cover a percentage of our external perimeter.” Or maybe: “We were in the middle of implementing MFA on all our resources and we didn’t get to that one yet.” That was one of the root causes of the Change Healthcare breach. The company was in the process of auditing newly acquired assets to see if anything was missing from its standard security practices — and they got hit before that particular system could be audited.
With a smash & grab attack, the motivation is almost always financial. Sometimes a threat actor isn’t looking to steal patient data for resale on the black market. In the last year, there’s been a significant increase in incidents where cyber-criminals target a physician personally with the intent of gaining access to that doctor’s HR records in order to divert a paycheck from the doctor’s bank account to another account.
While cyber intruders intent on either corporate or state-sponsored espionage may hang around for months, if not years, most healthcare hackers today prefer to strike quickly and make a speedy exit. The best way to prevent smash & grab attacks is to safeguard shared drives and implement MFA protection in a timely manner.