Being a Human Firewall: Cybersecurity in Health (Michelle Middleton)

By Michelle Middleton

2nd Year Health Management Intern

Publication date: 24 March 2022

In October 2019, multiple Victorian health services suffered ransomware cyberattacks, taking crucial systems offline and interrupting services (1). Compared to some, they got off lightly.

Cyber attacks can lead to life-support equipment such as ventilators becoming non-functional, medical devices malfunctioning and hospital critical systems such as water cooling rendered useless – all of which can cause fatal outcomes. If patient information is corrupted, diagnoses and allergies could be missed, leading to potentially dangerous care. If chemotherapy protocols are impacted – as they were in an attack at a Vermont Hospital in 2020 – this can result in poorer patient outcomes due to delayed treatment (2-5).

Health service cyberattacks undermine the three domains of data security: data confidentiality, data integrity, and the availability of service (6).

According to the World Economic Forum, there has been a more than 350% increase in cybercrime (malware and ransomware) during the pandemic, as more of the population works remotely and there is an increased reliance on digital systems and technology to deliver services. 95% of cybersecurity issues can be traced to human error (7).

Cybercriminals prey on human vulnerabilities, targeting the curious, the complacent, and the time-poor. Hence the most effective method of preventing cybercrime is to become a human firewall (8).

A human firewall is the set of human actions taken to prevent cyber-attacks. The great thing is that the practices of being a human firewall can also be applied to enhance digital security in your personal life (8). Such actions might be:

Changing default passwords on home internet devices (9)

Default passwords are well known to hackers, who can use them to access the network in seconds and then attack the devices on it.

Not joining free public Wi-Fi without a Virtual Private Network (VPN) service (9)

Free public Wi-Fi can carry snooping software, meaning your data and activities are insecure. This also applies to Wi-Fi in restaurants, cafes, and other public spaces. Here, cybercriminals can set up fake Wi-Fi networks that mimic the name of the location, which are then used to capture everything you’re doing on the internet at the time: from usernames and passwords to banking details. If you must use a public Wi-Fi service, ensure it is password protected and that the network you’re joining does in fact belong to who you think it does.

Being aware of shoulder surfers in public (9)

Anyone hovering over your shoulder looking at your mobile device or computer screen could gain access to important personal information, which could then be used in later phishing attempts, to install malware, or to hack accounts. This could happen anywhere, from cafés to public transport. Using privacy filters (polarized sheets of plastic seated directly in front of the screen), so that only those directly in front of the screen can see its contents, is an easy way to protect against shoulder surfers. Privacy filters are available for desktops, laptops, and mobile devices.

Not allowing strangers to piggyback or tailgate into places of work (9)

If someone follows an authorized user (such as an employee) into a protected area (such as a swipe-card-accessed workplace), they can gain access to restricted spaces and potentially plant rogue devices that could contribute to a cyberattack. A bad actor’s excuse might be that they have forgotten their identification or, if they have one, that it doesn’t work. It’s not impolite to ask the stranger to contact security if they are having trouble accessing an area and are attempting to use you to gain access.

Not inserting an unknown USB device into your computer (9)

Sometimes criminals leave USB sticks or other hardware such as charger cables lying in public spaces, loaded with malware that can corrupt systems. They rely on people’s curiosity to check what’s on the device, which ultimately infects the finder’s computer with whatever the criminal has installed. If you find such a device in the workplace, hand it to security or IT, and avoid inserting it into a work or personal device.

Being aware of red flags of phishing emails (9)

Phishing emails are a form of social engineering attack whose aim is to get the recipient to take an action – usually clicking on a link, opening an attachment, or providing sensitive information. It’s the most common way cyberattacks are initiated in healthcare systems (9,10). By being aware of the ‘red flags,’ you reduce the chance of becoming a phishing attack victim. Common red flags (9) are:

  • An unexpected email requesting you to take an action: clicking a link, opening an attachment, or sending sensitive information to someone.
  • Spelling and/or grammar mistakes, including of trade and brand names.
  • A sense of urgency: for example, threatening closure of an account if action is not taken. Most reputable institutions such as banks will not ask for personal information via email, nor will they suspend your account if details are not provided by such a method within a certain period.
  • The link’s actual destination address is a different website from the one displayed in the message’s hyperlink text. Hovering over the hyperlink before clicking will reveal this.
  • The message is cc’d to people you don’t know or is from someone you don’t know.
  • A mismatch between the email subject line and the content of the message.
  • If it’s too good to be true, it usually is (for example, an email stating you’ve won a lottery).
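The ‘hover over the link’ check above can also be automated. As an added example (not from the article or any of the cited training modules), the following script scans an HTML email body and flags every hyperlink whose visible text names one website while its actual destination points to another, which is the same mismatch a person would spot by hovering. The sample email, the bank name and the domains in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    # Simplified: keep the last two labels (no public-suffix list in this demo).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html_body):
    """Return (href, shown_text) pairs whose shown text names a different site
    than the link actually points to. Links whose text is plain words
    ("click here") carry no claim about a destination and are not compared."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if not match:
            continue
        shown = _registered_domain(match.group(1))
        actual = _registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            flagged.append((href, text))
    return flagged


# Constructed sample phishing body: one disguised link, one honest link, one plain-text link.
SAMPLE_EMAIL = (
    '<p>Your account will be suspended. Verify now at '
    '<a href="http://examplebank-secure.example.net/login">https://www.examplebank.com/login</a>.</p>'
    '<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com</a> or '
    '<a href="https://www.examplebank.com/contact">click here</a>.</p>'
)

if __name__ == "__main__":
    for href, shown in mismatched_links(SAMPLE_EMAIL):
        print(f"RED FLAG: text shows {shown!r} but link goes to {href}")
```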

Of course, the above is not an exhaustive list of ways to avoid succumbing to cyber-crime, nor is it a one-off practice. To maintain effectiveness, repetition and salience are important. German psychologist Hermann Ebbinghaus effectively showed what happens to our learning via the ‘forgetting curve’. This demonstrates how new knowledge fades over time, and how this can be mitigated to an extent by repeating information. This is even more effective when the same information is repeated across different mediums or platforms (11).

A great way to reinforce the learnings of being a human firewall is through iterative and repetitive training, such as phishing simulations. This is where mock phishing emails are sent to employees of an organization, for example, with the option to ‘report phish’ through an Outlook add-in if a phishing email is suspected. If an individual wrongly clicks on the mock phishing email, they are advised of their error and directed to refresher training (9,10).

With the ever-increasing number of attempted cyberattacks, no-one can afford to become complacent when it comes to cyber-protection.

References

  1. ABC Radio Melbourne. Victorian hospitals across Gippsland, Geelong and Warrnambool hit by ransomware attack [Internet]. Australia: ABC Radio; 2019. Available from: Victorian hospitals across Gippsland, Geelong and Warrnambool hit by ransomware attack – ABC News (Australian Broadcasting Corporation)
  2. Abdel-Rahman, O. Impact of timeliness of adjuvant chemotherapy and radiotherapy on the outcomes of breast cancer; a pooled analysis of three clinical trials. Breast (Edinburgh) 2018; 38, 175-180. https://doi.org/10.1016/j.breast.2018.01.010
  3. Ashok Kumar, P., Paulraj, S., Wang, D., Huang, D., & Sivapiragasam, A. Associated factors and outcomes of delaying adjuvant chemotherapy in breast cancer by biologic subtypes: a National Cancer Database study. Journal of cancer research and clinical oncology. 2021. https://doi.org/10.1007/s00432-021-03525-6
  4. Croke, L. Cyberattacks in health care can threaten patient safety. AORN journal, 2020; 112(4), P5-P5. https://doi.org/10.1002/aorn.13226
  5. Barry, E., & Perlroth, N. Patients of a Vermont Hospital Are Left ‘in the Dark’ After a Cyberattack [Internet].2020. Retrieved 05/04/2021, from https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html
  6. Griffith University. Topic 11: Security, privacy, ethical issues and consumer informatics. Griffith University 2021. Retrieved 2021, April 10 from https://bblearn.griffith.edu.au/webapps/blackboard/content/listContent.jsp?course_id=_90310_1&content_id=_5780288_1
  7. World Economic Forum. The Global Risks Report 2022 17th Edition Insight Report. World Economic Forum. 2022. Retrieved 2022, January 26 from Global Risks Report 2022 | World Economic Forum (weforum.org)
  8. KnowBe4. What does a “Human Firewall” look like, anyway? [Internet]. KnowBe4 2022. Retrieved 2022, Jan 26 from What does a “Human Firewall” look like, anyway? (knowbe4.com)
  9. KnowBe4. Security Awareness Training [Multimedia module]. KnowBe4 2022. Available at: Security Awareness Training | KnowBe4
  10. He, W., & Zhang, Z. Enterprise cybersecurity training and awareness programs: Recommendations for success. Journal of organizational computing and electronic commerce, 2019; 29(4), 249-257. https://doi.org/10.1080/10919392.2019.1611528
  11. Van Oppen, L. Why Repetition is Essential for Effective Communication [Internet]. Netpresenter. 2020. Retrieved 2022, January 26 from Why Repetition is Essential for Communication – netpresenter.com

Views are those of the individual authors and not those of ACHSM or management interns’ host organisations or employers.