FBI Special Agent: Call Cyber Operations Center when attacks occur

BOSTON – The FBI’s Bill McDermott engaged attendees Tuesday morning at the 2022 HIMSS Cybersecurity Forum with an energetic – and warm – overview of cybersecurity vulnerabilities specific to healthcare and how the FBI can help.

“What happens if I pick up the phone and I call you and I say it’s Bill McDermott from the FBI? You are going to hang up,” he said and was rewarded with a laugh.

“What are the most dangerous words you can ever hear? ‘I’m from the government and I’m here to help. But now you know I actually am.”

The FBI has prevented cyber attacks, such as when one Nebraska hospital detected malware on a server and the agency stepped in to help isolate it and prevent patient data from being compromised.

Top cyber threats to healthcare organizations

Most of the threats McDermott reviewed – business email compromise and ransomware, to name two – are often realized with spoofing and spear phishing.

“It’s that human error; that’s where the risk comes from,” he said.

With personal information, breaches are easier to fix, he said it’s the protected health information that opens the door to extortion and blackmail.

With business email compromise, the average loss is $80,000. A successful bank robbery, by comparison, yields an average of $3,816.

Given that that strategy offers the “biggest bang for the buck,” McDermott said bad actors will set up email forwarding to get the information they want, and it is easy for them to do. They’ll set up free WiFi at a public place like a coffee shop and get into an email account through a cell phone.

“If it’s new to you it might not be new to us.”

FBI Special Agent William McDermott

BEC can result in funds being diverted away from healthcare. The bad actor will impersonate a vendor over email and request payment, which an unsuspecting company representative might end up paying to a bank account the bad actor controls.

Last month, the Department of Justice announced the first coordinated action against individuals using business email compromise and money laundering schemes to target healthcare payers, which the FBI helped to investigate. The robust roster of investigating agencies uncovered $11.1 million diverted to 10 individuals.

However, when ransomware hits, it is the “worst day,” McDermott acknowledged.

One of the first things bad actors will do with their malware is go looking for an organization’s cyber insurance policy in order to learn their coverage amount, he said. Then, they could start trading data before the lockdown even happens, and when the ransom hits, they’ll ask for the amount listed in the organization’s coverage.

But when the ransomware hits, an organization’s cyber response will dictate when and who to reach out to.

“You have to have a playbook – do what the playbook says. We want to be notified,” he said.

Threat response and misconceptions

Each of the FBI’s field offices has the subject matter expertise in specific variants, and your case may be investigated by a field office in another state, McDermott said.

“Our role in the event, and we can assist: if it’s new to you it might not be new to us,” and the agency might have the decryption key that they can give you over the phone, he said.

There are thousands of variants, but when a healthcare organization can drill down and focus on one event or one attack vector, it’s easier for the FBI to help, he added. 

The biggest misconception that organizations have is how the FBI will deploy to the cybercrime scene, he said. The movies depict it dramatically, but the response is more likely a telephone call.

“We are definitely not showing up in FBI raincoats because that would victimize the victim,” he said.

He also said that organizations can sometimes be hesitant to report because they don’t want the information out there, but the FBI is not going to re-victimize an organization that calls after a cyber attack, nor are they going to announce it.

The second misconception is that if an organization lets the FBI in, they’ll start looking for another violation.

“Those people, they’re there because you are the victim of a crime. We are not going to re-victimize you,” McDermott said.

He also encouraged a reporting network and employee buy-in. With insider risks, which should be part of an organization’s cyber response playbook, organizations must watch for anomalies in employee behaviors.

CISA, he said, is a great resource as well as the FBI’s InfraGard program. CyWatch also provides a distribution list with helpful information.

While you can call the FBI, and they will always answer the phone, the response will be very matter-of-fact, said McDermott.

“You won’t get that warm hug that you’ll get if you call me,” he said, encouraging attendees to email him.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a HIMSS publication.

Source: Read Full Article