BOSTON – The FBI’s Bill McDermott engaged attendees Tuesday morning at the 2022 HIMSS Cybersecurity Forum with an energetic – and warm – overview of cybersecurity vulnerabilities specific to healthcare, and how the FBI can help.
“What happens if I pick up the phone, and I call you, and I say it’s Bill McDermott from the FBI? You are going to hang up,” he said and was rewarded with a laugh.
“What are the most dangerous words you can ever hear? ‘I’m from the government and I’m here to help.’ But now you know I actually am.”
The FBI has prevented cyberattacks, such as one in Nebraska where a hospital detected malware on a server. The agency stepped in to help isolate it and prevent patient data from being compromised.
Top cyber threats to healthcare organizations
Most of the threats McDermott reviewed – such as business-email compromises and ransomware – are often realized via spoofing and spear phishing.
“It’s that human error. That’s where the risk comes from,” he said.
With personal information, breaches are easier to fix. He said it’s the protected health information that opens the door to extortion and blackmail.
With business-email compromises the average loss is $80,000. A successful bank robbery, by comparison, yields an average of $3,816.
Given that that strategy offers the “biggest bang for the buck,” McDermott said bad actors will set up email forwarding to get the information they want, and it is easy for them to do. They’ll set up free WiFi at a public place like a coffee shop and get into an email account through a cell phone.
BEC can result in funds being diverted away from healthcare. The bad actor will impersonate a vendor over email and request payment, which an unsuspecting company representative might end up sending to a bank account the bad actor controls.
Last month, the Department of Justice announced the first coordinated action against individuals using business-email compromises and money-laundering schemes to target healthcare payers. The FBI had helped investigate these cases. The roster of investigating agencies uncovered $11.1 million that was diverted to 10 individuals.
However, when ransomware hits, it is the “worst day,” McDermott acknowledged.
One of the first things bad actors will do with their malware is go looking for an organization’s cyber insurance policy in order to learn their coverage amount, he said. They can start trading data before any lockdown happens. When the ransom hits, they’ll ask for the amount listed in the organization’s coverage.
But when the ransomware hits, an organization’s cyber response will dictate when and who to reach out to.
“You have to have a playbook, do what the playbook says. We want to be notified,” he said.
Threat response and misconceptions
Each of the FBI’s field offices has the subject matter expertise in specific variants, and your case may be investigated by a field office in another state, McDermott said.
“Our role in the event, and we can assist: If it’s new to you, it might not be new to us,” and the agency might have the decryption key that they can give you over the phone, he said.
There are thousands of variants, but when a healthcare organization can drill down and focus on one event or one attack vector it’s easier for the FBI to help, he added.
The biggest misconception that organizations have is how the FBI will deploy to the cybercrime scene, he said. The movies depict it dramatically, but the response is more likely a telephone call.
“We are definitely not showing up in FBI raincoats because that would victimize the victim,” he said.
He also said that organizations can sometimes be hesitant to report, because they don’t want the information out there. But the FBI is not going to re-victimize an organization that calls after a cyberattack, nor are they going to announce it.
The second misconception is that if an organization lets the FBI in, they’ll start looking for another violation.
“Those people, they’re there because you are the victim of a crime. We are not going to re-victimize you,” McDermott said.
He also encouraged a reporting network and employee buy-in. With insider risks, which should be part of an organization’s cyber response playbook, organizations must watch for anomalies in employee behaviors.
CISA, he said, is a great resource, as well as the FBI’s InfraGard program. CyWatch also provides a distribution list with helpful information.
While you can call the FBI, and they will always answer the phone, the response will be very matter-of-fact, said McDermott.
“You won’t get that warm hug that you’ll get if you call me,” he said, encouraging attendees to email him.