Join TMLT cyber experts as they discuss the latest concerns for IT departments working in health care, including phishing, conducting vulnerability scans, two-factor authentication, and the continued importance of strong passwords.
Anthony Passalacqua, 0:11: Hello and welcome to this edition of TMLT's podcast TrendsMD: Answers for Health Care's Digital Trends. I'm your host, Tony Passalacqua. Today I have Juan from our IT department. And our topic today is a 2022 Cyber Update. Hello, Juan, how are you doing?
Juan Uribe, 0:26: Hey, Anthony. I've been doing okay. Yeah, just a lot of crazy stuff going on up there. But I'm doing okay.
Anthony Passalacqua, 0:32: Yeah. Well, welcome back to the office. This is our first recording in over two years in office. So, it's nice to see everyone's face again. So, let's just jump straight into this. So, one of the things that came up from my perspective is, I was reading through a bunch of emails over this last week and one of the specific emails that caught my attention was something called the OCR update for cyber hygiene. And so, I figured that would be a really good topic for us to talk about. One of the biggest topics that I found very interesting in that was phishing. Juan, do you want to cover some basics of phishing?
Juan Uribe, 1:07: Yeah, I think it's really important to know, you know, what's phishing and why it's important to know phishing. So phishing, they're targeting people. So basically, those hackers, those bad actors, they're trying to get people's either passwords, bank account, something that has some value. And the way that they're doing it is by sending emails; they craft an email that looks legit. And most of the times they say, well, click on this link, you're gonna get free bitcoin, or you're gonna get free stuff. But remember, every time they say something that is free, think twice about it. And also, when they are saying that you have to click it in order to get it, I would think twice. And the easiest way to figure out if it's a phishing email, when they send you that link, is that if you hover on it, you're gonna see like a crazy link that is not easy to read; most of the times that link takes you to a different place where you have to put in your credentials like password, username. So, I think people need to understand that sometimes it's really hard to identify them. But if you think twice about phishing emails, just take your time, kind of read through, and try to catch the red flags. So that way, you cannot get hacked.
Anthony Passalacqua, 2:40: So there's kind of a couple of different things out there. There's phishing, there's whaling, and there's spearing, which is very interesting to me, because it identifies that phishing campaigns have been so successful in the past that they've identified that it's actually easy for them to target, like, a specific individual, which is what they would refer to as a spearing attack. That's where you identify someone in an organization, let's say, maybe someone who's easy; it could be like an admin, it could be a practice manager, or someone who has credentials that are going to allow them to gain access into a deeper part of their computer system. And the other one is called whaling, which is where you're actually going after, like, what they refer to as the big fish inside of the company. So, you know, one of your chief executive officers is like a good target that you usually see.
Juan Uribe, 3:28: Yeah. And also, I want to add a little comment there. Do you know, most of the times when they're trying to get those big corporations, what they do is that they get a small office where they know it's going to be an easy target. And once they have access to that small office, they jump into a bigger fish. So that's how the hackers are thinking: to get in first with a small fish. And then they jump into that big one, like you were saying.
Anthony Passalacqua, 3:59: So, for any of our listeners out there, one of the things I want you to know about is we have done an entire series on phishing. So please look through our podcast series and look for our phishing tips and tricks. It's a really good podcast that kind of goes into a more in-depth conversation about how phishing looks and feels just like actual fishing. One of the other topics I wanted to cover is exploiting known vulnerabilities. So, it's really interesting to me because there's actually a specific website I've heard about that actually publishes known vulnerabilities, so it works to the advantage of both cybersecurity experts and cyber criminals.
Juan Uribe, 4:38: Yes, CISA. You're talking about CISA. So, this is an agency from the United States that basically sees all the issues that are happening at all the levels. Like Microsoft, like a lot of the big companies there, you know, they give you an update of what to do, how you have to make changes. And I think it's really important to follow this agency, because it will give you pretty good information. It's kind of like the top level of IT where you can find, you know, like, a lot of documents that they're gonna walk you through, and also that agency, they have everything in there. I think it's a great idea to take a look. And you know, if you can do updates on your systems, please do it. And now that we have a lot of stuff going on around the world, I think it's important to really take care about this hacking, these phishing emails, and just be aware that people are there, trying to get into the systems.
Anthony Passalacqua, 5:45: So, one of the things I've noticed is they have something called a CVE, or a critical vulnerability exploit. So, one of the things that I was kind of curious about is, as someone such as myself, just a basic individual who knows very little about computers, how would that work? Would I be able to go through, like, a computer and identify all these exploits by myself? Or are there any tools that you could use to help find vulnerabilities?
Juan Uribe, 6:09: Well, you have tools. You can find tools online that are gonna help you to crack a password. They're kind of complex, it's not that easy to use, but definitely people can just go online and get that tool and try to crack passwords, try to get into new systems. I think a lot of the hackers, they just have so much time right now, just, you know, working from home or doing like nothing the whole day. And they're just testing; they're just playing with everything that they can. And that's how they're getting into the systems. And like I was saying earlier, they might be targeting a small office. And then from there, they just jump into, like, a bigger office or a bigger fish. So, I think that is why it's important to be aware that phishing and hacking, it's happening and it's real. I always think that it doesn't matter when it's going to happen, but it's going to happen at some point. But if you don't really take care of lowering the risk... I'd rather it happen to me in 5-10 years than tomorrow.
Anthony Passalacqua, 7:21: Yeah. And so, from the cyber security side, can they run vulnerability scans on your computer to see if any of those exploits have been found? And if so, have they been remediated?
Juan Uribe, 7:32: Yeah, you would be surprised. With a lot of tools that are out there, you can find so much stuff. The only thing that you have to be is good at programming, good at using those tools, and just to have the mindset to say "I want to harm a company, I want to harm a user or a person." I think those three factors, they can do a lot of damage to you or to your organization.
Anthony Passalacqua, 8:04: Juan, can you tell me a little bit about the tools that are necessary for cyber vulnerabilities or to try to identify any of your vulnerabilities?
Juan Uribe, 8:13: Yeah, there are a couple of tools out there that I don't really want to get into details about. But you know, Kali Linux is kind of like the biggest tool that's out there. And then, you know, based on that tool, you will find more tools that are going to help you to do all those scans. I know that you know more about this, what TMLT or some companies are offering through their policies. So, I don't know if you want to explain more about this.
Anthony Passalacqua, 8:40: Great question. Here at TMLT and LSA, one of the things that we can sometimes offer our policyholders is a vulnerability scan. It's sometimes included on your policy. If you're not an LSA or TMLT policyholder, you can always double check with your own cyber security policy to see if that may be something that you can request. And if so, you can request a scan to identify some vulnerabilities and then pass that information on to either your IT team or your MSP or your MSSP, depending on who you're coordinating your cyber security with.
Juan Uribe, 9:15: Yeah, so also, they can run some test penetration just to kind of see if you have something going on. I don't know how it really works on the insurance side of the business, whether the insurance is going to pay for that test penetration, or you have to go with a specific company that does test penetration and say "Hey, I want to get tested in here," and then you will find out all those issues that you might be having with your systems.
Anthony Passalacqua, 9:43: There is a slight difference between the vulnerability scan and what they call a pen test or a penetration test. A lot of the times your cyber insurance carrier, what they may do is they may perform a quick vulnerability scan on your system. The main goal of that is to identify, you know, potentially open ports, make sure you're patching, and everything's all updated. Those are some really basic things that they can use. A pen test, though, those tend to be a little bit more invasive, and they're much more expensive. Typically, those are not covered, but the vulnerability scans, there is the potential that they could possibly be covered. The biggest thing for you to do is just double check again, with either the cyber security team that you may have employed, or, you know, double check your cyber policy to see if maybe that company will run that specific scan for you.
Juan Uribe, 10:35: Yeah, and also just want to make a quick note here, that test penetrations are done by what they call "white hackers." So basically, those guys are the good ones. Those are the ones that are going to help you to understand what is really happening with your system. So, if you find somebody online that's gonna do a test penetration and you don't really trust them, I wouldn't do that. I would really go with somebody that you trust, and have meetings with them before you run a test penetration, because you can open the door to so many things.
Anthony Passalacqua, 11:11: Yes, yeah. In some instances, what Juan is alluding to is that sometimes those hackers, "white hat hackers," can start off as white hats. And then they can become kind of gray and then turn to what they refer to as a "black hat hacker," which is the bad guys.
Juan Uribe, 11:28: Also, Anthony, I think we have another podcast that is talking about those hackers. So also, it's a good idea for people to go back and look for those podcasts and try to listen to them and understand how they work.
Anthony Passalacqua, 11:48: Yes, that was actually one of the first podcasts we did, called the Basics of IT. So, if any of our listeners are interested, and you want to learn a little bit more about those white hats, black hats and gray hats, please go ahead and check out that podcast. Yeah. All right, Juan, so our last topic that we were talking about is weak cyber security practices. Can you kind of give me some examples of weak cyber security practices and then how to remediate some of those?
Juan Uribe, 12:15: Oh, yeah, I can give you so many, working in IT. Man. So, I always tell people to set it up on their accounts, either your personal accounts, or if your company is using a two-factor authenticator, please use it. Like I say, most of the companies are using that. They pay for that service. But if you're using it for a personal account, either your bank account or your social media accounts, please use the two-factor authenticator. I think that is really important to have that set up.
Anthony Passalacqua, 12:52: Can you give me kind of a few examples of how multi, or MFA, multi-factor authentication, works? Is it just that you have to put in a PIN each time, or what are some of the different technologies you've seen?
Juan Uribe, 13:05: The way they set it up, this two-factor authenticator, is when you have your account attached to your cell phone, and your cell phone has an application where you can either put in a token, you can use biometrics, you can use a push button where you accept that you're trying to get into your account, or you can decline. So, the basics of the two-factor authenticator is, you need to know your password, but also you need to know, or you have to have, your cell phone in order to accept that you are getting into that specific website or your social media. So that's how it really works, that two-factor authenticator.
Anthony Passalacqua, 13:52: That sounds great. So, I mean, that sounds like it's a real expensive service.
Juan Uribe, 13:57: It is not expensive. You are going to find so many applications out there that are for free. Google, Google has one of those for free. I use those for free. I think it's a great idea when you're using a two-factor authenticator because it's just adding another layer of security.
Anthony Passalacqua, 14:18: So that would be something great to add on to like, let's say your bank accounts, social media, emails…
Juan Uribe, 14:24: Everything. I think it's important to use that because hackers are just looking for weakness. And if they find that, basically you're saying, "Hey, here's my account, just go for it." But, if you add another layer of security, it's gonna be a little bit tough for them.
Anthony Passalacqua, 14:41: Gotcha. Are there any other examples you can give us on how to strengthen your cyber security practices?
Juan Uribe, 14:48: So yeah. Other than two-factor authenticators, I think that one of the things that you can do is to update your computer. If Microsoft or Windows are pushing updates, please do it. They're always pushing updates. And especially now, like we were saying earlier about CISA, they always send emails, like, please update this, please update that. So that's how they're making people aware that they need to push for updates.
Anthony Passalacqua, 15:19: So, should you just run all the updates, anytime one just comes across? I mean, I'm just thinking about this mostly from maybe like the corporate level.
Juan Uribe, 15:37: Well, if you have a personal computer, I would do it. But if it's your work computer, I would definitely contact your IT department and make sure that those updates that you're about to run are good. Because sometimes when you update, like for example, to Windows 11, you might have some applications that are working with Windows 10. But if your IT department has not tested those applications that you have with Windows 11, it might not be compatible. So just be aware that might be the case. So, contact your IT department, and try to get all the information from them. And if they're okay with it, yes, run all the updates on your work computer, but definitely on your personal computer, do everything that they're telling you to do. Do updates.
Anthony Passalacqua, 16:19: So, the only other thing that I always come back to is passwords, right? So, I mean, with all this two-factor authentication or multi-factor authentication, is it really important to still have like a good strong password?
Juan Uribe, 16:32: Anthony, you'd be surprised. So many people use summer2022. And do you know how easy it is to crack that password?
Anthony Passalacqua, 16:42: No. Go ahead and tell me.
Juan Uribe, 16:43: It's really easy. I mean, you can just guess, you can pick words from the dictionary. And it's going to be really easy to crack those passwords. So basically, what you do, or what I do, is to use words, but I use different characters, like, you know, lowercase or uppercase, numbers, different characters, so that it is going to be hard for hackers to crack that password. Because if you're using gummybear2022 or summer2022, of course, everybody is going to be able to get that password. So just be aware that just because you have a password, that doesn't mean that you're secure. Now you have to think about a strong password.
Anthony Passalacqua, 17:38: It's funny, because one of the things that I did do as an experiment one weekend was to break into my own computer using what they call a brute force attack, which is essentially a program that will crunch through passwords. So, if you're using lowercase letters, and it's in the alphabet, like, there are so many different programs out there that if it's in the English dictionary, if it's in a Spanish dictionary, if it's in a German dictionary, an Indian dictionary, any of those, those are all completely hackable, because what they do is they use that as the basis, like, so the absolute basic level for hacking. That's how come those are usually hacked in, like, what, under five minutes or so, Juan?
Juan Uribe, 18:17: Yeah.
Anthony Passalacqua, 18:18: Yeah. So, it's interesting. That's why when you hear a lot of your IT personnel, they'll tell you, you know, one of the things you need to do is make sure not only do you use a strong password, and I would actually venture to say that the best thing you should use is something called a pass phrase, which is where you combine multiple words together inside your password. Because one of the other things with that program that I used to hack into my own computer system is that the length of the password is actually something that can help to increase your strength. So, once you go over about 8 to 12 letters, it becomes significantly harder for those programs to hack that specific pass phrase.
Juan Uribe, 18:57: Also, when you're using consecutive letters or numbers, please don't use A, B, C, D, E, or 1234567. Because that is really easy. I think that's number one; Google it. I think it's going to be the number one password. So please don't do that. Just do something that is harder to crack.
Anthony Passalacqua, 19:21: Or sequential letters on your keyboard like Qwerty. People use that all the time and think, well, it's not a word, so it has to work. Those are all easily identified as hackable passwords on any of your cyber security websites. So just a heads up, it's not just passwords and passphrases, but even sequential order on your keyboard is another thing that people are looking for.
Juan Uribe, 19:47: Yeah, and lastly, Anthony, you know, I think another thing that we almost missed, that I think is really important to have in an organization, is training. I think, you know, people need to be aware of what's going on. Either your IT department or somebody that has good experience with IT, I think it's a great idea when they give some training. Or you can buy some training online, and they can send, you know, like phishing emails just for training. But I think it's important to have that in your organization. So that way people are going to be aware of what's phishing, what to do if you get into a cyber-attack. I think it's really, really cool when companies do that. Because I always think it's not just for the company; I think you're learning this cyber security stuff that can apply to your personal computer, your personal life. And if your company is providing that, I think it's great.
Anthony Passalacqua, 20:52: So, one other question here. So, we've talked a lot about, like, what other people can do to help you out. So those are the cyber security scans. We've talked about, you know, some things you can do for yourself, such as passwords and multi-factor authentication. Is there anything that you can download to use to try to help out with cyber security that you can think of?
Juan Uribe, 21:12: Well, yes, there are a lot of applications, like antivirus, that you can install on your computer and that will put like an extra layer of security on your computer. Definitely. You have to kind of shop around and look around and see what is the best option for you. You know, like some companies, they give you like a bundle for, you know, 100 something dollars for five computers. So, you have to kind of shop around. But I think it's important to have antivirus software on your computer. So that way, if you click on something or if you download something, antivirus is going to quarantine that file. And it's going to tell you, "Hey, this is spyware," or "something is happening on your computer, and we can just delete and quarantine this file." But yeah, definitely, it's important to have that on your computer. Because right now you don't know what people are sending to you. Like we were saying earlier, you know, phishing emails: "Click here" or "Download this." Just be aware, people are trying to get into everything.
Anthony Passalacqua, 22:28: Just for a lot of our listeners out there, we talk a lot about computers, because, you know, that's the thing that we typically use in corporate environments. But a lot of this, like spyware, or malware, or total computer system security, is another term I've seen out there that kind of combines all those different products together. They don't just cover computers, right? Juan, do they cover other items as well?
Juan Uribe, 22:52: Yeah, I think some of them you can install on your cell phone. Remember, your cell phone is like a minicomputer, where you can see social media, you can even look into your bank account. So, everything has to be secure. And if you do the best practices, you should be good. So yeah, definitely, just get some sort of software that will help you with antivirus.
Anthony Passalacqua, 23:18: So, is there any one thing that you would want our listeners to leave with, Juan?
Juan Uribe, 23:22: Yes, I think, please set up a two-factor authenticator on your cell phone, for anything that is available. And also try to learn as much as you can. You can read online, you can watch videos online. I know that sometimes it gets a little bit technical, but I think it will give you a better understanding of what's going on around the world and the states. But yeah, I think that will be the three things. Just look around on that CISA website; get into the two-factor authenticator; and get training, just trying to learn as much as you can about cyber security.
Anthony Passalacqua, 24:01: Thank you for listening to our podcast. If you're a policyholder, please feel free to contact us with any questions by calling 1-800-580-8658 or check out our resources at TMLT.org and clicking on our Resource Hub. Thank you, Juan.
Juan Uribe, 24:16: Yeah, see you later.