
A Cyber Threat That Can Literally Kill You!

This was the painful lesson learned by Chicago’s preeminent Lurie Children’s Hospital, which recently fell victim to a massive cyberattack that left them incapacitated for over two weeks. Lurie was left without access to their systems, patient data, and with large amounts of data being put up for sale by the cybercrime group who executed the attack.

The Lurie cyberattack is just a recent example of an increase in attacks against healthcare providers in the last five years. They join other companies, such as Common Spirit Health and Change Healthcare, which in 2022 and early 2024 respectively suffered major cybersecurity incidents. Common Spirit Health, which operates over 140 hospitals across 1,000 sites in 20 states, suffered a loss of over $150 million. Change Healthcare, a subsidiary of UnitedHealth Group, announced that it had been hit with a cyberattack this past February. Thousands of healthcare providers around the country were unable to process patient service eligibility and billing, and the attack may have leaked patients’ personal information.

When big cyberattacks like these hit the news, people frequently wonder how the attacks happen and how they can protect themselves or their business. The first line of defense is knowledge: learn who is committing cybercrime, what risks you have, and what steps you can take to prevent becoming a victim of cybercrime.

Who is committing cybercrime?

We bucket the cybercriminals into three categories: Hackers, Organized Crime, and State Actors. These parties all have different motives and targets, as outlined below:

Hacker

Who: Typically, an individual or small collective. Someone who is technically strong but feels undervalued, unrecognized, or marginalized.

Goals: Achieve notoriety, cause disruption, or receive fame. Rarely is the attack made for financial gain. The fame or attention drawn to the hacker’s cause is the primary reward.

Targets:
  • Large institutions
  • Government agencies
  • Companies which the criminal feels “wronged” them or would make a visible impact

The target must be big enough so the crime garners attention.

Organized Crime

Who: An organization whose sole purpose is to make money by taking advantage of people or situations, or by other illegal means.

Goals: Gather data or information for monetary gain, either through:

  1. Direct theft of funds
  2. Selling information
  3. Laundering money
  4. Ransoming data (ransomware)

Targets:
  • Consumers
  • Companies with a high volume of consumer transactions
  • Financial institutions
  • High-value and/or proprietary information

Any data that can be sold, or currency the organization has digital access to, may be targeted, or malware enabling longer-term access can be planted.

State Actor

Who: A government, either acting directly (such as Russia’s FSB) or via a third-party organization working on behalf of the government.

Goals: Cause disruption and expose weaknesses in a country’s infrastructure. There are three primary goals:

  1. Sow chaos and disruption
  2. Influence political opinion
  3. Espionage

Targets:
  • Governmental agencies
  • Utilities & communications
  • Media companies
  • Journalists
  • Financial markets
  • Critical supply chain links

The target should have the ability to sway public opinion, control critical infrastructure, or hold top secret / classified information.

Most cybercrime is committed by organized crime rings. This is not the Sopranos, nor is it some criminal gang that operates out of a warehouse in a seedy part of town. These entities are run like a business and may even have call centers in developing countries with low-cost labor markets. However, their methods of attack are very similar in that they are constantly looking for the weakest link of entry to your system environment. Their attacks utilize a huge array of methods including phishing, phone calls, exploiting a third-party with access, brute forcing passwords, flyers with QR codes, or even a random USB left on the ground in a parking lot; anything that they can use to gain access either physically or remotely. Like a person at the front door, once you let them in, they can begin their work.

What risks do I have?

Your or your company’s risk profile will vary depending upon who you are or your line of business. Much like an aloof person who is expensively dressed is an easy mark for a pickpocket, a company dealing in healthcare or financial transactions that doesn’t take the right precautions will be at greater risk of cybercrime. This is why it is important to categorize the criminal intent as we did earlier: a person or a company can potentially be targeted by one or more of the threat actors listed.

There are a variety of factors that can affect your risk profile to a cyberattack. Some of these include:

  1. Data & Information – What types of data/information do you use to conduct business? Any business that holds personal information is at risk. However, criminals prefer to target those with highly valuable information that is easy to obtain. For example, a non-profit with the personal information of high-net-worth donors could be a valuable target for criminals because non-profits are typically perceived to spend little on security and IT staffing.
  2. Employee and/or Contractor Turnover – Does your business have high employee turnover, or seasonal employees? Do you rely on many third-party contractors? Companies often say they have written policies for employee data access standards and controls over terminations, but they often don’t consistently follow these procedures or steps are missed in the process when someone leaves the organization. Hospitals and professional services firms often use a lot of contractors who often have access to various systems which are not always disabled when they leave.
  3. Multiple access points to your network – Any system user can be considered an access point to the network. Also, the number of physical locations where a person can gain access increases your risk.
  4. An older or less technical workforce – A human is always the weakest link to the security of any environment. An organization is particularly susceptible to attack if it doesn’t continuously educate and test its employee base on phishing scams, ransomware attacks, and other online scams.
  5. A highly remote and mobile workforce – Since the pandemic, more companies have increased the size of their remote workforce. Further complicating this is staff who additionally operate internationally. A remote workforce can dramatically increase the risk of attack depending on the security measures you have in place for remote access. 

How can I prevent cybercrime?

No system is perfectly secure, but you can take steps to reduce the probability of becoming a victim of cybercrime, as well as minimize any potential damage or downtime. The first and most important thing is knowing your risk. Our article highlights the Lurie Hospital incident because it is a prime and current example of an organization which either didn’t properly assess their risk or did not take the steps to minimize the risk. Time spent upfront knowing and assessing risk, then implementing procedures and testing could save you weeks of downtime and more importantly millions in losses and legal liability.

  1. Assess your risk on a regular basis – At a minimum, assess your risk annually and if your organization is going through rapid changes in people, locations, or expansion, you may want to assess your risk more frequently. Additionally, keep in mind that your risk assessment is not solely technical. You should consider employee and contractor turnover, access points, procedures, and enforcement. It is also important to obtain a risk assessment from an outside party to be more objective.
  2. Develop strong procedures/controls – Many companies have policies, but these are only as good as the paper they are written on if they are not properly enforced through procedures and controls, which may be automated, such as locking a person out of the system when conditions are met. It’s especially important to maintain procedures and controls around granting system access and effectively terminating a person’s access when their role or responsibilities change.
  3. Train your employees on phishing, ransomware, and other online scams – Your employees are typically the weakest link in any system environment. You need to create a culture centered on safety and security. This can be accomplished through the implementation of several online training tools, but training should not be a one-time occurrence. Training should be on-going and followed up with testing and awareness. This will create a strong environment of continuous improvement.
  4. Backup, Detect, Isolate, Cut-off, Clean, and Restore – Most cyberattacks target system environments which are rich in data or operate in an organization which may be an easy target and can pay a ransom. Naturally, having backups of your data and information is a bedrock essential. However, beyond simply maintaining that backup data, you also need to have the resources to restore those backups to begin operating again. In addition, the backups should be more than just the data but also the software applications and potentially hardware to run everything. Companies often fail at the recovery aspect because they never implement or test their recovery plan, or do not have the necessary resources. Once the fundamental Business Continuity and Disaster Recovery (“BCDR”) plan is in place and consistently updated, the next level of security is actively detecting threats and eliminating them. Detection is important because malicious software can reside on a user’s device for a period of time before its destructive payload is deployed.
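To make the access-termination control in step 2 concrete (and the turnover and contractor risk described in the previous section), here is an added example that is not Sagin’s code: it reconciles a constructed HR roster against a constructed directory export, flags enabled accounts that should no longer be enabled, and disables them. The field names, reason codes, and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an HR export and a directory dump.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2024, 2, 15)},
    "carol": {"status": "active", "end_date": date(2024, 3, 31)},  # contractor whose engagement ended
    "frank": {"status": "active", "end_date": None},
}
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 4, 9)},
    {"user": "bob", "enabled": True, "last_login": date(2024, 4, 8)},    # off-boarded, still enabled
    {"user": "carol", "enabled": True, "last_login": date(2024, 4, 2)},  # contract expired
    {"user": "eve", "enabled": True, "last_login": date(2024, 1, 2)},    # no HR record at all
    {"user": "frank", "enabled": True, "last_login": date(2023, 12, 1)}, # dormant account
]
REVIEW_DATE = date(2024, 4, 10)  # the day the control runs (constructed)

def review_access(roster, accounts, today, dormant_days=90):
    """Return (user, reason) findings for enabled accounts that should not be enabled."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user, person = acct["user"], roster.get(acct["user"])
        if person is None:
            findings.append((user, "no_hr_record"))            # nobody owns this account
        elif person["status"] == "terminated":
            findings.append((user, "terminated_but_enabled"))  # off-boarding step was missed
        elif person["end_date"] is not None and person["end_date"] < today:
            findings.append((user, "engagement_ended"))        # contractor end date has passed
        elif today - acct["last_login"] > timedelta(days=dormant_days):
            findings.append((user, "dormant"))                 # unused; lock until re-justified
    return findings

def enforce(accounts, findings):
    """Automated control: disable every flagged account and return the usernames disabled."""
    flagged = {user for user, _ in findings}
    disabled = []
    for acct in accounts:
        if acct["enabled"] and acct["user"] in flagged:
            acct["enabled"] = False
            disabled.append(acct["user"])
    return disabled

if __name__ == "__main__":
    findings = review_access(HR_ROSTER, DIRECTORY_ACCOUNTS, REVIEW_DATE)
    print(findings, "-> disabled:", enforce(DIRECTORY_ACCOUNTS, findings))
```

Run on a schedule against real HR and directory exports, the findings list is the evidence that the written off-boarding policy is actually being enforced.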

Cyber security is more than technology. It is an approach which incorporates risk, procedures, controls, technology, and testing to create a complete secure environment. The outcomes of an attack can be downtime, financial loss, and, sometimes even death itself. Making sure you’ve taken the necessary steps to protect yourself and your organization is essential.

Sagin provides 24/7 IT Managed Services domestically, with either complete outsourcing or a partial/hybrid model. With high inflation, rising labor costs, and scarcity of resources, why manage your IT functions internally? We can provide you with free benchmarking and assessment to see if outsourcing your IT is right for you. You can contact us at: info@saginllc.com or +1.312.281.0290
