How To Spot Deepfakes and Other Cybersecurity Panel Takeaways from HLTH

The business world was roiled earlier this year when a finance worker in Hong Kong was duped into handing over $25.6 million (200 million Hong Kong Dollars) after he joined a video call that he believed his chief financial officer invited him to.

But that costly error could have been easily avoided. Joey Johnson, chief information security officer of Premise Health, a provider of on-site healthcare services, said there’s a simple way to spot deepfake technology – in this case, one meant to be interactive. Johnson spoke at a cybersecurity panel discussion at ENGAGE at HLTH, MedCity News’ partner programming at HLTH, on Sunday.

Let’s get to the scam first.

According to news reports, earlier this year Arup, a London-based engineering and architecture firm, alerted Hong Kong police that a local employee had been conned by a deepfake video involving the company’s CFO. The elaborate scam began with emails from the chief financial officer, based in the U.K., asking that person to approve a secret transaction. When the employee ignored that request, an email from the CFO asked him to join a video call with other staff members.

When the employee joined the call, he was relieved to find his CFO and other staff members on the call. He then approved 15 wire transfers across multiple bank accounts amounting to $25.6 million, as requested by his boss. It turned out that the video call was populated by multiple deepfake videos of actual employees of the company, including the CFO.

How to spot the deepfake
Such sophisticated scams are entirely possible with AI, which Johnson described as a technology like fire: both good (able to cook your food) and bad (it can also burn you).

Johnson explained that he has told his wife and children that his digital persona might easily be hijacked for nefarious reasons given that he speaks widely at conferences. In other words, both his voice and his image are easily obtained.

“You might see a video of me. You might hear me. It’s gonna be my voice. It’s gonna look like me. It’s gonna sound like me. It’s gonna be whatever,” he told the audience at HLTH.

So how can they be sure it is Johnson that is speaking to them through video?

“So we need to create a safe word for the family. It can be anything you want, but maybe some memory from a vacation … so that you can say, ‘Hey, Dad, what’s the safe word?’ Because the adversary is not going to know that. No amount of AI is going to give them that answer. So that’s something you can use personally. It’s also something that we implement professionally within our organization to try to protect certain things.”

Johnson’s co-panelist Chris Bowen, founder and chief information security officer at ClearDATA, a company that helps healthcare organizations assess data vulnerabilities and protect that data, agreed that a simple precaution like that can be all that is needed to spot bad actors.

He shared some other pieces of advice.

Undertake Security Assessments Organization Wide
The challenge with large healthcare entities is that sometimes they have thousands of apps on their systems and many different vendors that they have to manage. Assessing all that and knowing what risks one can take is absolutely essential.

“What kind of data is this vendor going to touch? I think I’ve probably done several hundred security risk assessments in the early part of our company, and that criticality analysis is so important because you have to understand of all of your assets, which ones are the most important to you to run as a company, to protect that data,” Bowen said.

Knowing is half the battle in this regard.

“One little slip up with an MFA and look what happened, right?” Bowen said, referring to the Change Healthcare cybersecurity breach that brought the healthcare system to its knees. “I agree with you, [Johnson] on, let’s illuminate the risk. Let’s let’s shine the light. And the more light that we can shine [the more we can] find the monsters that are under the bed.”

Be thorough and deliberate
Knowing your risks is crucial, but being thorough about how much cyber insurance you need to buy and what will be covered is no less important.

“It’s really sad that if you miss something on your questionnaire for your application, you may not be covered, and that may be something that just kind of fell off the CMDB [configuration management database], the database that shows you what all your assets are. Well, if you miss one, insurance companies have a good way out…,” he warned.

Still, while it’s important to understand where your data is and how to protect it, the reality is that you cannot cover it all, he said.

{URL}https://medcitynews.com/2024/10/how-to-spot-deepfakes-and-other-cybersecurity-panel-takeaways-from-hlth/{/URL}
{Author}Arundhati Parmar{/Author}