By Kemper W. Brown, Jr., CISSP
I recently gave an IT security presentation at a fall conference for medical managers of physician practices in Western North Carolina. As the only speaker on the topic of technology, my goal was to help medical managers stay on top of IT security best practices and the current threat landscape.
The Malware Menace
Today, it’s not just large corporations (and infamous breach victims) like Target and Sony who are at risk of breaches or cyber attacks; it’s everyone. The perpetrators aren’t so much setting their sights on one company and trying to get in as they are automating their systems to find and exploit vulnerabilities and execute phishing schemes. What’s so scary is that small practices and organizations now also find themselves in the crosshairs. Security measures have had to catch up to the growth of ransomware, yet every company can be at risk. Taking preventative action and following up with 24/7/365 support by experts is key to ensuring your clients’ information doesn’t fall into the wrong hands.
Over the last year and a half, for example, many small to medium-sized clinics and surgery centers have fallen victim to breaches, ransomware, or crypto-type attacks. A group of hackers known as TheDarkOverlord has pirated hundreds of thousands of digital medical and dental records across the country. These ransomware schemes encrypt or lock medical records or other critical files and demand a ransom in bitcoin to restore access. Medical records are highly valuable on what is known as the “dark web,” and crime groups pay top dollar for hacked personally identifiable information.
How Do You Avoid Becoming a Victim?
We recommend that you protect your practice through:
- Annual HIPAA Security Assessments
- Layered Security
- Robust Data Backup Solution
- Security Awareness Training
An annual HIPAA Security Assessment is not only a requirement of HIPAA/HITECH compliance, but is also a best practice for protecting systems and evaluating vulnerabilities.
Layered security is also recommended because you want to have multiple defenses in place (e.g. firewalls, updated patching, consistent antivirus across all endpoints). This approach includes perimeter defense, which can call for a firewall with deep-inspection capability (protecting the outside of your network), as well as internal defenses such as intelligent spam filtering, vulnerability patching, password policies, and antivirus/antimalware support.
Robust data backup solutions with onsite and offsite copies are also critical to a strong data protection plan. If something happens to the servers, you have the data backed up on site; if something happens to the building, you have a copy stored off site. When you need to restore something, having confidence that your files are there and usable is key. Data backup is also the best protection against ransomware and crypto-type threats.
Security Awareness Training
Yet, in today’s world, having a strong firewall, backup, and antivirus software is no longer enough. Unfortunately, the majority of breaches that occur today are the result of social engineering or unsuspecting employees opening a malicious email or clicking a harmful link.
Do you think this could happen to someone on your team? If you set up a simulated attack, would anyone fall for it?
In the weeks after an actual cyber theft of customer assets in 2015, financial institution JPMorgan sent a fake phishing email to their employees to test their reaction. According to the Wall Street Journal, 20% of staff opened it. If this had been real, it would’ve been disastrous for the bank’s networks. Remember, it only takes one person opening that email for the entire system to become infected.
Phishing emails have gotten more sophisticated over time, and it may be less obvious that these emails are malicious. The idea is that we can train users to identify malicious and phishing emails.
I recommend that your entire team undergo security awareness training (we do it for our own organization). This training can take many forms including fake phishing emails, training videos, and even alerting our clients to real malicious emails that have been sent. The idea is to better prepare users for real-world situations.
What to do After a Data Breach
Experiencing a data breach can be an extremely scary scenario, and as in any emergency, how an organization responds is critical. First off, document, document, document. Next, contact critical IT personnel and isolate affected systems from the network. Do NOT power off breached systems, since powering off destroys volatile evidence such as the contents of memory. At this point, begin analysis, and respond according to your organization’s WISP (Written Information Security Policy).
As a practice manager or organizational stakeholder in a breach scenario, you need to be able to answer these questions:
- Who is responsible for the breach?
  - External hackers?
  - Internal personnel?
- When did the breach occur?
- How did the breach occur?
  - Were servers or systems hacked?
  - Did an employee unlawfully access the information?
- Was protected health information compromised?
There will also be a point when it may be advisable to engage legal counsel and IT security professionals to help with response and prevention of further harm.
How Do I Report a Data Breach?
There are laws (state and federal) that dictate the responsibilities of businesses whose data has been breached, whether it was employee data, or client/patient data. Contact professional legal counsel who can assist with a notification plan and provide proper communication and documentation related to the breach.
They’ll be Back
A breach or even a close call (like opening a phishing email) can attract other attacks. Post-breach, it’s important to:
- Conduct a thorough security audit to identify any additional risks
- Remediate all identified risks
- Establish proper protections and protocols for future threats
Moving Forward: The IT Assessment & Beyond
You’re likely wondering: Are we really protected? Do we have a layered security posture? Do we have enough training for our staff?
One solution for peace of mind includes an IT assessment to establish baseline knowledge of your technology infrastructure and uncover any potential vulnerabilities. The Electronic Office will develop a comprehensive overview of your current systems and prepare recommendations based on industry best practices.
The Electronic Office delivers worry-free, trouble-free security for your organization’s network. We offer installation, configuration, monitoring, patch management, and continuous updates to ensure robust protection against today’s advanced IT threats. We provide around-the-clock monitoring, management, and remediation. Our knowledgeable security support team is available 24/7/365 to address problems quickly. As business needs change, our team will work to fine-tune your security plan. With our expertise and support, you can rest easy knowing your network systems—and your business—are secure.