Cybersecurity 101: Protecting the Medical Practice in an Evolving Threat Landscape

By Kemper W. Brown, Jr., CISSP

I recently gave an IT security presentation at a fall conference for medical managers of physician practices in Western North Carolina. As the only speaker on the topic of technology, my goal was to help medical managers stay on top of IT security best practices and the current threat landscape.

View My Cybersecurity 101 Presentation Slides

The Malware Menace

Today, it’s not just large corporations (and infamous breach victims) like Target and Sony who are at risk of breaches or cyber attacks; it’s everyone. The perpetrators aren’t so much setting their sights on one company and trying to get in as they are automating their systems to find and exploit vulnerabilities and execute phishing schemes. What’s so scary is that small practices and organizations now also find themselves in the crosshairs. Security measures have had to catch up to the growth of ransomware, yet every company can be at risk. Taking preventative action and following up with 24/7/365 support by experts is key to ensuring your clients’ information doesn’t fall into the wrong hands.

Over the last year and a half, for example, many small to medium-sized clinics and surgery centers have found themselves victims of breaches, ransomware, or crypto-type attacks. A group of hackers known as TheDarkOverlord has pirated hundreds of thousands of digital medical and dental records across the country. These ransomware schemes encrypt or lock medical records or other critical files and demand a ransom in bitcoin for regained access. Medical records are highly valuable on what is known as the “dark web,” and crime groups pay top dollar for hacked personally identifiable information.

How Do You Avoid Becoming a Victim?

We recommend that you protect your practice through:

  • Annual HIPAA Security Assessments
  • Layered Security
  • Robust Data Backup Solution
  • Security Awareness Training

An annual HIPAA Security Assessment is not only a requirement of HIPAA/HITECH compliance, but is also a best practice for protecting systems and evaluating vulnerabilities.

Layered security is also recommended because you want to have multiple defenses in place (e.g. firewalls, updated patching, consistent antivirus across all endpoints). This approach includes perimeter defense, which can call for a firewall with deep-inspection capability (protecting the outside of your network), as well as internal defenses such as intelligent spam filtering, vulnerability patching, password policies, and antivirus/antimalware support.

Robust data backup solutions with onsite and offsite copies are also critical to a strong data protection plan. If something happens to the servers, you have it backed up on your site; if something happens to the building, you have it stored off site. When you need to restore something, having confidence that your files are there and usable is key. Data backup is also the best protection against ransomware and crypto type threats.

Security Awareness Training

Yet, in today’s world, having a strong firewall, backup, and antivirus software is no longer enough. Unfortunately, the majority of breaches that occur today are the result of social engineering or unsuspecting employees opening a malicious email or clicking a harmful link.

Do you think this could happen to someone on your team? If you set up a simulated attack, would anyone fall for it?

In the weeks after an actual cyber theft of customer assets in 2015, financial institution JPMorgan sent a fake phishing email to their employees to test their reaction. According to the Wall Street Journal, 20% of staff opened it. If this had been real, it would’ve been disastrous for the bank’s networks. Remember, it only takes one person opening that email for the entire system to become infected.

Phishing emails have gotten more sophisticated over time, and it is often less obvious that an email carries malware. The idea is that we can train users to identify malicious and phishing emails.

I recommend that your entire team undergo security awareness training (we do it for our own organization). This training can take many forms including fake phishing emails, training videos, and even alerting our clients to real malicious emails that have been sent. The idea is to better prepare users for real-world situations.

What to do After a Data Breach

Experiencing a data breach can be an extremely scary scenario, and, as in any emergency, how an organization responds is critical. First off, document, document, document. Next, contact critical IT personnel and isolate affected systems from the network; do NOT power off breached systems (powering them off destroys volatile evidence held in memory). At this point, begin analysis and respond according to your organization's WISP (Written Information Security Policy).

As any practice manager or organizational stakeholder in a breach scenario, you need to be able to answer these questions:

  • Who is responsible for the breach?
      ◦ External hackers?
      ◦ Internal personnel?
  • When did the breach occur?
  • How did the breach occur?
      ◦ Were servers or systems hacked?
      ◦ Did an employee unlawfully access the information?
  • Was protected health information compromised?

There will also be a point when it may be advisable to engage legal counsel and IT security professionals to help with response and prevention of further harm.

How Do I Report a Data Breach?

There are laws (state and federal) that dictate the responsibilities of businesses whose data has been breached, whether it was employee data, or client/patient data. Contact professional legal counsel who can assist with a notification plan and provide proper communication and documentation related to the breach.

They’ll be Back

A breach or even a close call (like opening a phishing email) can attract other attacks. Post-breach it’s important to:

  • Conduct a thorough security audit to identify any additional risks
  • Remediate all identified risks
  • Establish proper protections and protocols for future threats

Moving Forward: The IT Assessment & Beyond

You’re likely wondering: Are we really protected? Do we have a layered security posture? Do we have enough training for our staff?

One solution for peace of mind includes an IT assessment to establish baseline knowledge of your technology infrastructure and uncover any potential vulnerabilities. The Electronic Office will develop a comprehensive overview of your current systems and prepare recommendations based on industry best practices.

The Electronic Office delivers worry-free, trouble-free security for your organization’s network. We offer installation, configuration, monitoring, patch management, and continuous updates to ensure robust protection against today’s advanced IT threats. We provide around-the-clock monitoring, management, and remediation. Our knowledgeable security support team is available 24/7/365 to address problems quickly. As business needs change, our team will work to fine-tune your security plan. With our expertise and support, you can rest easy knowing your network systems—and your business—are secure.

Company News: Our Commitment to the Lifesaving Work of Mission Health

At Electronic Office, we strive to be a good neighbor in our hometown of Asheville, NC. One way that we show our commitment is through charitable giving. Our relationship with Mission Health has been going strong for more than 30 years because we have seen the enormous positive impact they have on the people of Western North Carolina. We were recently honored at Mission’s Mountains of Hope event and by a visit and presentation by Mission Health’s CIO Jon Brown.

Mission’s State-of-the-Art Virtual Care Centers

Because of our region’s mountainous terrain, rural physician shortages, and other disparities and barriers, many families and communities are isolated from reliable healthcare. Mission Health is poised to launch a transformative network of Virtual Care Centers, which would help hospitals and health systems utilize physicians more efficiently, connect specialists to rural physicians or hospitals, and improve patient access to care. Virtual care will help:

  1. Prevent disease
  2. Educate our community
  3. Assist in the management of chronic diseases prevalent in the WNC population
  4. Expand care sites to patient homes
  5. Improve access to primary and specialty providers across WNC
  6. Drive healthcare value-improvement through consumer connectivity
  7. Disseminate discoveries for the benefit of care improvement across the nation

Our Investment in Mission’s Success

This year, the employees of Electronic Office made a five-year commitment to support Mission Health. Our gift directly supports the Virtual Care Centers of the Center for Advanced Virtual Care. These state-of-the-art Virtual Care Centers will ensure that WNC residents have access to healthcare services when and where they need them.

Thank You, Mission Health!

We applaud Mission Health on their vision and action. We believe in these innovative solutions to enhance timely and convenient access to healthcare for the rural communities of WNC. Thank you, Mission Health! We are honored to support you.

IT Industry News Round-up December 2017 Edition

In this round-up, we focus on important information on cybersecurity and protecting your data. We also take a look at the growing trends in Information Technology to combat threats to privacy. With 2017 coming to a close, we look ahead at expert predictions of what’s likely to come and how we (and our systems) can best be prepared.

When a Data Backup isn’t Enough: Ways to Protect Against Ransomware

After a ransomware attack or any kind of data breach, the companies with good backups and a well-tested restore process are typically the ones who can bounce back most quickly. Cybercriminals are escalating their efforts, however, beyond infecting single workstations. Many are aiming to destroy backup processes and tools as well.

In his article Ransomware Will Target Backups, Rod Mathews, Senior VP & General Manager of Data Protection Business for Barracuda, offers four recommendations to help companies protect their backups against ransomware attacks. These efforts will keep backups at the top of the list of ransomware defenses and will reduce the risk of losing data in the event of an attack.

Read the full article.

Online Security Myths

Do you live under the impression that your Mac is bulletproof against intrusions and malware? That protection software makes your computer slow? That hackers won’t bother attacking your computer because you’re just one person out of billions? If so, keep reading—these three myths and others are causing big problems. Don’t let a lack of knowledge leave your data vulnerable. In 8 Myths About Online Security, F-Secure dispels these online security myths.

Read the full article.

Cyber Security Predictions for 2018

2018 is right around the corner. In this Information Age article, Mike McKee, CEO of insider threat management company ObserveIT, offers his predictions regarding cybersecurity in 2018. In his forecast, he says that social engineering tactics by cybercriminals will continue to pick up speed. One way of combating human error is through education and awareness training. Next year, companies will be investing more time and effort in training their workforce. Will you?

Read the full article.

Electronic Office IT Security Services

Wondering how your own business’s IT posture compares to IT best practices? Worried that you may be open to risk? At Electronic Office, we offer IT Assessments that identify your company’s IT strengths, weaknesses, and risks, and provide a series of recommendations to remediate the weaknesses and risks. We recommend that every company solicit an IT assessment every two years—even if you already have someone managing your IT. Think of it as an independent audit.

Our goal with an IT Assessment is to provide all the necessary information to your team so you can know where you stand and what steps you can take to remediate any weaknesses and risks.

Four Things Small and Mid-Size Businesses Need to Profit from the Digital Transformation

The digital age continues to deepen its impact on businesses of every size. Large companies are routinely challenged by smaller, more innovative competitors. Organizations that have dominated their industries for decades risk being displaced virtually overnight by data-powered business models. And the right technology makes all the difference.

For many smaller companies, traditional ways of managing data make it hard to capitalize on the digital transformation. Simply storing large amounts of data locally can be prohibitively expensive, and implementing the tools to make sense of it adds a new layer of challenges. Microsoft offers a look at the 4 basic things you need to consider when building the data foundation of your digital business transformation.

Electronic Office Sponsors Local Benefit

On Friday evening, Electronic Office staff and friends attended “Transformation Celebration,” an Asheville Buncombe Community Christian Ministry (ABCCM) benefit to raise funds to support Buncombe County residents in need. ABCCM provides transitional housing to men, women and children, as well as free medical clinics, crisis centers and jail outreach. The evening included a silent auction, food, and live entertainment. Thanks to ABCCM for allowing us to be part of such a great event and worthy cause.