“It can’t happen to me.”
“Why would they want to hack my practice? I have no valuable information.”
“I’m a small practice with only a few doctors.”
“How can they even find me?”
All of these questions have one thing in common: everyone who fell victim to a Cyber Attack asked themselves these same questions.
The U.S. Department of Health and Human Services maintains a website of all data breaches reported and currently under investigation by the Office for Civil Rights. In the past 24 months, there have been 397 breaches reported and investigated with a total potential loss of greater than 15 million patient records. It should be noted that many of the breaches were caused by Hacking or an IT Incident.
As healthcare professionals, you have a personal responsibility to your patients outside of any legal obligation. You must do everything in your power to safeguard your patients’ personal and health information. Doctors do so many things to maintain their patients’ trust; a lax Cyber Security posture, leading to a breach, can quickly destroy that trust.
Hackers have existed since the early days of computers, and their numbers will continue to rise, with their sophistication increasing rapidly. IBM CEO Ginni Rometty has said cybercrime is today’s greatest threat to global business. Devices can be connected to a global network, which creates a giant hive of people, places, and things. Bad people exist, and they want access to your information so that they can get access to your money.
There are many different attack vectors in today’s complex, interconnected world of computers that could enable a hacker to compromise your system. A few examples of the types of tools used by modern-day hackers are:
- Phishing – the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.
- Spear Phishing, more serious than Phishing – the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. Example: a team member receives an email that appears to be from the doctor or an administrator.
- Social Engineering – the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Example: a team member receives a phone call from someone pretending to be from your practice management software company.
- Malware – software that is intended to damage or disable computers and computer systems.
- Trojan horse, or Trojan – any malicious computer program that misleads users as to its true intent.
- Brute Force – a trial-and-error method used by hackers to “guess” your password; this can also be automated with a computer program.
As you can see from the list above, hackers employ many methods to infiltrate computer systems. However, there are steps you can take to reduce a hacker’s chances of success and improve your dental practice’s Cyber Security posture:
- Passwords – It is important to have a strong password policy and process in place. All users must be required to have their own unique, complex password. Examples of complex passwords might be: d0gsaremybestfr13nds or ePYHc~dS*)8$+V-‘. Avoid common passwords like 1234, abcd or password1, and avoid personal details such as children’s names or birthdates. Passwords should never be shared or written down. Passwords should be changed at regular intervals, i.e. every 90 days, and users should not be allowed to re-use the same password for a set period of time.
- Two-Factor Authentication – Using your cell phone’s text messaging feature to authenticate your identity. For example, when you log into your email account for the first time or from a new computer, the email system sends you a text message containing a passcode, which you then enter into your login screen. This way, if a hacker has compromised your username and password, they hopefully do not also have access to your phone, which makes it extremely difficult for them to access your account.
- Software Updates – Out-of-date and obsolete software is a hacker’s playground. Known vulnerabilities for these types of systems are readily available on the dark web. To significantly reduce your practice’s risk, it is important to patch and update all systems in accordance with the manufacturers’ guidelines. Systems that have reached EOL (End of Life) should be upgraded and the old systems removed from your network. For example, your PC may not be set up to automatically download and install Windows updates. This leaves you vulnerable to an attack.
- Backups – The key to successfully recovering from a Cyber Attack is having a solid backup strategy. Having your backups encrypted and stored off-site, in a secure environment, is the foundation of an effective backup plan. It is also necessary to periodically verify the validity and completeness of your practice’s backups.
- Disaster Recovery – Many practices believe that having a backup means they have a disaster recovery plan. Don’t be fooled by this popular misconception. A disaster recovery plan is a documented process or set of procedures to recover and protect a business’s IT infrastructure in the event of a disaster. Such a plan, ordinarily documented in written form, specifies the procedures an organization is to follow in the event of a disaster. A successful backup is an integral part of the plan, but the plan must also map out the other steps needed to bring the practice back to full capacity.
- Documentation – To avoid any confusion about your practice’s policies and procedures, it is always best practice to document everything. A good rule of thumb is: if it isn’t written down, it doesn’t exist. In addition to writing all of this down, it is important to validate on a periodic basis that your staff members are adhering to those policies and procedures.
- Staff Training – Training your staff is one of the most important parts of a well-rounded Cyber Security Plan. The landscape of IT and IT Security is ever-evolving, and we, as humans, must make sure we are constantly aware of the changing rules. Hackers look for the weakest link in the chain, and a properly trained staff member significantly strengthens the human link. Under the HIPAA Security rule, practices must implement a cybersecurity awareness program that teaches staff how to identify and mitigate risks associated with using the internet.
- Vulnerability Scanning – an inspection of the potential points of exploit on a computer or network to identify security holes. Think of this as someone coming to your home, verifying that all your windows and doors are locked and identifying any weakness in your home’s infrastructure. This should be done by an independent, qualified Cyber Security organization, not your IT company, who can then work with your local IT company to close the “doors and windows”.
- IT Support – Choose an IT partner who has experience working with organizations like yours and is well versed in common best practices for securing your infrastructure. The more progressive IT companies work in conjunction with Cybersecurity companies to harden and secure your network.
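The password policy described in the Passwords item above (unique and complex passwords, no common passwords or personal details, rotation every 90 days, no re-use of recent passwords) can be enforced in software rather than left to memory. The following is an added example written for this article, not code from Black Talon Security or any practice management product; the minimum length, the two-character-class rule, the five-password history and the small common-password list are assumptions chosen so that the article’s own sample passwords pass, and a real deployment would use a much larger breached-password list. Password history is stored as salted PBKDF2 hashes, so the checker never keeps plaintext passwords.

```python
"""Password policy checker (added example; assumptions are noted in comments)."""
import hashlib
import hmac
import os
import re
from datetime import date

# Assumed policy parameters (the article only fixes the 90-day rotation).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 2      # e.g. lower-case + digits, as in d0gsaremybestfr13nds
ROTATION_DAYS = 90
HISTORY_SIZE = 5               # a user may not re-use any of their last 5 passwords

# Constructed list; a real deployment would use a full breached-password list.
COMMON_PASSWORDS = {"1234", "abcd", "password1", "password", "123456", "qwerty"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_complexity(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: children's names, birth years, etc. that must not appear
    in the password (the article warns against using such details).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"must mix at least {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for term in personal_terms:
        if term and term.lower() in password.lower():
            problems.append(f"contains personal information ({term})")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def was_used_before(password, history):
    """history: list of (salt, digest) tuples, oldest first; only the last
    HISTORY_SIZE entries count toward the re-use rule."""
    for salt, digest in history[-HISTORY_SIZE:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def password_expired(last_changed, today):
    """True once ROTATION_DAYS (90, per the article) have passed since the change."""
    return (_as_date(today) - _as_date(last_changed)).days >= ROTATION_DAYS


def evaluate_change(new_password, history, personal_terms=()):
    """Run every rule for a password change; returns (accepted, reasons)."""
    reasons = check_complexity(new_password, personal_terms)
    if was_used_before(new_password, history):
        reasons.append(f"re-uses one of the last {HISTORY_SIZE} passwords")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed demo: a user whose only previous password is the article's first example.
    history = [hash_password("d0gsaremybestfr13nds")]
    for candidate in ("password1", "d0gsaremybestfr13nds", "ePYHc~dS*)8$+V-"):
        print(candidate, evaluate_change(candidate, history, personal_terms=["Emma"]))
    print("expired after 91 days:", password_expired("2024-01-01", "2024-04-01"))
```

The expiry check is kept separate from the change check because it is evaluated at login time, not at change time: a login routine can call `password_expired` and force a change, then call `evaluate_change` on whatever the user proposes.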
While the enemy may get stronger and tougher as time progresses, you can be proactive in protecting your practice and your patients’ trust. If you follow the rings of trust below and have a complete, well-rounded Cyber Security Program, you can improve your posture, comply with the HIPAA Security Rule and minimize loss of patient trust.
Article written by and submitted courtesy of Black Talon Security. For more information on Cyber Security for your Practice, contact Black Talon Security at [email protected] or by calling 1-800-683-3797