There’s been a lot of debate in the medical community over the need for cybersecurity in recent years. The Health Care industry continues to push requirements that stifle the health care process. Simultaneously, news outlets are sensationalizing cybersecurity with “hysteria marketing” in an attempt to garner a bigger national audience. As we have seen in recent months, the controversy over the threat of cyberattacks in Hawaii was settled when we all learned how a cyberattack on Hawaii Radiology Associates brought Hawaii’s entire radiology industry to its knees.
Hi, I’m Ryan Yanagihara, an IT professional of 22 years, business owner and Hawaii native. Over the last 6 years I’ve been assisting organizations throughout the Big Island recover from and deter cyberattacks. In this post I’m going to share with you a distillation of our experiences and list the 10 ways you can improve your organization’s cybersecurity IMMEDIATELY. Before I dive into what could potentially save your medical practice from downtime, data breaches and federal fines, I’d like to discuss what cybersecurity is and some common misconceptions about it.
What is a Cyberattack?
“Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” (CISA.gov)
The computers and mobile devices you use every day to store or access information are a target for cyberattacks. Personal information that can be sold or ransomed in a vast criminal network is one of many lucrative motives for cyber criminals. Information systems storing patient records are considered a high-value target. If captured, these records can financially sustain a criminal’s escapade of digital terrorism indefinitely. Cybersecurity is the practice of ensuring information systems are adequately protected against these threats of a digital nature.
Business leaders I connect with sometimes confuse cybersecurity with sophisticated burglar alarm systems accessed through their smartphone. In other cases, anti-virus software is relied on as the sole deterrent against sophisticated cyberattacks. With regard to HIPAA compliance, health care providers are often satisfied with their cybersecurity measures so long as their EMR software is HIPAA compliant.
Cyberattacks range from your garden-variety “phishing scams”, where the attacker cleverly convinces the victim to unwittingly disclose information via email, phone call, or SMS text, to more sophisticated attacks that use thousands of compromised systems across the globe to disrupt the operations of a single target. While this may sound like technical wizardry, the everyday user can access free information available on the web and learn the trade of cyber crime. This free access to information is one contributing factor to the proliferation of cyber threat actors across the globe. With a few software tools and a basic understanding of the internet, one curious teenager can easily initiate a cyberattack on a target thousands of miles away, completely undetected.
What is the Objective of a Cyberattack?
The goal of these attacks varies. Threat actors range from your typical “script kiddie” looking to prove their technical teenage prowess to their friends, to multi-national crime syndicates operating in a coordinated effort to pilfer vast amounts of data for a big payout. Governments, militia groups, hacker communities, and the occasional ‘lone wolf’ with a massive IQ are all on the growing list of threat actors responsible for some of the biggest cyberattacks in recent memory.
Misconception #1: HIPAA compliance guarantees security.
The Health Insurance Portability and Accountability Act (HIPAA) defines guidelines for security policies as they pertain to the confidentiality of electronic protected health information (ePHI), but it does not specify how these policies are implemented in modern health care, or what specific hardware or software security controls to use. It is the responsibility of the IT and cybersecurity industry to establish standard operating procedures that deliver both compliance and security.
As you may know, EMR software vendors ensure their products are HIPAA compliant. If you are currently using EMR software to manage your practice, you may be under the impression that your EMR software’s compliance also ensures your medical practice is both compliant and secure.
HIPAA compliance assessments are performed against an entire organization: network infrastructure, employee vetting, access procedures and documentation all play a role in an ongoing process of assessment and compliance. Your EMR provider guarantees HIPAA compliance of their product to cover their end of the liability. That guarantee 1) does not mean that your organization is in full compliance, and 2) does not ensure implementation of relevant security measures across the entire organization.
Misconception #2: The devices you use at home are adequate for work.
- Writing passwords on post-its.
- The off-the-shelf wireless router from Costco.
- The second hand laptop you share with your kids.
- Saving all of your important data to a USB hard drive.
- Using the free subscription to McAfee that came with your PC.
- Old servers that haven’t received a security patch since 2011.
If your approach to managing your office network sounds a bit like this, your organization falls into the high-risk category for cyberattack.
While it is an inexpensive and quick way to get your business up and running, treating your office network like your home network is exactly what cyberattackers are counting on. Name-brand consumer-grade hardware and software purchased from retail outlets are at the greatest risk of cyberattack due to their popularity and lack of security controls. IT professionals and cybersecurity analysts avoid these products because they are often the subject of widespread (nationwide) cyberattacks that affect hundreds of thousands of devices in a matter of hours.
Misconception #3: Cybersecurity is a break/fix process.
Cyberattackers are vigilant in their efforts to invent new ways to gain unauthorized access to your data. Keeping systems secure is an ongoing task of continuous management. Device monitoring, patch management, endpoint protection and access management all play a significant role in ensuring adequate security and compliance for your organization month after month. Waiting until something breaks can be costly considering the consequence could mean the loss of all company data. Performing monthly or quarterly assessments of your information systems ensures your organization is both secure and compliant.
At a Glance: A Typical Method of Cyberattack
Now that you are a little more familiar with what cybersecurity is and is not, let’s take a look at an example cyberattack where a medical practice using cloud-based EMR software serves as an attack vector for a much larger target:
A member of staff receives an email from what appears to be the manager or CEO explaining difficulties they are having logging in to the EMR cloud portal. The “manager” asks to be sent the staff member’s login information, as they may have forgotten their own. As it turns out, “the manager” is our threat actor. The attacker compromised the organization’s email services and posed as the CEO to mislead this staff member, tricking them into disclosing a username and password that grant the attacker full access to patient health records.
After signing in to the EMR portal, the attacker begins monitoring the interaction between the web server hosting your patient data and the computer they signed in from. Using this information, they identify a vulnerability in the security of the database server hosting your patient data. They also discover that this vulnerability exists for every other practice hosted by your EMR software provider. Within a few days, the attacker gains access to hundreds of medical practices hosted by that provider, amounting to thousands of patient medical records. All from one email. And not once did the attacker use a detectable computer virus to gain entry.
Cyberattacks are as much a science as they are an art form. Cyber criminals take satisfaction in elegantly penetrating systems regarded as highly secure. While the media reports on cyberattacks that result in stolen assets or malicious destruction, the most successful attacks often go completely unreported and undetected. The skill required to carry out this kind of attack is considerable, but implementing some basic security controls can complicate the attempts of an attacker trying to gain unauthorized access to your data. Your systems do not need to be impenetrable, just secure enough for the attacker to give up and look elsewhere.
The 10 ways you can enhance your organization’s cybersecurity right now!
10) Employee training:
Admittedly, even for someone who has accumulated more than two decades of technical expertise, it can be difficult to keep up with the aggressive posture threat actors maintain month after month without the right tools. Employees with little to no technical training present a high degree of risk to an organization, considering these attacks become increasingly sophisticated over time. Attempts to gain unauthorized access to your data come in many forms and often involve baiting users into unwittingly performing actions that allow the attacker to gain entry to your system.
The practice of sending fraudulent information such as texts, emails and automated phone calls in an attempt to elicit personal information from the user is called “Phishing”. Users authorized to access confidential information can be tricked into installing software that appears legitimate. While seemingly innocuous, these actions ultimately result in the attacker gaining administrative access to your system.
Some common forms of Phishing involve a combination of social engineering and inserting malicious links into web ads or emails that appear legitimate. Web ads or emails with malicious links send the user to a web page that loads a popup disguised as a legitimate message window. When the user attempts to close or interact with the window, they are prompted with another message baiting the user to click a link that allows them access to your system.
9) Identity and Access Management:
Delegating access to company resources can seem like a simple task: Password protect key resources and assign user accounts to employees according to levels of security clearance. As some medical practices may have discovered, Identity and Access Management under HIPAA compliance also requires a cadre of policies that can sometimes be more trouble than they’re worth.
Account lockouts after 3 failed attempts to sign in. Account log-off after 15 minutes of inactivity. Minimum password complexity requiring a mix of characters, numbers, symbols, etc. Changing your passwords every 90 days. Members of staff often report a loss of productivity due to the access management policies in place, especially when you consider that your computer workstation will also need to adhere to these requirements. Maintaining multiple passwords that frequently change can be confusing for some users, often leading to multiple account lockouts during the day, and health care providers find it hard to justify the resulting delays in their ability to treat patients.
So how can you simplify password management and still remain HIPAA compliant?
First, disable generic administrator accounts entirely on computer workstations, network printers, Wi-Fi routers, laptops and servers. Create new accounts with a unique user name such as a company abbreviation, your name, or a unique phrase. Assign administrative access to these accounts and store their passwords in a secure password storage application (LastPass, Keeper, etc.). Install your password storage application into your web browser so that your passwords autofill and update for business-critical web portals. Second, enable two-factor authentication on any third-party software or web portal containing PHI. Develop a standard operating procedure for digital storage of these passwords.
Generic or default accounts such as ‘admin’, ‘administrator’ or ‘guest’ come standard on almost all PCs and consumer network appliances (Wi-Fi routers, switches). Threat actors lean on these accounts when attempting to gain entry to your production network. Most of the time, they are using a ‘brute-force’ attempt, playing the lottery by guessing your account password, and these brute-force tools usually assume that ‘administrator’ or ‘admin’ is the username. By disabling these accounts and creating a custom administrative username you significantly reduce the risk of cyberattack. These techniques help eliminate viable vectors for ransomware attacks.
Identity and access management can sometimes seem like a choice between lost productivity and complete vulnerability. While password policies can present a learning curve for some, you can implement the solutions I’ve mentioned to simplify password management, deter cyber attackers, and remain HIPAA compliant.
8) Firewall Security
This layer of security functions as your first line of defense against cyberattacks. Firewall appliances allow you to control and monitor the data interactions between your computers and the internet. A firewall acts as a protective barrier separating your network data from the rest of the internet. When used correctly, not only can you prevent Cyberattackers from infiltrating your network, you can remain completely invisible to attackers.
While a firewall is standard on most Wi-Fi routers, firewalls differ in their capabilities and sophistication. Most commercial-grade firewall appliances range from $500 to $5000. When a cheap Wi-Fi router from Costco or OfficeMax costs about $150, you may be asking “Why are firewall devices so expensive? Do I really need an expensive firewall?” The simple answer is a resounding YES, you do. Let me illustrate one common scenario:
A “botnet” in Hong Kong, consisting of thousands of simple automated computer programs (bots), scours the internet for viable targets with a public IP address. These bots are designed to seek out firewalls and routers publicly visible on the internet and gather the information the attacker uses to determine target viability. A fully functional botnet is capable of discovering thousands of networks in a matter of hours. The attacker simply enters a single command and goes afk (away from keyboard), watching Netflix and sipping a latte while this takes place.
While the average medical practice may not store enough PHI to catch the eye of highly skilled hackers, these botnets make light work of identifying thousands of smaller, more viable targets across the globe. Attackers perform this type of reconnaissance to identify devices with known vulnerabilities they can exploit. By identifying hundreds of viable targets, they increase their chances of discovering systems weak enough to penetrate completely undetected.
So then, what chance does a Wi-Fi router from your Internet Service Provider or Costco stand against Hong Kong hackers? Not much. In fact, the most common techniques used by threat actors are designed to target the devices of popular manufacturers. When we consider that these devices use computer chips often manufactured in China, and lack the ability to keep a detailed log of their own activity, attacks can occur without raising any flags or alarms.
For roughly the same cost as a commercial laser printer, you can purchase a firewall that keeps pace with the rate of cyberattack advancement. Firewalls appropriate for small to medium-sized businesses now come with the full weight of the manufacturer’s multi-billion dollar security network. Traditional firewalls identify and prevent attacks using a database of known attack signatures; basically, a firewall can only deter what it is aware of.
This new generation of cloud-based firewalls integrates with the manufacturer’s global threat detection infrastructure. We are able to leverage the supercomputing power of data centers through a device roughly the size of a cigar box to keep the pesky hackers at bay. Cloud-managed firewalls enable a level of security not previously available to small-to-medium sized businesses. We recommend the Fortinet FortiGate series or the Cisco Meraki series of cloud-managed firewall appliances.
If you are currently using a retail Wi-Fi router to manage your office network, here is a trick that can potentially reduce the chance your router will be discovered by a botnet. Log in to your Wi-Fi router and disable the “Respond to pings” feature. This tells your router to ignore a common method botnets use to discover your Wi-Fi router.
For best results, have someone with a strong technical background set up and maintain your firewall. Either way, using devices from Cisco or Fortinet ensures your organization is backed by one of the most advanced cybersecurity networks in the world.
7) Event Management and Monitoring
When your systems begin to malfunction, these incidents are stored as events in the system’s event log. Your computer systems, network appliances, mobile devices and software applications log everything from the users accessing a system, to the changes those users make, to system errors that occur without the user being prompted. When you consider that the average medical practice may maintain anywhere from 30 to 200 devices (mobile devices included), that can add up to thousands of events to sift through on a weekly basis.
Event management and monitoring in theory sounds like a lot more work than it is in practice, and there are simple tricks you can use to simplify the process. IT professionals use software services that centralize the logs of all devices into a single cloud management dashboard, but here is one easy way to deter unauthorized attempts to access your patient records. Most EMR software providers include email notification features. Practice admins can set up an email notification that is sent whenever a member of staff logs in to your EMR portal, which allows you to identify suspicious login attempts after business hours.
- Create a new company email account with your preferred email provider. This account will be used to send automated notifications of your EMR portal user logins.
- Enable “Email notification of user login” in your EMR software portal. If it is not clear where to do this, consult your EMR provider’s support for further assistance.
- Assign the new email address you created as the “Email notification of user login” email address.
This feature will help you identify:
- Suspicious login attempts after business hours.
- Suspicious login attempts from foreign locations.
- Excessive failed login attempts in short periods of time.
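The three patterns above can be checked automatically once the notifications are collected. The following is an added example (not code from this post or from any EMR vendor) that triages a constructed set of login notification records; the clinic hours, the expected country and the 3-failures-in-10-minutes window are assumptions, with the failure threshold mirroring the 3-strike lockout policy mentioned earlier.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample records in the shape one might extract from the EMR
# portal's "email notification of user login" messages.
# Fields: local date, local time, username, source country, outcome.
SAMPLE_NOTIFICATIONS = """\
2023-05-02 08:05:11 jdoe US success
2023-05-02 12:40:03 asmith US success
2023-05-02 23:17:45 jdoe US success
2023-05-03 03:02:10 asmith RO success
2023-05-03 09:00:01 bwong US failure
2023-05-03 09:00:09 bwong US failure
2023-05-03 09:00:18 bwong US failure
2023-05-03 09:00:26 bwong US failure
2023-05-03 09:15:00 clee US failure
2023-05-03 14:30:00 clee US failure
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours (local time)
EXPECTED_COUNTRIES = {"US"}                  # assumed: where staff normally sign in from
FAILURE_THRESHOLD = 3                        # mirrors the 3-failed-attempts lockout policy
FAILURE_WINDOW = timedelta(minutes=10)       # assumed burst window


def parse_notifications(text):
    """Parse one record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, country, outcome = line.split()
        records.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "country": country,
            "ok": outcome == "success",
        })
    return records


def triage(records):
    """Return (reason, user, timestamp) alerts for after-hours logins,
    logins from unexpected countries, and bursts of failed logins."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures in window
    for r in sorted(records, key=lambda rec: rec["when"]):
        if r["ok"] and not (BUSINESS_HOURS[0] <= r["when"].time() <= BUSINESS_HOURS[1]):
            alerts.append(("after-hours login", r["user"], r["when"]))
        if r["ok"] and r["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("login from unexpected country", r["user"], r["when"]))
        if not r["ok"]:
            # keep only failures inside the window, then alert once when the threshold is reached
            window = [t for t in recent_failures[r["user"]] if r["when"] - t <= FAILURE_WINDOW]
            window.append(r["when"])
            recent_failures[r["user"]] = window
            if len(window) == FAILURE_THRESHOLD:
                alerts.append(("repeated failed logins", r["user"], r["when"]))
    return alerts


if __name__ == "__main__":
    for reason, user, when in triage(parse_notifications(SAMPLE_NOTIFICATIONS)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user:<8} {reason}")
```

Two spaced-out failures (clee) produce no alert, while asmith’s 3 a.m. login from abroad raises both an after-hours and a foreign-location alert.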
Event monitoring, like many of the topics in our list, is an ongoing process, but if used correctly it can serve as an early warning system. For best results, an intermediate level of technical proficiency is recommended to interpret these events and determine the appropriate remediation. However, you can use the built-in features of your EMR software to improve on your current security. Remember, there’s no need to turn your office network into “Fort Knox”. We simply need to make it difficult enough to break into your network that the attacker looks elsewhere.
Proper implementation of event monitoring can help prevent most incidents which result in system downtime or loss of data. Consult with a provider of IT services for proper implementation.
Thank you for taking the time to visit our blog. In Part 2 of this blog post, I’ll discuss email security, endpoint protection and some other interesting ways you can enhance your medical practice’s cybersecurity immediately. If you’d like to contact us directly, please take a moment to schedule a free consultation, or go to the bottom of our home page to download our whitepaper on how your organization can benefit from a partnership with KTS.
TO BE CONTINUED……