Can you afford to close your doors for 2-3 weeks while a cyberattack is investigated and remediation is performed?
Cyberattacks are continuing at an alarming rate and we witness practices being victimized on a regular basis. Hackers are now encrypting and stealing the practice’s data, forcing them to pay the ransom to avoid having their patient data made public.
The Consequences of a Cyberattack
In many cases, the owners or managers of a practice do not fully understand the significant operational, financial, emotional and reputational impacts of a cyberattack. While it is easy to dismiss the potential threats or rely on an IT company, this is often insufficient. IT companies cannot provide the advanced security required to properly protect physicians’ offices from sophisticated hackers.
The moment any staff member connects to the internet, there is an inherent risk. Practice managers will say, “I have multiple local and Cloud backups so if I get hit with ransomware, it will be easy to recover.”
Cybersecurity is not just about recovery, it is about protecting highly confidential practice and patient data. In the majority of the cases we have worked on, the threat actor has stolen most or all of the victim’s data and either threatened to release or has released the data.
Can you afford to close your doors for 2-3 weeks while the cyberattack is investigated and remediation is performed? Would your organization survive financially, reputationally and operationally from this type of an attack?
Ways to Protect a Medical Practice
There are many technologies and solutions that can help prevent the theft and encryption of a practice’s data. Let’s review the top 10 ways you can minimize the chance of attack against your practice.
10. Strong, Unique Passwords and Password Managers
Utilize password management tools to create and manage strong passwords for every application you use and website you visit. These tools, which often only cost a few dollars per month, generate unique passwords. When you visit a website for the first time, the password manager will ask you if you would like it to generate a unique password. If you say yes, it will insert it for you and store it. Another advantage of password managers is that they allow you to rescind access to websites and applications upon termination of an employee. If you opt not to use a password manager, make sure you create unique passwords for every website and application with a minimum of 14 characters using a combination of numbers, letters and special characters.
9. Multi-Factor Authentication
Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is a powerful tool that utilizes either SMS text messaging or a security APP such as Google Authenticator to validate your login. These technologies work by sending you a SMS message with a code or requiring you to confirm a login attempt. If a hacker steals your username and password and tries to log into one of your accounts, MFA or 2FA should block their access since they most likely cannot access your text messages or phone.
8. Encrypting Data at Rest
A tool such as Microsoft BitLocker can help protect data at rest from exploitation. BitLocker encrypts all the data on your hard drive, so that if the device is lost or stolen, a criminal cannot access the contents. However, if the computer is powered up, logged in and an unauthorized individual gains access, the data will not be encrypted by BitLocker and you risk having your data accessed or lost.
7. Online and Offline Backups
Practices should use two forms of backup: online and offline. Online backups are typically done in the Cloud, where all your data is replicated on a daily basis. In addition, on at least a weekly basis, all your data should be copied to an external hard drive and the drive should be physically disconnected from the network. In many cases, threat actors have gained access to Cloud technology and either erased or encrypted the backups being stored. Keep in mind, neither of these technologies will prevent the theft of your data and you may still be forced to pay the ransom to prevent the leaking of your data.
6. Security Risk Assessment
A Security Risk Assessment (SRA), conducted by a credentialed security expert, helps a practice identify and understand where it has operational risk that may enable the execution of a cyberattack. Upon completion of an SRA, the assessor will provide the practice with detailed findings and recommendations.
5. Cybersecurity Awareness Training
Cybersecurity awareness training empowers all employees to identify and mitigate attacks that occur through phishing, spear phishing, vishing, business email compromise, etc. The training should be ongoing and facilitated by a third-party company that understands the latest threats.
4. Internal and External Vulnerability Management
Devices, software, computers and firewalls all have vulnerabilities (think of these as “unlocked doors and windows” on your network) that hackers can run tests against and potentially exploit. Firewalls should be scanned at least monthly and computers scanned daily. The results of the vulnerability scans should be prioritized so decisions can be made on how to best mitigate the risk.
3. Penetration Testing
A penetration test is performed by an ethical hacker who assumes the role of a criminal and attempts to breach your network and/or data. This is much more advanced than vulnerability management and can help expose weaknesses in your environment and/or employees. A penetration test must be conducted on at least an annual basis.
2. Extended Detection and Response (XDR)
XDR software is the next generation of “anti-virus” technology that helps an organization minimize its exposure to cyber events. It typically utilizes Artificial Intelligence (AI) and is designed to act on its own by “killing” malicious code and isolating computers. Many insurance companies have started to require the implementation of this technology on networks as a condition of binding insurance.
1. Seek a Specialist…Not a Generalist
One of the biggest mistakes practices make is relying on a generalist like an IT company or Managed Service Provider (MSP) for security. Most IT companies and MSPs specialize in building and maintaining networks, not in cybersecurity. You need to work with a specialist in cybersecurity who has the advanced training, tools and certifications to ensure that your network is being properly secured. You should never have your IT company auditing its own security measures.
Secure Your Practice’s Data – Today
Taking these steps and giving your physicians and staff members the knowledge to identify potential risks can significantly reduce the risk of your practice being the victim of a ransomware or similar cyberattack.
Gary Salman is CEO of Black Talon Security (www.blacktalonsecurity.com), a Katonah, NY-based company specializing in cybersecurity solutions for small- and medium-sized practices. He has more than 30 years of experience in information technology and software design. Mr. Salman also lectures nationally on cybersecurity topics.