Cyber security remains an issue that is not only of interest to IT nerds but should be one of increasing importance to directors and managers of Australian healthcare practices. At the AAPM national conference in October, Avant will present a session on cyber risks, and the same day I will discuss cloud computing. Make sure you attend these sessions.
Readers of this journal may recall a series of articles in previous issues of the Practice Manager that highlight the ever-increasing trend line of cyber security threats.2,3,4 In 2016 the cyber security risk picture has worsened, with “spear phishing” and ransomware becoming the new normal.
Examples of spear phishing attacks are emails that either contain a notice of some kind (fake, of course) with a link to a web page or an attachment containing a malicious payload. For example, the fake Australia Post emails/alerts which have been well publicised, and also fake Telstra accounts. In July 2015 Telstra warned:
“These emails look very authentic, often including logos and slogans, to trick you into opening them. They often contain a link or an attachment, which is designed to entice you into clicking on it.”5
Ransomware attacks are increasing as well. The importance of cyber security to directors is highlighted in a sobering article titled “Defence Mechanism” by Domini Stuart in the July 2016 issue6 of Company Director magazine published by the Australian Institute of Company Directors (AICD). Stuart warns company directors that “Cybercrime is now one of the risks every board must manage,” further quoting Leon Fouche, national leader cybersecurity and partner at BDO to make the point: “There hasn’t been a test case in Australia yet but the general view is that, in the future, directors who have failed to take appropriate steps to ensure that sensitive information is properly secured could be held personally liable.” This quote sounds very like the requirement from Australian Privacy Principle (APP) 11: APP 11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
a. from misuse, interference and loss; and
b. from unauthorised access, modification or disclosure
“Cyber security is a business imperative that requires executive and board level ongoing involvement” 5
The Telstra Cyber Security Report 2016 7 highlights that organisations surveyed reported a more than doubling of security breaches experienced in 2015 compared with 2014. The Telstra report also states that ransomware and phishing emails threats are continuing to rise in Australia and that cyber criminals are using more sophisticated methods and tools than ever before. This is also confirmed by other cyber security organisations in many of their reports published this year. Michael Khoury, partner at Ferrier Hodgson, explains reasons the risk/reward paradigm is at work here:
“Many organised crime gangs have recognised that the risk/reward equation for cybercrime is generally much more in their favour than, say, robbing a bank or another form of extortion,” says Khoury. “To sweeten the pot, cyber criminals can ‘telecommute’ to their targets, handily avoiding local law enforcement efforts to track them down. And, even if they do get caught, cyber crimes can be difficult to prove and the punishments relatively benign.”8
So no one should be surprised that the cyber extortion we call ransomware is doubling every year. Simply put, it is enormously profitable, ransom payments are now being demanded in Bitcoin digital currency making payments difficult to trace, and the risk of getting caught by local law enforcement is very low. The highwayman/bushranger from yesteryear has evolved into a modern-day cyber extortionist. Mitigating cyber risks.
Mitigating Cyber Risks
So, what can medical practice owners, managers and staff do to protect the business and the data? Please, please act on the tips and guidelines below. Security vendor Trend Micro advises that organisations require four layers of security to minimise risk.9
- Email and web protection to “block ransomware before it ever gets to your users, at the email and web gateway and on Office 365”.
- Endpoint protection to “catch ransomware at the endpoint before you’re forced to pay to recover your
data”. - Network protection to “detect and block ransomware on your network”.
- Server protection to “stop ransomware from getting to your servers where your most valuable data lies”.
In my own experience in performing IT audits and reports in 2016, it is of great concern finding medical practice owners and managers still not really understanding cyber security risks:
• fileservers and PCs that are missing security patches
• systems that have very poor or even no malware
protection
• no web gateway security
• untrained users who have clicked on unsolicited and
obvious fake emails
• poorly configured systems for high availability and rapid disaster recovery
• no off-site backups
• non-compliant systems such as Windows XP and
Windows Server 2003 still in use, etc.
One would think that healthcare professionals who understand biological infection controls would really understand cyber infections and controls better than the average person. More to come…
Telstra’s tips to avoid phishing scams:10
• Beware of unsolicited requests for sensitive information. Don’t click on embedded links in emails or sites you don’t know or trust.
• Never respond to a request for personal information in an unexpected email or pop-up.
• If in doubt, always contact the company that claims to be the sender of the email using its official contact details.
• Make sure all your devices are protected with regular updated anti-virus software.
• Use a spam filter to help block unsolicited and unwanted email.
• If a phishing email contains a Telstra account number, check that the number corresponds with the account number on your previous bill.
FBI tips for dealing with the ransomware threat:11
While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.
Prevention efforts
• Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
• Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
• Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
• Manage the use of privileged accounts — no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
• Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
• Disable macro scripts from office files transmitted over email.
• Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business continuity efforts
• Back up data regularly and verify the integrity of those backups regularly.
• Secure your backups. Make sure they aren’t connected
References
- http://en.wikiquote.org/wiki/Thomas_Jefferson#Attributed,
accessed July 2016, my 2016 Update - Practice IT Security 2013, Part 1, Practice Manager 2013(2):8
- IT Security 2013, Part 2, Practice Manager 2013(3):16
- Practice IT Security 2014 Update, Practice Manager 2014(3): 26
- http://exchange.telstra.com.au/2015/07/24/phishing-email-alertre-fake-telstra-bills/, accessed July 2016
- Domini Stuart, Defence Mechanism, Company Director, July
2016, pp.40-45 - Telstra Cyber Security Report 2016, http://exchange.telstra.com.
au/2016/02/23/telstra-cyber-security-report-2016/, accessed
July 2016 - Op cit, Domini Stuart, p.42
- http://www.trendmicro.com.au/security-intelligence/enterpriseransomware, accessed July 2016
- http://exchange.telstra.com.au/2015/07/24/phishing-email-alertre-fake-telstra-bills/, accessed July 2016
- https://www.fbi.gov/news/stories/2016/april/incidents-ofransomware-on-the-rise/incidents-of-ransomware-on-the-rise, accessed July 2016