Lose weight, exercise more, and eat your fruits and vegetables. Words of wisdom frequently heard in doctors' offices. They are simple, proactive measures that most of us can take to lead healthier lives and prevent many health-related issues. Being proactive also makes a huge difference in the health of your IT infrastructure and information systems.
It seems ransomware attacks are making the headlines every week. The health care industry, unfortunately, is one of the top targets for cyber criminals. In a study by Bitglass, cyber-attacks increased by over 55% in 2020, with an estimated impact to the protected health information (PHI) of some 26 million people in the United States. Attacks on healthcare providers have turned into a $13.2 billion industry, and the average cost of a breach has risen to $499 per record.
There are several reasons hackers focus on healthcare providers. Medical records contain a tremendous amount of personal information. A ransomware attack causes serious disruption by denying you access to patient information and can cause serious delays in providing proper patient care. An attack can also lock down computer-driven health care devices, rendering them useless. In addition, there are serious penalties and fines for exposing that confidential data. Faced with these circumstances, the quickest remedy is to pay the ransom, which is exactly what the cybercriminals want.
Much like eating fruits and vegetables, adopting healthy practices around your technology infrastructure is the most effective way you can prevent an attack and, should one occur, limit the damage.
Here are some ways you can start creating healthy IT habits. Let us start with the most basic and go from there. It is amazing that some of these need to be listed but, sadly, we still see practices that are not using the most basic protection.
Here are the things you should check:
Passwords should be required on every device that logs into your network, including phones. They should contain at least 8 characters and use a mixture of upper- and lower-case letters, numbers, and symbols. You should require password changes every 3 months at a minimum.
- Example of a bad password: Password21
- Example of a good password: %Tve@l0Bx!
If you have trouble keeping track of your passwords, use a Password Manager program to help you. If you are serious about security, you should be using multi-factor authentication (MFA) to log into critical programs or infrastructure.
Anti-virus and anti-malware software should be installed, enabled, and set to update automatically. Free AV software is better than nothing, but the old saying "you get what you pay for" has stuck around for a reason.
Those annoying, “please do not shut down your computer” notices contain valuable security patches. Set them to automatically download and install. Restart your computer as soon as the update is available. If your computer is too old to receive any updates, upgrade it at once. It is highly vulnerable to attack.
You should have a firewall. Most likely you do but is it doing the job? Firewalls come in many different varieties. There are major differences in how effective they are at stopping intruders from entering your network. If your firewall is older or you purchased it because it was cheaper than the others, you are probably at risk.
Most security breaches are still caused by human error while working with email. Falling for a phishing scheme or clicking on a bad link is the cause of most successful hacks. Making sure your users are trained to identify and avoid these traps is key to your cyber defense. Following up with testing to see who needs more training is a smart move as well.
Remove former users from Active Directory and old devices from the network. These pose a significant security risk. It is not uncommon for us to find former employees with active log-in credentials or devices on the network that no one uses. An oversight of this kind is often what gives an attacker a way in.
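One way to find the accounts and devices this item warns about, as an added example that is not part of the original post: a PowerShell script that reports enabled Active Directory users and computers with no logon in the last 90 days so they can be reviewed and disabled. The 90-day threshold, the report path and the ActiveDirectory (RSAT) module being available are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is
# installed and the caller can read accounts and disable them after review.
Import-Module ActiveDirectory

$inactiveFor = New-TimeSpan -Days 90                 # assumed threshold; match your policy
$reportPath  = "C:\Reports\stale-ad-accounts.csv"    # assumed output location

# Enabled user accounts that have not logged on within the window (former staff, forgotten service accounts)
$staleUsers = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Description |
    Select-Object @{n='Type';e={'User'}},
                  @{n='Account';e={$_.SamAccountName}},
                  LastLogonDate,
                  @{n='Info';e={$_.Description}}

# Enabled computer objects with no logon in the window (old devices still joined to the domain)
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -ComputersOnly |
    Where-Object { $_.Enabled } |
    Get-ADComputer -Properties LastLogonDate, OperatingSystem |
    Select-Object @{n='Type';e={'Computer'}},
                  @{n='Account';e={$_.Name}},
                  LastLogonDate,
                  @{n='Info';e={$_.OperatingSystem}}

# One report, oldest logon first, for a human to review before anything is changed
@($staleUsers) + @($staleComputers) |
    Sort-Object LastLogonDate |
    Export-Csv -Path $reportPath -NoTypeInformation

"{0} stale user account(s) and {1} stale computer(s) written to {2}" -f
    @($staleUsers).Count, @($staleComputers).Count, $reportPath

# Disable rather than delete: disabling is reversible and keeps the audit trail.
# Remove -WhatIf only after the report has been reviewed.
$staleUsers | ForEach-Object { Disable-ADAccount -Identity $_.Account -WhatIf }
```

Run the review step on a schedule (monthly is a common choice) so that the list stays short and leavers are caught before their credentials become an opening.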
DNS filtering protects you by blocking access to compromised, spam-based, and malicious websites. It can also free up network resources and bandwidth (and increase office productivity) by blocking visits to sites like Spotify, YouTube, and ESPN, among others.
Best practices say you should back up your data both locally and in the cloud. There should be multiple versions in case one gets infected or locked. Also, make sure you test your backup recovery at least once per quarter. Finding out your backup is useless when your practice is relying on it is worse than not having a backup at all.
With so many devices capable of logging onto your network it makes sense to keep them separated. Visitors and vendors go on a restricted guest network while employees work within the business network. This prevents outside forces from infecting your network.
This suite of products and services combines advanced security tools using artificial intelligence, machine learning, analytics, and a staff of security experts to predict, identify, and prevent attacks that your typical virus protection would miss. It also analyzes end-user and network data patterns to spot suspicious changes in activity or data traffic sooner and halt the damage before it can spread.
The Dark Web is where all that stolen data and PHI goes on the market. Passwords, emails, personal information, and more are up for sale. By continuously monitoring the Dark Web for personal information, you can take action to protect yourself before criminals can gain access to your data or steal your identity.
Having your files encrypted in a ransom attack is bad. Using encryption to prevent others from gaining access to the data on your files is good! You can employ different levels of encryption from data at rest to end-to-end encryption. Choosing the right level for you depends on many factors.
When all else fails, cyber insurance will help offset the costs associated with a ransomware attack or penalties for not protecting PHI. Don't assume that your general liability insurance will cover these claims; it usually does not. There are also several types of protection to choose from. You may not need copyright infringement protection but may want social media coverage. It is best to consult with a cyber insurance expert.
Those are some of the ways you can protect your practice and yourself from being a victim of a cyber-attack. So, how did you do?
Hopefully, you are already utilizing many of these security measures. But please remember, your best defense is only as good as your weakest link. Keeping criminals out 99% of the time is statistically great but it only takes one time to bring your practice to a halt.
As the preferred IT provider of the Greater Louisville Medical Society, we offer a complimentary security assessment to all members. We will give you a detailed report of where you are most vulnerable in your defense. For more information on the assessment, please call 502-584-2383 or visit us HERE!