Your sensitive information is more accessible than you think
By Phill Feltham
Your clinic is not immune to data breaches—cyber or physical. Practitioners store patients’ health and financial information on their networks, and criminals want to steal that information for identity theft or credit card fraud, which costs the patient dearly. It costs the practitioner too: a breach damages your reputation and increases your operating costs.
The doctor-patient relationship is based on trust. As a practitioner, it is your duty to help your patients, as well as to protect their sensitive data.
CYBER ATTACKS
In March 2016, the Ottawa Hospital confirmed that four of its computers had been infected with ransomware.
Kate Eggins, a spokeswoman for the hospital, says that the malware locked down the files. The hospital wiped its drives clean and said that no patient information was compromised in the attack. Ransomware is one type of cyberattack that is on the rise.
David Greenham, senior manager of the Richter Advisory Group in Toronto, defines a ransomware attack as “a type of malicious software that prevents or limits users from accessing their system, often by encrypting files on the system.” The malware usually reaches the victim’s PC when the user visits a malicious or compromised website or opens a phishing attachment.
“This type of malware forces its victims to pay a ransom through certain online payment methods in order to be granted access to their systems, or to get their data back,” he says. “This type of attack is not industry-specific, and the main goal of the attacker is monetary gain.”
PROTECTION
In order for a practitioner to fully protect his or her clinic, it is important to understand the different attack patterns and how they can damage operations. Raymond Vankrimpen, a partner at Richter Advisory Group, citing Verizon’s 2015 Data Breach Investigations Report (DBIR), says that 88 per cent of existing cyberattacks impacting practitioners fall into three attack patterns: denial-of-service (DoS), crimeware and point-of-sale (POS) intrusions. Vankrimpen recommends the following solutions for each type of attack.
Denial-of-Service: Botnets are used to compromise network and system availability. Hacktivists (hacker/activists) attack to prove a point. Organized crime groups and other criminals attack companies to demand ransom or to cover their tracks on other hacking attempts. Ransomware is grouped with DoS here because it, too, denies users access to their own systems and data.
SOLUTION: Since many DoS attacks exploit operating system vulnerabilities, patch servers promptly. Deploy or subscribe to an anti-DoS service; network segmentation alone does not absorb a flood of traffic aimed at your Internet connection. Additionally, deploy a defense-in-depth architecture, which segregates servers behind firewalls on different network segments. Servers containing critical data are then protected by multiple firewalls deep within the network and are not directly reachable from the Internet.
Crimeware: Crimeware is malware designed to commit illegal activity such as data theft or extortion for financial gain. Ransomware such as CryptoLocker is one example. It is often delivered through social engineering attacks such as phishing.
SOLUTION: Ensure regular and frequent updating or patching of anti-virus software, operating systems, and browsers. Enable two-factor authentication on critical systems. Malware commonly steals passwords and login credentials; with two-factor authentication a stolen password alone is not enough to log in, which breaks the attack chain. Follow a solid change management process: any change to your systems should be planned and authorized. Monitoring your systems for unplanned changes, such as new programs or altered configuration files, can help to identify whether crimeware has been installed.
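The monitoring step above can be done without a commercial product: record a hash of every file on a system after an authorized change, then compare the system against that record later. The script below is an added example, not code from the article or from Richter Advisory Group. It builds a small constructed directory (the file names and contents are hypothetical), saves a baseline as JSON the way a change record would, then simulates an unplanned change and reports what was added, removed or modified.

```python
"""Hash-baseline check for unplanned file changes (added example, not from the article)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def detect_changes(root: Path, approved: dict) -> dict:
    """Compare the directory against an approved baseline and report what differs."""
    current = baseline(root)
    return {
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
        "modified": sorted(
            name for name, digest in approved.items()
            if name in current and current[name] != digest
        ),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline after an authorized install, then simulate
    an unplanned change (a new executable appears and a config file is altered)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "clinic-app.exe").write_bytes(b"legitimate program")  # hypothetical file
        (root / "app.conf").write_text("server=records.clinic.example\n")  # hypothetical config

        # The baseline would normally be stored off the machine, with the change record.
        approved_json = json.dumps(baseline(root), indent=2)

        # Unplanned changes, as crimeware might make them.
        (root / "bin" / "update.exe").write_bytes(b"dropped by malware")
        (root / "app.conf").write_text("server=attacker.example\n")

        return detect_changes(root, json.loads(approved_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a real system by pointing `baseline()` at the directories that should only change through approved work (program directories, configuration), storing the JSON somewhere the machine cannot overwrite, and re-running `detect_changes()` on a schedule; any entry under "added" or "modified" that does not match a change record is worth investigating.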
Point-of-Sale Breaches: Cyberattackers penetrate systems remotely to obtain credit card and customer information, which can be used for false transactions or identity theft.
SOLUTION: Restrict remote access by tightly controlling who can reach POS systems (for example, third-party support companies), and train staff to recognize questionable attempts to access in-clinic POS systems.
In addition, change the default settings, especially default passwords, on wireless networks, touch terminals, desktop servers, card readers and signature capture devices, anything that connects to or services the POS system. Also, prohibit employees from browsing the Internet on POS systems.
PHYSICAL LOSS
Cyberattacks are only one type of data breach. Unfortunately, the biggest cause of data breaches for clinics, according to the Verizon 2015 DBIR, is physical theft or loss, including laptops, flash drives, and paper documents.
SOLUTION: Encrypt sensitive data. Encryption adds a layer of protection if a device holding data is stolen: without the key, the data on it is useless to the thief. Full-disk encryption is built into current versions of Windows and macOS and is the simplest option for laptops; keep the recovery key somewhere other than on the device. Secure all mobile assets, and store sensitive information accordingly (lock devices and paper documents in a secure area where access is limited).
Also, automate backups. This removes human error and ensures data is backed up regularly. Greenham says that the method used depends upon where the data is stored. “If the data is stored on individual PCs, automated backups can easily be set up using tools provided by the operating system vendor; this process can be done in Control Panel in Windows, or using Time Machine on Mac.”
Greenham adds that practitioners can use an external hard drive so that the backup is not on the same drive as the original data. A Network-Attached Storage (NAS) device can also be used. “Servers also have the same built-in backup utilities provided as part of the operating system, but there are also other third-party backup software utilities on the market if necessary.” Whichever target is chosen, a backup that stays permanently connected can be encrypted by the same ransomware as the original, so keep at least one copy disconnected and periodically test that files can be restored from it.
INSIDER DATA THEFT/HUMAN ERROR
Insider and privilege misuse is another cause of data breaches in healthcare organizations. In this case, employees and/or business partners abuse their access rights to steal confidential information. Medical documents are highly sensitive, and extremely valuable, data that criminals can use for tax refund fraud or identity theft.
Additionally, humans make mistakes, sometimes costly ones. The Verizon 2015 DBIR says that healthcare organizations lose data through three primary errors: employees email or mail files to the wrong recipients, fail to properly dispose of documents (shredding paper and wiping hard drives), or mistakenly publish private data on public websites.
SOLUTION: The Verizon 2015 DBIR suggests knowing the details of your data, including where it is and who can access it. It also recommends monitoring user activity to pinpoint suspicious behaviour. Lastly, set up controls to monitor data transfers to prevent insider data theft.
“First, practitioners should put in place a written policy stating that confidential data such as patient records must not be sent outside of the clinic unless the transfer has been authorized,” says Greenham. “As a deterrent, the penalty for non-compliance with the policy should be stated (for example, termination of employment). The policy should be communicated to employees and incorporated into security awareness activities.”
As a preventive control, Greenham says, a clinic could employ a Data Loss Prevention (DLP) tool. “These tools detect and/or prevent sensitive data from leaving the clinic via email or other file transfer method and can also lock down the use of USB ports, restricting access to external storage devices.”
However, Greenham says that before a DLP tool can be implemented, the clinic needs to know the location of their data. “A data inventory will help to identify not only where the data is, but its relative sensitivity as well.”
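The transfer-monitoring control and the DLP tool described above both come down to the same check: does a message leaving the clinic carry a patient identifier, and was the transfer authorized? The script below is an added example, not code from the article or from any DLP product, showing that check over a handful of constructed outbound messages. The clinic domain, the addresses and the message contents are hypothetical, and the health number pattern is an assumption (ten digits written 4-3-3 with an optional two-letter version code, matched by format only); card numbers are confirmed with the Luhn check digit to reduce false positives.

```python
"""Outbound-message scan for patient identifiers (added example, not from the article)."""
import re

CLINIC_DOMAIN = "clinic.example"  # hypothetical clinic mail domain

# Payment card numbers: 13 to 16 digits, optionally separated by spaces or dashes,
# confirmed with the Luhn check digit to cut down on false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Assumed format for an Ontario health number: ten digits written 4-3-3,
# optionally followed by a two-letter version code. Pattern only; no check digit is applied.
HEALTH_RE = re.compile(r"\b\d{4}[ -]?\d{3}[ -]?\d{3}(?: ?[A-Z]{2})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Identifiers found in a message body, keyed by type."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"card_numbers": cards, "health_numbers": HEALTH_RE.findall(text)}


def is_external(address: str) -> bool:
    """True when the recipient is outside the clinic's own mail domain."""
    return address.rsplit("@", 1)[-1].lower() != CLINIC_DOMAIN


def scan(messages: list) -> list:
    """Return the messages that leave the clinic carrying identifiers without authorization."""
    flagged = []
    for msg in messages:
        if not is_external(msg["to"]) or msg.get("authorized"):
            continue
        found = find_identifiers(msg["body"])
        if found["card_numbers"] or found["health_numbers"]:
            flagged.append({"from": msg["from"], "to": msg["to"], **found})
    return flagged


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    {"from": "reception@clinic.example", "to": "billing@clinic.example",
     "body": "Patient 1234 567 890 AB needs a follow-up appointment."},
    {"from": "dr.smith@clinic.example", "to": "friend@mail.example",
     "body": "Chart copy: health no. 1234 567 890 AB, card on file 4111 1111 1111 1111."},
    {"from": "dr.smith@clinic.example", "to": "specialist@hospital.example",
     "body": "Referral for 1234 567 890 AB as discussed.", "authorized": True},
    {"from": "admin@clinic.example", "to": "vendor@supplier.example",
     "body": "Invoice attached, reference 2016-0042."},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_MESSAGES):
        print(hit)
```

Only the second message is flagged: the first stays inside the clinic, the third is an authorized referral, and the fourth contains a reference number that matches neither pattern. A real DLP product also inspects attachments and USB copies, which is why the data inventory Greenham mentions matters: the patterns to look for come from knowing which identifiers the clinic actually holds.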
The Verizon 2015 DBIR also suggests training staff on how to properly dispose of sensitive information.
POSTURE
Darace Rose, a cybersecurity expert with GMJ Consulting, a cybersecurity firm, says practitioners should pay special attention to their cybersecurity posture and ensure they have the right controls in place to protect themselves from the continuous onslaught of attacks they may experience.
“Don’t put your head in the sand and pretend the problem doesn’t exist,” he says. “The threat is real and without taking the correct steps, practitioners will find themselves in difficult situations that can be avoided.”
IMPACTS
Rose says that some companies have been devastated to the point of going out of business because of the fines and costs of responding to a breach.
“Credit card companies pass all costs associated with credit card fraud back to the business owner,” says Rose. “That means if a credit card was used to buy a service, that loss is coming back to the practitioner where the breach occurred.”
Besides large fines from credit card companies, a breach of sensitive information can do monumental damage to the practitioner’s reputation. Patients who lose trust take their business elsewhere, and the lost revenue can mount quickly.
“Also, practitioners can be hit with a large cost to hire and work with computer forensic firms to diagnose how hackers infiltrated their system, how to plug that hole and to find out what information was accessed,” says Rose. “If the hole is not plugged with a defense in depth strategy, the hackers will continually return.”
Provincial laws impose stiff legal and financial penalties on health organizations that do not properly protect patient information. Greenham says that hospitals, community centres, and pharmacies in Ontario must have a contact person designated to be responsible for Personal Health Information Protection Act (PHIPA) compliance. “This assigned individual is responsible for the proper oversight and accountability of health information privacy practices and policies,” says Greenham.
“Hospitals, community centres, and pharmacies must take reasonable precautions to ensure that personal health information is protected against theft, loss, unauthorized use or unintended disclosure. The information must also be protected against unauthorized copying, modification or disposal.”
Individuals who do not comply with PHIPA can face fines of up to $50,000, and corporations fines of up to $250,000.
OTHER SECURITY SOLUTIONS
Practitioners, Rose says, can hire skilled computer security staff, who are becoming harder to find because of high demand. “They can also work with a cybersecurity firm to build a defense-in-depth strategy.”
“The first step we undertake with any new client is to provide an assessment of the current landscape similar to a lay-of-the-land,” says Rose. “We will then build a strategy and work towards it.”
“Once this process is complete, a long-term program is required that has the right staff watching out for signs of security events and incidents on an hourly and daily basis,” continues Rose. “This is the only way to achieve security within your environment and to remain secure.”
Not all practitioners can afford expensive in-house cybersecurity solutions. In that case, Vankrimpen recommends using a managed security service provider (MSSP). MSSPs work with multiple clients and maintain a strong contingent of qualified and experienced security experts. This is beneficial, Vankrimpen says, because information shared across multiple clients helps to identify patterns of attack, allowing defensive teams to stop an attack before it propagates further.
“Cybersecurity is not a set-and-forget proposition,” adds Rose. “It takes continual effort and practitioners cannot afford to neglect this aspect of their computer operations.”