Sponsored by ChiroTouch
Steps to safeguard your practice and prevent hackers from holding your data for ransom.
The reality is sobering: Hackers are stealing and holding data for ransom in ever-increasing numbers.1 And small healthcare practices are some of their favorite targets because, unlike hospitals and other major healthcare facilities equipped with advanced cybersecurity technology, many lack sophistication and the proper tools.
In the newest form of attack, cybercriminals can lock your computer and threaten to delete all of your data unless you send digital currency (e.g., Bitcoins) to an anonymous address—usually with a time limit of 24 to 72 hours. Enough victims pay the ransom to make this type of crime tempting and lucrative.
But there are actions that you can take immediately to protect both your practice and your patients.
Get behind a firewall
One of the first things a hacker will look for is open ports to your network. Without a firewall, you are exposed to the internet and an easy target for the savvy attacker. Locking down ports with a properly configured firewall can help prevent your network from exploitation.
Without strong password protection, attackers working remotely may be able to log in to your router and change the settings of your router and firewall.
They can then re-route your internet traffic through their own proxy server or an alternate DNS address, leaving you vulnerable. If you have used the same password for other accounts, the remote attacker can now attempt to log into them as well.
First lines of defense
In a white paper published by security provider Tripwire, it was stated that nearly 30 percent of IT professionals do not change the default password on their wireless router.2 Your firewall is your first line of defense for your network. Change the password to a strong one.
Disable remote management software settings so that attempts to log on to the router from the internet will be refused.
Set your network router or firewall so that it does not respond to network pings. Typically, the option to block network pings can be configured on the administration menu of a firewall or router.
And consider blacklisting known and suspected malicious sources. You can find lists published online.3
Use powerful passwords
In a study by BitDefender, it was discovered that up to 75 percent of people use the same password for their email and Facebook accounts.4 Using the same password for multiple accounts can provide hackers access to not only your computers but potentially your email, bank accounts, online shopping sites, social media sites, and more.
Having a unique password for each user and application can limit the scope of a potential breach by only exposing that one user or online account.
- Use unique passwords for each account.
- Avoid using common terms or words from the dictionary.
- Use passwords that contain a mixture of upper and lowercase characters, numeric digits (0–9), and non-alphanumeric special characters, e.g., !, $, #, and %.
Additional tips for creating secure passwords can be found online and these are well worth your attention.5
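As an added illustration (not from the original article), the Python below applies the three rules above to a candidate password and flags any password reused across accounts; the small word list and the sample accounts are constructed for the example, and a real check would load a full dictionary file instead.

```python
"""Password checks following the three rules above plus a reuse check.

Added example, not from the original article. COMMON_WORDS and
SAMPLE_ACCOUNTS are constructed for illustration only.
"""
from __future__ import annotations
import string

# Constructed stand-in for a dictionary word list.
COMMON_WORDS = {"password", "welcome", "chiro", "practice", "admin", "letmein"}
SPECIALS = set(string.punctuation)  # includes ! $ # % as in the rule above

# Constructed sample: which password each account uses (plaintext only for
# the demo; in practice compare entries from a password manager export).
SAMPLE_ACCOUNTS = {
    "email": "Welcome2016!",
    "facebook": "Welcome2016!",
    "bank": "x9#Qr7!mLp2Z",
}


def policy_problems(password: str, min_length: int = 12) -> list[str]:
    """Return the rules a password violates; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Dictionary rule: split the password into alphabetic runs
    # ("Welcome2016!" -> "welcome") and look each run up in the list.
    letters_only = "".join(c if c.isalpha() else " " for c in password.lower())
    for word in letters_only.split():
        if word in COMMON_WORDS:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Unique-per-account rule: map each shared password to the accounts using it."""
    by_password: dict[str, list[str]] = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    for label, pw in SAMPLE_ACCOUNTS.items():
        print(label, policy_problems(pw) or "ok")
    print("reused:", reused_passwords(SAMPLE_ACCOUNTS))
```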
Manage access to your resources
Not every employee needs complete access to your business resources.
Remove administrator privileges from users who don’t need them. This procedure varies depending on the version of Windows or Macintosh operating system you’re using, but is fairly straightforward and instructions are available online.
Over time, employees come and go. When an employee leaves your practice, it is important to remove their access to your computer systems as well.
- In Windows, disable their user account or, if it is shared, at least change the password.
- Change the password for any online resources the former employee accessed.
- Periodically audit the users who have access to systems and remove any for whom access is unnecessary.
Train your staff
Even if you have the best security money can buy, you are still vulnerable to “social engineering” tactics. In 2015, Rogers Communications was breached by a remote attacker pretending to be from the company’s IT department.6 Social engineering can circumvent both cyber and physical security measures, allowing a hacker access to login information, encrypted files, and secure facilities.
- Train staff on cybersecurity best practices and to be wary of phone calls that request computer information.
- Help staff defend against social engineering by teaching them to never disclose their login and password information, regardless of the person requesting it, without your permission.
- Train staff on how to recognize phishing (phony) emails.
Use spam filters
Using an email filter will help in canceling out all of the noise in your inbox. Filters make it easier to spot emails that do not belong and help you avoid opening a patently malicious email.7
If you use Microsoft Outlook, you can also take advantage of the Rules Wizard. This wizard allows you to filter out unwanted email messages:
- Navigate to the Tools menu.
- Select “Rules Wizard.”
- Click “New.”
- The wizard offers a number of customization options. These allow you to automatically delete or move selected incoming emails to your Junk or Trash folder.
Using a web filter restricts which websites a user can visit, and can protect against malware, too, as the filters block access to sites that commonly host dangerous software.
Keep your chiropractic software applications up to date
More than 90 percent of software updates are security vulnerability fixes, making the installation of chiropractic software updates one of the most important things you can do. Scan for and update out-of-date programs. Some programs have a menu item that checks for updates, and there are free software tools that can scan your entire system for you.8
Use antivirus protection
As far as network security is concerned, antivirus software is your last line of defense. If you don’t scan for viruses on every computer, they can go unchecked. Things such as trojans, botnets, rootkits, rogue security software, ransomware, key loggers, and all types of malicious software can be detected and removed—but only if you make attempts to find and destroy them.
Prepare for the worst
Because hard drives crash, ransomware is a threat, and natural disasters and accidental deletion of data can take your business down, disaster planning is a must.
- Begin by ensuring you have an up-to-date offsite backup that is a full disk-image backup, not just your files. With a disk-image on hand, you can restore your system quickly with a few clicks.
- Take an inventory of your hardware, software, and service providers, and write down key information.
- Ask yourself: if there were a total loss at the office, what would it take to get you back up and running?
- Keep a copy of your plan offsite and review it periodically to be sure it is updated.
As a licensed healthcare practitioner, you are expected to take reasonable actions to safeguard patient data. Many small healthcare practices are virtually unprotected, running outdated operating systems, and believing they’re too small to be a target. The truth is, these factors make them the perfect target.
The time to act is now.
Themos Pentakalos, PhD, is the chief operating officer of ChiroTouch, in charge of software development and customer support operations. He has held leadership positions in companies such as Toyota, Gateway, Sun Microsystems, and several others. He has also worked with the U.S. government and consulted for the White House and the House of Representatives. He can be contacted through chirotouch.com.
ChiroTouch is the premier provider of certified 2014 Edition Complete EHR chiropractic software technology solutions including ChiroTouch Complete Practice Software and SmartCloud Chiropractic EHR Software. With industry-leading support, training, and compliance expertise, we partner with practices of every type to help them easily automate operations, improve patient care, and increase profitability. Request a demo today.
1 Peterson A. “2015 is already the year of the health-care hack—and it’s only going to get worse.” Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/. Published Mar. 2015. Accessed Aug. 2016.
2 “SOHO Wireless Router (In)security.” Tripwire VERT Research. https://www.tripwire.com/register/soho-wireless-router-insecurity/showMeta/2. Published Sept. 2014. Accessed Sept. 2016.
3 “Blocklists of Suspected Malicious IPs and URLs.” Lenny Zeltser. https://zeltser.com/malicious-ip-blocklists. Updated Aug. 2016. Accessed Sept. 2016.
4 “Study Reveals 75 Percent of Individuals Use Same Password for Social Networking and Email.” Security Week. http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email. Published Aug. 2010. Accessed Sept. 2016.
5 Siciliano R. “15 Tips To Better Password Security.” McAfee Blog Central. https://blogs.mcafee.com/consumer/15-tips-to-better-password-security. Published June 2016. Accessed Sept. 2016.
6 Mai D. “Breach Report: Rogers Communications, NEXTEP, and Mandarin Oriental.” Observe IT. http://www.observeit.com/blog/breach-report-rogers-communications-nextep-and-mandarin-oriental. Published Mar. 2016. Accessed Sept. 2016.
7 Dachis A. “How to Wipe Out Spam Email in Your Inbox.” Lifehacker. http://lifehacker.com/5713914/how-to-wipe-out-spam-email-in-your-inbox. Published Dec. 2015. Accessed Sept. 2016.
8 “Stay secure by updating insecure programs on your computer.” Flexera Software. http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector. Updated Sept. 2016. Accessed Sept. 2016.