Identity theft is increasing on a global scale, with financial information and client records considered foundational data for the cyber criminals who engage in this practice, whether for direct financial gain or for use in fraudulent transactions. The usual pattern is that harvested data is used to open other accounts (bank, email or other) or to take over existing accounts by changing the passwords so that the legitimate owner can no longer log in.
Small to medium enterprises obviously store both financial and health information and are prime targets for hackers. In August 2014. These criminals do not care about your business information but focus on your personal details, such as date of birth and address, using them to apply for services or credit.
Australia has had its fair share of data breaches. In 2012, ransomware (software that locks down a computer until a ‘ransom’ is paid using an untraceable digital currency such as Bitcoin) was used to compromise the operations of a Gold Coast medical centre.
Luckily, with a little knowledge and some forward planning, you can protect your medical practice from most of these data breaches. I say most, as even large enterprises are successfully breached by highly skilled hackers on occasion, and few servers can continue operating if thousands of hackers launch a simultaneous attack.
The first logical step is to identify all possible weaknesses in your IT infrastructure. Small or medium sized medical businesses are no different from companies in other industries in this respect, even though the data they store is often more valuable, or simply more concentrated. All companies store their data in some or all of the following locations:
- Local networks and workstations that may or may not include a server
- Wireless networks – use of strict security protocols with passwords is essential as the entire network is compromised if unsecured
- Portable devices such as mobiles, tablets and laptops. Best practice is to have a policy in place for remote wiping of data in case of loss or theft. An even better practice is to store data remotely and never on a portable device, providing secure remote access only to authorised devices.
- Physical storage – anything that is used to store paper-based documentation, such as filing cabinets
- The cloud – use of a reputable cloud service provider will ensure that encryption is standard. For maximum protection, the cloud provider should be certified to the highest security standards and have experience of the health industry.
- Employee devices – should only be allowed if a defined bring your own device (BYOD) policy that protects your business is in place
Evaluating the security of the entire IT and business structure is a task for professionals with specific skills in penetration testing, or ethical hacking as it is more commonly known. These experts think like hackers and can readily identify potential issues, including possible lapses in physical security procedures.
This can include rubbish disposal as valuable information is often obtained by hackers from the company’s recycling bins and even from landfills. This makes crosscut shredding and secure disposal of documents a necessity for any medical practice.
Shoulder surfing is another technique that can compromise data and simply involves visitors looking over the shoulder of staff members as they work on medical records. Staff awareness and training is the only real prevention for this.
It is fair to say that your staff can unwittingly cause data breaches, as hackers use many avenues of attack to gain access to your network. Consequently, it is very important that you and your staff are aware of the methods that hackers use to harvest data illegally. I cannot emphasise enough the importance of staff training in this area.
The most common methods of hacker attack are:
- By email – Staff members must never open an attached document from an unknown sender, as the attachment is likely to be a virus that will grab, destroy or otherwise compromise business data
- On the internet – Many companies keep a white list of trusted websites and block access to all others. This may not be practical for every business, but staff should only interact with trusted sites and never download files to work-related devices
- Social media – be careful what you post online, as hackers use this information to guess passwords or work habits
- Software exploits and vulnerabilities – your IT staff or service provider must be diligent in applying security updates and patches as soon as they are available. Hackers will take advantage of any delays in this area. Companies that still use Windows XP are common targets since Microsoft has ended support
- Security questions – if hackers cannot obtain the password itself, they will try to guess the answers to the account's security questions. When successful, the current password is changed and the legitimate user can no longer access the account.
- Burglary – breaking into the actual premises provides direct access to the IT network
- Cameras – most smartphones and portable devices include a camera as a standard feature
- Rubbish – mentioned earlier but worth mentioning again. Use crosscut shredders or incinerators when disposing of documents
- Portable devices – when lost or stolen, company information is compromised if stored on the actual device
- Old hardware – data recovery is possible from hard drives, memory sticks and other storage devices. Ensure secure destruction and never donate or resell computers with hard drives or other storage media intact. Industry professionals recommend total destruction of older hard drives with a metal spike or a degausser (which removes the magnetic field, and therefore the data, from a hard drive). Alternatively, use an incinerator or retain a company that specialises in data destruction.
Companies that take their security seriously and employ the tips outlined above can considerably reduce their chances of a data breach, making the hackers' goals much more difficult to achieve. In fact, they will more than likely move on to an easier target.
Security diligence is essential, considering the ongoing rise in cybercrime. Carry out regular security checks on an ongoing basis; intermittent checks will not suffice, as new threats appear on a daily basis. This approach, and due diligence on your part, protects your medical data despite the best efforts of those seeking to extract it.
Rob Khamas is an eHealth & technology solutions strategist with REND Tech Associates.