Simple, relatively cheap measures can protect you and your practice’s reputation when the inevitable occurs.
A cybersecurity expert has urged GPs to spend a little time thinking about the effects of a data breach on their ability to treat patients and keep their practice afloat.
Glenn Makowski, managing director at CommuniCloud, told delegates at the Australasian Skin Cancer Congress recently that whether they owned their practice or not, cybersecurity was their responsibility.
“It’s fascinating the number of people I talk to who think it’s never going to happen,” Mr Makowski said. “The reality is, it’s going to happen.
“At the moment [doctors] aren’t personally accountable for an outage, but if you look at what’s happening in the UK at the moment, it is very much the way that it’s going. You will be the owners of data, both individually and as a company.
“The key is to prepare, because if you eventually become accountable – and that is coming – you need to demonstrate that protections are in place.
“You’re not going to get in trouble if you have done that. If you can say that you’ve done X, Y and Z to protect against a data breach, the government is not going to be upset with you. If you have done nothing to protect your data, then you are going to be in trouble,” he said.
Securing against a data breach didn’t have to mean spending huge amounts of money, Mr Makowski said.
“Look at the Medibank breach,” he said.
“Everybody thinks Medibank is going to spend a lot of money on cybersecurity, and they do. But, at the end of the day, that breach wasn’t about cybersecurity, the actual root cause was about bad password policy.
“They hadn’t removed the [password] access from a third party that was accessing their system, and that not about money. That’s not about spending money on applications to protect people. That’s having a bad policy about how you craft passwords.
“That demonstrates that you don’t need to spend tons of money on cybersecurity to be safe.”
Protecting passwords
Mr Makowski told GPs password security was about putting aside frustration and taking a little time to put simple steps in place.
“Yes, it’s frustrating going to a new website, signing up for a new service and going through all the rules – special characters, capitals, 10 letters, 50 letters – it’s frustrating. And it is again when you come back to that website and have to remember your password. It all takes time,” he said.
“Think about the other side of it, though.
“If you pick a weak, or silly password, and at some point, a criminal gets hold of that password and uses your information to impersonate you.
“You are then looking at years of pain – they’ve used your password to gain access to loans you know nothing about, which will damage your reputation, they may have access to social media where they can damage your business brand.
“Take some time to think about the consequences of not putting in a decent password.
Keeping home system passwords separate from business passwords was also vital, he said. “If you’ve mixed home and work passwords, when the breach occurs it will effect you personally and professionally.”
Mr Makowski recommended password “vaults” such as LastPass, rather than relying on your internet browser to store different passwords.
The big threats
Artificial intelligence is becoming a huge part of how hackers are damaging businesses, said Mr Makowski.
“What’s happening in the email space is AI is sucking in all the email traffic from your practice,” he said.
“It’s learning how you speak to people and then it’s using your language and your style of working to impersonate you and get information from other people. It’s using your information to entice someone to click on the wrong thing or send the wrong information.”
Ransomware – a common and dangerous type of malware — works by locking up or encrypting your files so you can no longer access them, according to the Australian Cyber Security Centre.
“A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files.”
“I had a customer in Ireland who had a ransomware attack,” said Mr Makowski.
“What [the hackers] did was send results out to patients that weren’t right. They were telling the patient that they had cancer, when they didn’t have cancer. That’s the perfect example of what you don’t want to happen to your patients.
“In the end the organisation paid the ransom.”
Making assumptions about what protection your practice already has, is another danger. Even with a managed service provider (MSP) or IT professional in place, more can be done.
“A lot of GPs assume that the MSP or IT company is doing your security, and they are probably doing a little bit of it,” said Mr Makowski.
“They’ll tell you they’ve got a firewall up, and an antivirus in place. Unfortunately that’s not enough.
“The firewall does a pretty good job of protecting you – it is literally a circle around your organisation. The problem with that is that more and more people are working from home, more and more people are mobile, and more and more people are bringing things into the organisation. So, in a bigger picture scenario, the firewall is actually becoming less effective in protecting you.”
The attacks that come from cyber-criminals are multi-directional. You can’t just have one kind of solution in terms of the security specifically in your contract.
“You need to ask your MSP, how are you going to help me fix this. How am I going to mop this up? How am I going to get myself back up to speed? What is it you’re actually doing to protect my organisation?”
Mr Makowski listed specific question to ask your MSP:
- What specifically does your MSP do to protect you?
- Is security specifically called out in your contract?
- Challenge them to understand their offering
- How regularly do you talk strategy with them?
- How do they protect your data?
- Is your network flat?
- What is their password policy for you?
- Everything is backed up, right?
A flat network means once a hacker is inside they can move throughout the network easily and quickly.
“If you have your network subdivided into different parts, it makes it harder for them to traverse,” said Mr Makowski.
These days cyber-criminals are often inside your network for up to 200 days before they are discovered.
“During the 200 days, what they’re doing is they’re mapping your work,” he said.
“They’re looking at the trends of the day, at the busiest times because when they’re going to hit you is when they know you’re most busy. That’s because you’re going to be most likely to click on something you normally don’t because you tried to do five or six different things at the same time.”
The bottom line
Protect yourself and your business by taking the time to think about the consequences, was Mr Makowski’s bottom-line advice.
“Thing about what the asset is that you’re trying to protect, and how much it would cost you if you had no access to the asset,” he said.
“If you’ve lost business for four weeks, which is generally the typical time [it takes to recover] after a breach, how much is that going to cost your business.
“Then use that to work out how much you want to spend on protection.”
