Cyberthreat Protection: Beyond Firewalls and Filters
In late 2022, the U.S. Department of Health and Human Services warned of a growing ransomware threat that might impact the dental community, pointing to new ransomware operators that aggressively target the healthcare sector with increasingly sophisticated methods. In addition, according to a recent Health-ISAC and Booz Allen Hamilton report, ransomware remains at the top of healthcare cyberthreats, followed by phishing and spear-phishing attacks, third-party or partner breaches, data breaches, and insider threats.
In a world of ever-increasing attacks, how can your business stay ahead of the cyberthreat curve?
Expect an Attack
“The first thing to understand is that a cyber-attack will happen at some point,” notes Jon Northway, co-founder and Senior Technology Consultant at Integrity Systems & Solutions. “You can try to mitigate the inevitable. Let’s say you get hit with ransomware. If that happens — when that happens — your backup and security should be there to allow you to get back up and running faster than if you had to pay a ransom.”
Part of the issue is that the attack surface, meaning the set of paths an attacker can use to reach your systems and staff, has grown steadily larger over time, so you don’t always know where an attack will come from.
The assumption tends to be that incursions hit most victims through email or text.
“It isn’t all electronic,” explains Eric Adams, Information Technology Operations Manager at Integrity. “We recently got a call from a company claiming to be QuickBooks Intuit, telling us our credit card wasn’t working. I know that we have no expiring subscriptions, but someone else might have taken the interaction and offered up a credit card number. Vigilance is critical.
“Having the right technology infrastructure in place, such as encrypted backups, encrypted email, appropriate firewall devices, web filtering, and other related protections makes a difference,” he continues. “But awareness and training are as important as any technology you have in place.”
Best Protection Practices
In terms of proactive protection, there is a range of steps you can take. While they are not complex, putting them in place can help mitigate risk and worry. While we don’t have enough space for a comprehensive list, these are some common steps that you and your staff can take to help your practice keep hackers outside the gates.
Implement strong passwords and multifactor authentication:
- Use complex passwords with a combination of letters, numbers, and symbols.
- Avoid reusing passwords across different accounts.
- Enable multifactor authentication whenever possible for an added layer of security.
Stay vigilant against phishing attempts:
- Be cautious when clicking on links or opening email attachments, especially from unknown or suspicious sources.
- Verify the authenticity of emails by checking the sender's email address and looking for any red flags, such as misspellings or unusual requests.
- Avoid providing personal or sensitive information through email or unfamiliar websites.
Regularly update software and systems:
- Keep operating systems, applications, and antivirus software up to date with the latest security patches.
- Enable automatic updates whenever possible to ensure timely protection against known vulnerabilities.
Exercise caution with personal devices:
- Avoid using personal devices for work-related tasks, especially when accessing sensitive patient data or practice systems.
- If personal devices are used, ensure they are protected with strong passwords, encryption, and up-to-date security software.
Be mindful of public Wi-Fi networks:
- Avoid connecting to unsecured public Wi-Fi networks, as they can be vulnerable to eavesdropping and data theft.
- Use a virtual private network (VPN) when accessing the practice network remotely to encrypt data transmission.
Regularly back up data:
- Perform regular backups of important practice and patient data to secure locations, both on-site and off-site.
- Test data restoration processes periodically to ensure backups are reliable.
Be cautious with personal information:
- Avoid sharing personal or practice-related information on social media or other public platforms.
- Use privacy settings to restrict access to personal profiles and limit the visibility of personal information.
Educate and train staff:
- Provide comprehensive cybersecurity training to all practice employees, emphasizing the risks associated with phishing, ransomware, and other scams.
- Foster a culture of security awareness and encourage employees to report any suspicious activities or potential security breaches.
Implement network security measures:
- Use firewalls, intrusion detection systems, and antivirus software to protect the practice network from unauthorized access and malware.
- Regularly update and patch network devices, such as routers and switches, to address any known vulnerabilities.
Develop an incident response plan:
- Establish a clear plan to respond to and recover from cybersecurity incidents promptly.
- Define roles and responsibilities, and regularly test the plan through tabletop exercises or simulations.
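The backup item above says to test restoration periodically, and the ransomware scenario at the top of the article is exactly where an untested backup fails. The script below is an added example, not code from the article or from Integrity Systems & Solutions: it records a SHA-256 manifest of a backup set, performs a restore into a scratch directory, and reports any file that is missing, corrupt, or unexpected. The sample files are constructed placeholders, and the plain directory copy stands in for a real backup tool's restore step (an assumption; swap in your own tool's restore command).

```python
"""Backup restore drill: hash the backup set, restore it, verify every file.

Added example for the "Regularly back up data" practice; not the article's
own code. Sample data and the copy-based "restore" are constructed
placeholders for a real backup tool's restore step (assumption).
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore is complete and intact."""
    problems: list[str] = []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupt: {rel}")
    # Files present after restore that were never in the backup deserve a look too.
    restored_files = {
        p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()
    }
    for extra in sorted(restored_files - manifest.keys()):
        problems.append(f"unexpected: {extra}")
    return problems


def run_restore_drill(tamper: bool = False) -> list[str]:
    """Run the whole drill on constructed sample data.

    tamper=True simulates a bad restore (one file truncated, one missing) so the
    check can be seen catching a failure rather than only passing.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "practice_data"          # constructed sample backup set
        (source / "records").mkdir(parents=True)
        (source / "records" / "schedule.csv").write_text("2024-01-02,cleaning\n")
        (source / "records" / "notes.txt").write_text("constructed sample note\n")
        manifest = build_manifest(source)

        # Stand-in for the real backup tool's restore command (assumption).
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        if tamper:
            (restored / "records" / "notes.txt").write_text("truncated")
            (restored / "records" / "schedule.csv").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for flag in (False, True):
        label = "tampered restore" if flag else "clean restore"
        print(label, "->", run_restore_drill(tamper=flag) or "OK")
```

Store the manifest somewhere the backup itself cannot overwrite, and schedule the drill so that a quiet failure (a backup job that silently stopped copying a folder months ago) shows up as a "missing" line long before you need the restore for real.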
Technology is Just Half the Security Equation
“Integrity supplies the technology you need to protect your practice from hackers,” Adams says. “But, as a good vendor partner, we also want to offer guidance that tells you what you’re up against and how to keep a lid on human error. If you decide to undertake training, we want to help you develop the right education and program for your staff.”