It doesn’t take a metaphorical moat, sheer walls and cauldrons of boiling oil to keep hackers out of your patient files.
Cyber criminals prey on easy targets – and there are plenty of candidates in primary care.
Taking clinic data hostage often requires no more than tricking staff into disclosing passwords or exploiting known holes in old software programs.
Speaking at The Wild Health Summit last month, Louise Schaper, the CEO of the Health Informatics Society of Australia, listed a few basic steps GP clinics could take to protect themselves against attacks.
Together, these very simple measures would stop around 85% of intrusions, she said.
But surely most GP clinics already have these processes in place, right? Think again.
Not even all Australian defence sub-contractors had basic protections, Ms Schaper said.
This embarrassing fact was revealed in October following a hack of an Adelaide-based engineering firm, which worked on multi-billion dollar projects for the Department of Defence.
Hackers were inside the computer system for five months, gaining intel on the Joint Strike Fighter and P-8 surveillance plane programs. The attack was made possible through sloppy IT security, including the use of “admin” as the username and “guest” as the password.
The issue of cyber security was a timely one, said Ms Schaper.
By February next year, new legislation would come into force in Australia, obliging GP clinics to notify the government when a data breach had occurred and was likely to cause significant harm to a patient.
GP clinics are particularly appealing to hackers as medical records are more valuable than financial records on the black market.
Earlier this year, for instance, news broke of the illegal sale of Medicare patient details on the internet.
Fortunately, fending off cyber criminals isn’t as hard as you might think.
So, what can GP clinics do?
We’re all guilty of postponing software updates. But there’s a good reason for keeping your systems as up-to-date as possible. IT professionals call this patching.
“Software is imperfect,” explained Robert Merkel, a lecturer in software engineering at Monash University.
“All large pieces of software have bugs in them and a certain fraction of those bugs can be taken advantage of by hackers.”
Most cyber criminals did not discover their own security holes, he said.
“They exploit known technical flaws. So, they look around for a system that has not been patched and will attack that one. That’s why it is very important to keep your systems patched or up-to-date.”
BEWARE OF EMAIL LINKS
Email is still the number one way that computers get infected, according to Nick Savvides, the chief technology officer for the Pacific region at Symantec.
“It is much better to block hackers at the front door than to try to block them once they are inside the organisation,” he said.
Every staff member – from receptionists to practitioners – needed to be trained to avoid suspicious emails, he said.
It was “disturbingly easy” to hack systems using social engineering attacks, Mr Merkel said.
Hackers can easily find out who the members of a particular medical practice are and compose a plausible-looking email that purports to be from one doctor to another.
Such phishing emails can trick people into clicking on links, or even volunteering passwords.
“Being able to recognise whether an email is legitimate and being aware of the possibility that people might be trying to send you malicious emails to gain access to your IT systems is kind of important,” Mr Merkel said.
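The impersonation Mr Merkel describes leaves traces in the message headers that a mail filter can check before a person ever sees the email. As an added example (not code from the article or from anyone quoted in it), the following Python flags three of them: a display name that matches a real doctor while the address does not, a sender domain that is a character or two away from the clinic's own, and a Reply-To header that quietly sends any answer elsewhere. The clinic domain, the staff directory and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed for this example: the clinic's own domain and a small staff directory.
CLINIC_DOMAIN = "example-clinic.com.au"
STAFF = {
    "Dr Jane Smith": "jane.smith@example-clinic.com.au",
    "Dr Tom Nguyen": "tom.nguyen@example-clinic.com.au",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch 'c1inic' / 'cIinic' style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True when `domain` is neither `legit` nor one of its subdomains, but could pass for it."""
    if domain == legit or domain.endswith("." + legit):
        return False
    if legit in domain:  # e.g. example-clinic.com.au.evil.net
        return True
    return edit_distance(domain, legit) <= 2


def check_sender(raw_message: str) -> List[str]:
    """Return findings about the From/Reply-To headers; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # A colleague's name on an address the directory does not know.
    known = STAFF.get(name)
    if known and known.lower() != addr:
        findings.append(f"display name '{name}' belongs to {known}, not {addr}")

    # A domain built to be misread as the clinic's.
    if is_lookalike(domain, CLINIC_DOMAIN):
        findings.append(f"sender domain '{domain}' imitates {CLINIC_DOMAIN}")

    # Replies redirected to a mailbox the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"replies go to {reply_to}, not to the apparent sender")
    return findings


# Constructed sample messages: one impersonation attempt, one genuine internal note.
PHISHING_MESSAGE = """\
From: "Dr Jane Smith" <jane.smith@example-c1inic.com.au>
Reply-To: <records-update@mailer-relay.net>
To: tom.nguyen@example-clinic.com.au
Subject: Urgent: patient file access

Tom, can you confirm your portal login on the link below before 5pm?
"""

LEGIT_MESSAGE = """\
From: "Dr Jane Smith" <jane.smith@example-clinic.com.au>
To: tom.nguyen@example-clinic.com.au
Subject: Thursday roster

Tom, are you still able to cover the afternoon session?
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, "->", check_sender(raw) or ["no findings"])
```

Header checks like these catch the cheap, common cases; they do not replace the training the article calls for, because a message sent from a colleague's genuinely compromised account passes all three.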
The importance of strong password regimes seems painfully obvious, but the recent example of the Department of Defence sub-contractor shows how often this is forgotten.
Passwords should be changed regularly and should be hard to guess, Ms Schaper said.
“The longer your passwords the better,” she said. “For our banking details my CFO has a song lyric – it’s an entire verse.”
Systems that connected to an external IT support provider via the internet needed additional protection, Mr Savvides said.
Clinics should use an encrypted tunnel, called a virtual private network, to connect with support services, with multi-factor authentication turned on, and no default passwords.
Two-factor authentication, where users require an SMS code to log into a system, was also worth considering for access to clinic computers, Mr Merkel said.
This is a low-cost mechanism that blunts most phishing attempts: a password tricked out of a staff member is no longer enough on its own to log in. It is not a complete defence, though. An SMS code can itself be phished in real time by a fake login page that relays it, or intercepted by an attacker who has had the victim's number moved to their own SIM, so an authenticator app or a hardware security key is the stronger choice where the clinic's software supports it.
If any staff member in your practice can download a piece of software or a font onto a work computer, you have a potential security problem.
Staff should require special permission or administration access to bring foreign software into the system, Ms Schaper said.
Application whitelisting is the process of selecting which software is allowed to run on practice computers. “And nothing else, in theory, is allowed to run,” Mr Merkel said.
Without it, staff could unwittingly download a program that had malware hidden inside, he said.
But whitelisting was “not for the faint-hearted”, said Mr Savvides, and could only provide protection if maintained.
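Whitelisting by file hash is the simplest form of the control Mr Merkel and Mr Savvides describe, and it also shows why it needs maintaining. As an added example, not code from the article, the Python below keeps an allowlist of SHA-256 hashes of approved programs and reports anything else in a directory as blocked. The executables, their contents and the scenario (an unapproved download, then a vendor update to an approved program) are constructed inline in a temporary directory so it runs offline; the file names are illustrative only.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_of(path: str) -> str:
    """Hash the file's bytes; the name is not trusted, only the contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths: List[str]) -> Dict[str, str]:
    """Map each approved program's hash to its name. Run when software is approved, not routinely."""
    return {sha256_of(p): os.path.basename(p) for p in paths}


def audit(directory: str, allowlist: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (allowed, blocked) names for every file in `directory`; unknown hashes are blocked."""
    allowed, blocked = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        (allowed if sha256_of(path) in allowlist else blocked).append(name)
    return allowed, blocked


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two approved programs, an unapproved download, a vendor update."""
    with tempfile.TemporaryDirectory() as d:
        clinic = os.path.join(d, "clinic_app.exe")
        viewer = os.path.join(d, "pdf_viewer.exe")
        _write(clinic, b"clinic app v1")
        _write(viewer, b"pdf viewer v3")
        allowlist = build_allowlist([clinic, viewer])

        # A staff member downloads an installer nobody approved: blocked, as intended.
        _write(os.path.join(d, "free_font_installer.exe"), b"definitely not malware")
        allowed_1, blocked_1 = audit(d, allowlist)

        # The vendor updates the clinic app. Its hash changes, so it is blocked too
        # until someone re-approves it: the maintenance cost Mr Savvides warns about.
        _write(clinic, b"clinic app v2")
        allowed_2, blocked_2 = audit(d, allowlist)

        # Re-approve the new version and the app runs again; the stray installer stays blocked.
        allowlist.update(build_allowlist([clinic]))
        allowed_3, blocked_3 = audit(d, allowlist)

    return {
        "allowed_after_download": allowed_1,
        "blocked_after_download": blocked_1,
        "allowed_after_update": allowed_2,
        "blocked_after_update": blocked_2,
        "allowed_after_reapproval": allowed_3,
        "blocked_after_reapproval": blocked_3,
    }


if __name__ == "__main__":
    for stage, names in demo().items():
        print(f"{stage}: {names}")
```

Production tools (Windows AppLocker and Windows Defender Application Control, for example) usually allow by publisher signature rather than per-file hash precisely so that routine updates do not break the list, but the trade-off is the same: someone has to own the list.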