The healthcare sector presents a tempting target for cyber attackers, but defending yourself and your business is a lot easier than getting your black belt in karate.
2020 has been a year when many people and organisations have relied on virtual interactions to keep in contact and to conduct business.
We socialise online, we manage our finances through apps, health information is often held in the cloud, and healthcare consultations are delivered by telehealth more frequently these days.
The healthcare sector has been digitally turbocharged with the implementation of many innovative and improved services. The need for accessible health information, due to natural disasters and the COVID-19 lockdowns, has resulted in many healthcare providers turning to digital services to access important healthcare information such as test results, medications, and hospital discharge summaries.
Due to digitisation and connectivity, cyber-criminals have taken this opportunity to exploit organisations and people who are not digitally secure. The healthcare sector stands out as a tempting target because of the critical nature of healthcare services and the high value placed on health data on the black market.
In August the Australian Cyber Security Centre warned that the Australian aged care and healthcare sector was being targeted for ransomware, and in October the FBI issued a similar alert about renewed threats to the sector.
So, just like a scheduled health check-up, now is a good time to review the security of your systems and information and learn the art of digital self-defence.
Six steps to digital self defence
Build security awareness for yourself and your team
Humans usually present the largest ‘attack surface’ in any cyber security system, so it is vital that everyone using your systems has training in basic security awareness. Understanding the risks and modifying your online behaviours will keep you safer in both your professional and personal lives. The Australian Digital Health Agency offers a free online Digital Health Security Awareness eLearning course that addresses the main cyber security needs of health professionals, and completion may be counted towards continuing professional development requirements for some professions.
Completing the agency’s cyber security eLearning course can help individuals and organisations to effectively increase their cyber defences by arming their workforce with the necessary knowledge and skills to be cyber safe.
Keep your software up to date
Though not widely advertised, updates and patches routinely include security fixes for potential problems that typical end users are not aware of. Best practice is to apply all software patches and updates as soon as possible, before malware writers have had a chance to write software that exploits those problems, at your expense. The Australian Cyber Security Centre recommends patching vulnerable systems within 48 hours.
Use strong passwords and implement multi-factor authentication
The definition of a “strong” password has continued to evolve as the hardware and software to crack passwords continues to improve. Nowadays, it takes just seconds for a brute-force attack to crack an eight-character password consisting of lowercase letters and numbers, so choose a longer password, preferably 14 characters or more. Adding multi-factor authentication to the mix makes life much harder for online criminals to steal your credentials, since it is no longer sufficient to steal or crack a single password.
Back up your data regularly
Backing up data regularly is an essential practice to mitigate hacks, ransomware attacks and hardware failures. The more data you have, the more frequently you should back it up.
A popular and robust data management backup approach is called the 3-2-1 rule:
- Make three copies of every important piece of information
- Store that data in two different formats
- Keep one copy offsite.
Do not respond to unsolicited phishing emails, texts and calls
Recognising phishing attempts is a part of developing a general security awareness. Think before you click on links in emails and SMS messages, and be especially wary of any unexpected communication pressuring you to act immediately.
If you fall victim to ransomware, avoid paying the ransom
If a ransomware attack succeeds in penetrating your organisation’s defences, paying the ransom might seem like the best course of action, but is it? There’s no guarantee that your data will be restored, and the ransom payment provides motivation and additional resources for those same criminals to mount further attacks.
The Australian Digital Health Agency provides detailed guidance for both senior managers and IT professionals addressing the threat of ransomware.
Anthony Kitzelmann is Chief Information Officer of the Australian Digital Health Agency.