

10 BC Advantage Magazine www.billing-coding.com

ARE PRACTICES READY FOR CYBER ATTACKS?

The short answer? No. Practices are not ready for cyber attacks. In fact, healthcare entities account for the highest percent of all US data breaches.

Historically, hackers go after credit card and other financial data. However, statistics show compromising healthcare is becoming a fast and easy way to gain equally valuable data, like electronic protected health information (ePHI).

The healthcare problem

I’ve heard all the security excuses. Some legitimate, some not. “Security is too complicated.” “I’m not trained in security.” “Sorry, I don’t have time.” “HIPAA is too technical.” “I don’t have a budget.” “The HHS hasn’t told me what I’m supposed to do.”

Know thy enemy

In the Art of War, the military general Sun Tzu explains his secret warfare strategies. “… If you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.”

Perhaps part of the reason healthcare has a false sense of security is because they don’t understand their enemy, or their own security problems.

My point in writing this article isn’t to scare you, but to assist you in first realizing your obstacles, and then understanding the opponent in order to successfully avoid cyber attacks, win the battles and the war.

Inside the mind of a hacker

Malicious hackers exist for one purpose: to steal valuable data to make a profit on the black market.

Thanks to the Internet, supreme intelligence isn’t required to be a hacker. Most stand on the shoulders of their hacking world superiors, and use pre-made tools to locate vulnerable organizations and steal data.

In that regard, you should be glad. Most of today’s hackers are limited by their toolset. Reason states that if we know how to jam the tools, we can likely avoid compromise.

A hacker’s behavior is similar to that of a wild predator. They look for small entities that characteristically have weaker security.

Here’s a quick explanation on how hackers pry their way into healthcare and business networks.

1. Scan for open ports. A port is an opening used for communication between computers. Ports are how we send email and browse the Internet. For example, general Internet browsing connects to a server via port 80.

2. Exploit a known vulnerability. Vulnerabilities are the weaknesses in computer code or configuration that allow hackers to bypass many security measures.

3. Capture valuable data. A common tool hackers use to seize data allows them to pick and choose which data they’d like to steal, and how they’d like to receive it. Just like ordering off a menu.

4. Install malware. As a contingency plan, a hacker will often install malware inside a system to scrape any future healthcare data before it has a chance to be encrypted. That way, he can continue to profit off an organization long after his original hack.

Handling healthcare’s top weaknesses

Now that we understand more about hackers, let’s solve the failing technical problems in healthcare that make medical offices so irresistible to attackers.

Insecure remote access. Does the physician at your office like to work from home? He’s probably using a remote access application to gain admittance to your patient database. Do you use a third party for IT support or billing? Odds are you allow them to access your network through remote access too.

A remote access application allows you to login to your office network without being at your office computer, but a vulnerable one may make it easier for attackers to gain direct access to your office and patient data as well. Some examples of remote access include GoToMyPC, LogMeIn, and RemotePC.

Remote access can be secure, as long as it uses strong encryption and requires two independent methods of authentication (called two-factor authentication). For instance, your username/password is the first method of authentication and an authorized onsite person to “allow” the remote access session is the second. Ensure the remote access tool your staff uses has two-factor authentication and strong encryption.

Weak/easily guessable passwords. Random but non-complex passwords are easily broken by hackers utilizing simplistic password cracking software. I am constantly surprised how common this problem is at both small and large healthcare entities.

If you have a difficult time remembering passwords, I suggest a passphrase. Difficult to crack, easy to remember. Think of a memorable phrase, and then take the first letter from each word to create a new password. Here is an example: “My dog Kibbles has 16 teeth & loves 2 eat Steak” becomes “MdKh16t&l2eS.” This “complex” 12-character password is complete with all the aspects of a secure password: letters, numbers, capitalization, and special characters.
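The passphrase rule above, written out as an added example (not code from the article): each word contributes its first letter, while numbers and symbols are kept whole, and the result is checked against the four aspects the article lists. The 12-character minimum is an assumption taken from the article's own example length.

```python
import string


def passphrase_to_password(phrase: str) -> str:
    """Derive a password from a memorable phrase.

    Rule from the article: take the first letter of each word. Tokens that
    do not start with a letter (numbers such as "16", symbols such as "&")
    are kept as-is so they survive into the password.
    """
    parts = []
    for word in phrase.split():
        parts.append(word[0] if word[0].isalpha() else word)
    return "".join(parts)


def complexity_report(password: str) -> dict:
    """Check the aspects of a secure password named in the article.

    'length_ok' uses 12 characters as the threshold; that number is an
    assumption drawn from the article's example, not a stated rule.
    """
    return {
        "length_ok": len(password) >= 12,
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def is_complex(password: str) -> bool:
    """True only when every aspect in complexity_report() is satisfied."""
    return all(complexity_report(password).values())


if __name__ == "__main__":
    phrase = "My dog Kibbles has 16 teeth & loves 2 eat Steak"
    pw = passphrase_to_password(phrase)
    print(pw, complexity_report(pw))
```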

Unpatched applications. The best way to avoid vulnerabilities is by installing software updates that contain essential security enhancements.

Important systems that need regular updates include Internet browsers, firewalls, application software, POS terminals, all staff workstation computers and mobile devices, computer operating systems, EHR systems, app software, network attached medical devices, etc. Many POS systems are running on Windows XP, which is no longer compliant. Be sure to contact your vendor to verify your POS systems are still compliant or have them updated/upgraded.

Improperly configured firewalls. Most threats can be blocked by simply and selectively restricting access to the environment through firewall rules.

Did you know 50% of small organizations SecurityMetrics investigates don’t have a firewall? Properly configured firewalls won’t let attackers in, and won’t let PHI out. Don’t be fooled. That black box your Internet service provider gave you likely isn’t enough to protect your whole network! Speak to your IT guy to get your firewall configured correctly.

No malware scanning. Updated anti-virus software will often detect and prevent common malware attacks. Most anti-virus software scans for viruses, spyware, and adware that target your specific computer operating system.

Make certain all anti-virus software is up-to-date on every computer that stores or processes ePHI. If you don’t have anti-virus software, I recommend Malwarebytes, Symantec, or McAfee for Windows and ESET Cyber Security for Mac.

Irregular vulnerability scanning, or no vulnerability scanning at all. Vulnerability scans are automated high-level tests that identify exploitable network weaknesses in software, hardware, and network structures. Some are able to identify more than 50,000 unique external weaknesses, including patches or updates that might have been overlooked in your regular update schedule. Because cybercriminals discover new and creative ways to hack businesses daily, it’s important to scan often.

After a scan completes, it is crucial to fix any located vulnerabilities on a prioritized basis. SecurityMetrics’ vulnerability support team recommends prioritizing based on risk and effort required.

Falling prey to phishing. Phishing continues to remain a lucrative criminal profession in our email-packed world. The goal? Get recipients to willingly provide social security numbers, passwords, banking numbers, PINs, and credit card numbers. Once the malevolent link is opened, hackers create new user credentials or install malware into your system to steal sensitive data.

Hackers send out more than 150 million fraudulent emails daily, hoping just a few will click on attached links, documents, or pictures. According to CyberSafe Canada, 8 million phishing emails are opened every day, 800,000 embedded links are opened, and 80,000 fall for the scam and share personal info.

The only true way to protect against it is through exhaustive employee training. Staff should be familiar with the easiest ways to distinguish a fake email from a verified one, such as grammar errors, unsolicited attachments, links not matching URLs, and suspicious domain emails.

Winning the battle

Like Sun Tzu explains, if you know both your enemy and yourself, you are ready to win the battle. Don’t hide your head in the sand like many other healthcare entities. Know your practice’s weaknesses backward and forward. Then, choose to conquer them.

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. Reach him at [email protected]
