Do Your Security Systems Need a Checkup?
Dec 28, 2016 09:45AM ● Published by MED Magazine
Any medical office using a computer system knows that it is vital to keep that system secure. But did you know that security systems put in place when you set things up may no longer be doing the job? How do you know when it’s time to reassess your cybersecurity protocols? Shawn Mendel, Director of Engineering Services at Earthbend, says if you’re connected to the Internet and you can’t remember your last cybersecurity assessment, you’re overdue.
“Here in the Midwest, we have had a mindset that the hackers don’t care what we have here,” Mendel told MED. “What we are seeing is that that is not the case. They are targeting small businesses with ransomware. They essentially steal your data and then demand hundreds of dollars to return it to you. We have seen this happening in every area of business, including medical.”
In fact, Mendel says that cyberattacks identical to those in larger cities, which have made national news, have happened in our area. In one case, a single area clinic was attacked twice. In the US, Mendel says there are an estimated 20 data loss incidents per day, specifically because of ransomware.
“A medical record is the most valuable data on the black market right now,” he says. “It’s more valuable than credit card numbers. If I have someone’s medical record, I can use it for Medicare fraud and other types of fraud that can last for a longer period of time. Who checks your medical records?”
To ward off ransomware and other types of attacks on your office computer systems, Mendel recommends a layered approach, comparable to protecting physical valuables with fences, locked doors, and safes. The layers start with the perimeter firewall and move deeper to include network security, endpoint security (each computer workstation, for example), security of the applications being used on those computers, data security, and overall office policy.
“We look at whether the office has a policy in place to engage a third party to perform a quarterly assessment, for instance,” says Mendel. Policy would also include considerations such as what data each computer user is allowed to access and whether or not they are allowed to work remotely on office business.
The final layer is the users themselves, the area that Mendel says is most likely to be overlooked.
“What we are finding, especially in the last 18 months, is that this is the most vulnerable area because of social engineering and phishing schemes,” says Mendel. “It is much easier to fool a user than to compromise an entire system.”
For this reason, in addition to assessing and implementing office cybersecurity systems, Mendel now regularly runs 75-minute training workshops specifically for the people who use the computers. “I think what surprises most people is how big a problem it really is,” he says. “They are surprised that these attacks are happening to people in their own community, to the business down the street.”
Mendel recommends that medical offices plan to have a thorough assessment of their computer security systems, including all of the “layers,” by an IT professional at least once a year.
“What an assessment does is show an organization where their gaps are, whether they need a new policy in place or a new piece of hardware or software,” he says. “The bottom line is, if you are connected to the Internet, you are at risk and the risks that we face continue to change and evolve. Security systems from last year are no longer useful this year because the threat landscape is constantly changing. There is no one silver bullet. It’s an ongoing, never-ending battle.”
Shawn Mendel is Director of Engineering Services at Earthbend in Sioux Falls.