What do individuals, companies, schools, a police department and the federal government have in common? Their computers were all infected by malware; an attack by Phillip Durachinsky, of North Royalton, Ohio. Investigators say Durachinsky may have had access to nearly 2,000 University of Virginia (UVA) Medical Center patients records over a period of 17 months between 2015 and 2016. These institutions Durachinsky “infected” would seemingly have the best cyber security.
Durachinsky used malware called Fruitfly. Investigators say the program infected both PC and Mac computers. It allowed Durachinsky to listen to conversations, record keystrokes, download screenshots and turn on web cameras. The malware got into the UVA Medical Center when a doctor used his infected laptop to access patient records.
Cyber security for your practice
If malware could infiltrate the UVA Medical Center and the federal government, how safe are your medical records?
“The first place you would want to start is with a Risk Assessment,” said Frank Gatto, President of P3 TekSolutions, LLC, a managed cyber security services provider in Roanoke, Virginia. “The HIPAA Security Rule and Meaningful Use requirements call for all organizations to perform a HIPAA Risk Assessment.”
According to a Ponemon Institute Study, 91 percent of healthcare organizations suffered at least one data breach in the past two years, Gatto said.
Is your data under lock and key?
“Fulfilling regulatory checklists may vindicate you from government-issued oversight and fines, but it doesn’t eliminate you from business disruption, lawsuits, reputation damage or public outrage,” continued Gatto. “You have to take a layered approach to security and it has to go beyond the “good-enough” mentality.”
Easy steps
For starters, all emails containing electronic protected health information need to be encrypted. An email encryption service such as Sendinc costs less than $50 a year. Sendinc does not store encryption keys, so only your recipients can to decrypt your messages. And it meets HIPAA compliance standards.
Other easy steps include installing a privacy screen on monitors to prevent unauthorized or accidental disclosure of patient information. You should also disable USB auto play which will stop Explorer from automatically launching and possibly automatically launching malware on to your computer.
“You also need to conduct network vulnerability assessments and auditing which enables you to analyze the state of your network security, identify risks and address how to take action before it is compromised,” explained Gatto. “There are some 60,000 known vulnerability scans that need to be checked daily or weekly at a minimum. A managed security services provider, like P3 TekSolutions, can handle all of this for you. As one of my clients likes to say, ‘I want to practice dentistry not IT, which is why I need you.’”
Ransomware attacks take place every day. Ransomware, is a type of computer virus that attempts to deny access to a user’s information by encrypting their data. Once the hacker seizes the data they demand money to release it. Do not think your practice is too small to be affected.
“You have employee data, client data and payroll data to name a few and if that information were to be subjected to a ransomware attack, your business would stop dead in its tracks,” said Gatto. “Everyone, and I mean, everyone, is a target!”
So how do you know if your computer has been compromised? You may notice your computer is acting a little weird. For example, your internet browser has a new search bar, or your home page is different, or your CPU is maxing out for no reason. There may be new software loaded or your antivirus is disabled.
“So, what do you do when you have an UH-OH moment? Immediately unplug the ethernet cable and power down the system,” said Gatto.
Then your next step should be calling a managed security services provider to determine if your whole network has been infected. Being cyber-secure does not have to be complicated or expensive. Enlisting the help of a managed security services provider is a good first step.
Originally written for the National Association of Dental Assistants newsletter, “The Explorer”
Click here to learn more about Frank Gatto
