Asking the Right Questions to Protect Your Computer Network

By: Tom Powers, founder and chief technology officer of StrataDefense

With the challenges of the past few years severely impacting medical practices and healthcare facilities, your computer network probably hasn’t been high on your list of priorities. While you scrambled to do the best you could during a crisis, there are people out there eager to prey on your distraction, take advantage of holes in your network security and hurt your business.

These attackers are very good at what they do, and it’s difficult to keep a determined attacker from getting into your network. Building a better system doesn’t necessarily mean establishing stronger perimeter defenses; it means implementing rapid methods of detection and limiting what attackers can do when they get in.

There is good news. There are professionals who focus solely on making sure that your business and your patients are as safe as possible while still being reasonable and cost-conscious about security. But while employing the right IT professionals is important, the ultimate responsibility for protecting your system lies with you.

This article is designed to help. You’ll learn questions to ask and answers to expect from your IT team in the following areas:

  • Protecting electronic health records and personal health information
  • Installing patches and implementing vulnerability scans
  • Reviewing managed service providers
  • Establishing internal system security

You don’t need to know the technical details to make sure the parts and pieces are in place and working. All you need is a basic understanding of what you have, where you’re vulnerable and how to check that your technology team is making positive changes. It’s time for you to get more involved.

Protecting Electronic Health Records and Personal Health Information 

The commodity that cyberattackers want is information — specifically, patient information. Names, Social Security numbers, Medicare numbers, payment information and insurance information all aid in identity theft. With this information, an attacker can submit fraudulent claims to acquire benefits like Medicare or Medicaid or obtain medical services or prescription medications.

Of course, your patients’ personal health information should be protected, and all medical records should be secured in your electronic health record (EHR) system, which should be encrypted and require multiple forms of authentication. Now is a good time to verify that this is the case in your practice. 

1)    Verify EHR encryption 

Ask your EHR software manufacturer to provide information on how it has encrypted patient data and which fields are encrypted in your software databases. Reputable EHR software vendors have this information readily available. Get a copy, read it and ask questions about what you don’t understand.  

In addition to making information difficult to read, make your system difficult to enter. A username and a password should not be the sole method of EHR access, as stolen credentials are easy to capture once an attacker has control of a system. If you do not have multifactor authentication on all your critical systems — which means you use more than one method to verify access — get your team to implement it now.

2)   Scan your network for Personal Health Information 

While your EHR system is a treasure trove of information, it should be hard to access. However, cyberattackers typically can find many documents in the most vulnerable of places: saved on people’s personal computers. Your goal is to minimize patient information that is unprotected and outside your EHR system. 

Your IT support should scan all machines to look for unprotected personal health information and personally identifiable information (PHI/PII). They should investigate all of the following: 

  • Word or Excel documents that are unprotected
  • Local cached email files, such as PST or OST files for Outlook and offline cached Exchange files
  • My Documents for each user profile on local machines
  • Shared drives on network servers
  • Temp directories on local machines or terminal servers

When it comes to this activity, do not take no for an answer from your IT support. The process isn’t difficult and doesn’t strain your systems. Your team can easily scan workstations during the day but should scan file servers after hours or at the lowest times of activity to avoid slowdowns. If your IT team still says it’s too hard to do such a thorough scan, tell them to do a Google search for “Powershell and PII.” They will see numerous results of premade Microsoft scripts to get them started. 

If the scan finds no PII, then it was most likely faulty. A good rule of thumb is that the larger you are and the longer you have been around, the more unprotected information you have scattered about. Your team needs to find these documents and get them removed from your network and into your EHR system.

You can test the results yourself: During the scan process, make a Word document with some fake Social Security information and patient information. You know what your forms look like, so copy them. Save the document on your desktop and see if the scan finds it. If it doesn’t, then tell your team what you did so they can adjust their scans and make them better.
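The scan and the self-test described above, as an added example that is not part of the original article or any vendor's script: it looks for Social Security number patterns in plain-text and modern Office files under a folder, then plants a fake form and confirms the scan reports it. The file name `canary_intake_form.docx`, the extension lists and the fake number are constructed assumptions.

```python
import re
import zipfile
from pathlib import Path

# SSN-shaped values; ranges that are never issued (area 000/666/9xx,
# group 00, serial 0000) are excluded to cut false positives.
SSN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
TAG = re.compile(r"<[^>]+>")
OFFICE = {".docx", ".xlsx"}
PLAIN = {".txt", ".csv", ".rtf", ".htm", ".html", ".xml"}

def extract_text(path):
    """Return searchable text for the file types this example understands."""
    suffix = path.suffix.lower()
    if suffix in OFFICE:
        # Modern Office files are zip archives of XML parts. Removing the tags
        # rejoins values that Word split across several formatting runs.
        with zipfile.ZipFile(path) as z:
            return " ".join(TAG.sub("", z.read(n).decode("utf-8", "ignore"))
                            for n in z.namelist() if n.endswith(".xml"))
    if suffix in PLAIN:
        return path.read_text(errors="ignore")
    return ""

def scan(root):
    """Return ({path: hit count}, [unreadable paths]). Matches are counted,
    never copied, so the report does not become a new store of PII."""
    findings, unreadable = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            hits = len(SSN.findall(extract_text(path)))
        except (OSError, zipfile.BadZipFile):
            unreadable.append(str(path))  # e.g. password-protected or corrupt
            continue
        if hits:
            findings[str(path)] = hits
    return findings, unreadable

def canary_check(root):
    """Plant a fake form (constructed data) and confirm the scan reports it."""
    canary = Path(root) / "canary_intake_form.docx"
    body = "<w:p><w:r><w:t>SSN: 123-</w:t></w:r><w:r><w:t>45-6789</w:t></w:r></w:p>"
    with zipfile.ZipFile(canary, "w") as z:
        z.writestr("word/document.xml", f"<w:document>{body}</w:document>")
    return str(canary) in scan(root)[0]
```

Files listed as unreadable still need a manual look, and the canary should be deleted once the check passes.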

3)   Verify that your remote workforce is secure

While some offices are fully back to work in person after the pandemic, many employees, even for medical practices, still work remotely. IT departments and support companies did the best they could to establish security during the emergency, but circumstances often meant they cut corners. Now it’s time to make sure that your remote workers are secure. 

Check use of VPN. Your remote workers should access your network through an encrypted virtual private network (VPN).

Check use of multifactor authentication by your remote workers. As an example, many VPN clients support a token-based system that can run on your smartphone. 

Allow remote access only on company-owned and hardened workstations whenever possible. If you had to scramble to find laptops when supply was limited, and you let your workers use their own home machines, it is critical that the remote access solution be a secure one that uses multi-factor authentication.

Establish a method to verify your workforce VPN connections. Whether this is an internal console that shows who logs in and when or a daily report of logon activity doesn’t matter. You just need a method in place to quickly review and verify VPN connections.  

Look for logons from workers at times you don’t expect, from places you don’t recognize. Pay close attention to logons from workers who are on vacation.
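One way an IT team could produce that daily review, as an added example that is not part of the original article: it reads a logon export and flags the three conditions named above. The column names, user names, working hours, network ranges and vacation dates are constructed assumptions, not the export format of any particular VPN product.

```python
import csv
import io
import ipaddress
from datetime import date, datetime, time

# Constructed sample export. Column names are assumptions; map them to
# whatever your VPN console or firewall report actually produces.
SAMPLE_LOG = """timestamp,user,source_ip
2023-09-18T08:05:00,asmith,203.0.113.10
2023-09-18T02:41:00,asmith,203.0.113.10
2023-09-19T09:15:00,bjones,192.0.2.99
2023-09-20T10:30:00,cdoe,192.0.2.44
2023-09-20T23:50:00,cdoe,198.51.100.200
"""

WORK_START, WORK_END = time(6, 0), time(20, 0)  # expected logon window
KNOWN_NETS = {  # networks each user normally connects from
    "asmith": ["203.0.113.0/24"],
    "bjones": ["198.51.100.0/24"],
    "cdoe": ["192.0.2.0/24"],
}
VACATION = {"cdoe": (date(2023, 9, 18), date(2023, 9, 22))}  # inclusive dates

def review(log_text):
    """Return (timestamp, user, reasons) for every logon worth a second look."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        source = ipaddress.ip_address(row["source_ip"])
        reasons = []
        if not WORK_START <= when.time() <= WORK_END:
            reasons.append("outside expected hours")
        nets = KNOWN_NETS.get(row["user"], [])  # unknown users match nothing
        if not any(source in ipaddress.ip_network(n) for n in nets):
            reasons.append("unrecognized source network")
        away = VACATION.get(row["user"])
        if away and away[0] <= when.date() <= away[1]:
            reasons.append("user on vacation")
        if reasons:
            alerts.append((row["timestamp"], row["user"], reasons))
    return alerts
```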

Securely store all passwords. A password-protected spreadsheet such as Passwords.xls doesn’t cut it. Instead, everyone should be using one of the reliable password managers that are available. I recommend KeePass because it is free, it works, and you can synchronize it between your network and your smartphone. 

Installing Patches and Implementing Vulnerability Scans 

Probably the most important step in securing a network is a robust patching routine. Patches fix security issues and performance problems, and they provide enhancements to software and operating systems. For those reasons, you should install all available patches. 

4)   Verify that patching and vulnerability scanning are up to date and complete

Patching should run weekly for Microsoft patches and daily for third-party software, such as Adobe Reader, Google Chrome, Mozilla Firefox and others. Your IT team or support company should already have a patching system in place. If they do not, that should be the first thing you address. 

You should get reports that include the following: 

  • Which patches were successfully installed on which machines and when. 
  • Which patches are still missing. Occasionally, a software vendor may say that a certain patch can’t install. When that happens, it should be documented as an accepted risk, but otherwise, install all patches. 

Vulnerability scans should be run on rotation. A quarterly internal scan of all workstations and servers, as well as an external scan of your firewalls, is a good starting point. Whether you purchase your own scanner software or use the one your support team already has in place, get that rotation set up.

  • You will get vulnerability reports that, at first, will look like the whole world is ending, and that you are riddled with issues. Relax and take a breath. These reports are sometimes a bit misleading. 
  • Many times, you’ll see the same vulnerability listed more than once and with different severities. Your team should remediate all findings listed as critical and high, and work on the medium/moderate vulnerabilities. Just like with patching, occasionally you’ll have a remediation setting that conflicts with software or a device that you run on the network. Document that accepted risk and exclude it from future reports.
  • You may see vulnerabilities come back that were originally fixed. This often happens when software is updated or patches are installed. Your teams may need to reapply certain fixes at various intervals. 

Reviewing Managed Service Providers 

It is not uncommon to use external teams and consultants for software, network and security support. In fact, many practices and institutions have external support from a managed services provider (MSP), which is a good idea if they are up to the task.

In the past, literally anyone could be an MSP and meet the needs of their clients. Now, the stakes are higher, and you need to evaluate the quality and level of services. Security has become paramount as attacks on MSPs themselves are on the rise. If attackers breach an MSP, they then have access to the clients the MSP serves. Because of this, it’s important to review your provider and verify that it has kept up with the security landscape.

5)   Evaluate your MSP

Ensure that your MSP does not let remote sessions remain open continuously.

Remote access into the system should occur only when work is required and a ticket is assigned to it, and each session should start and end with the work being performed. You should get a weekly report of MSP logins and disconnections and should be able to compare that against service tickets. Question any connections without an associated ticket.  
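The comparison of the weekly session report against service tickets, as an added example that is not part of the original article: it flags sessions with no ticket, sessions that run past the ticket's work window, and sessions that were never disconnected. The record fields, technician names, ticket ids and the 15-minute grace period are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(text):
    return datetime.fromisoformat(text)

# Constructed sample data; field names are assumptions about the MSP's reports.
SESSIONS = [
    {"tech": "msp-alice", "login": ts("2023-09-18T09:02:00"), "logout": ts("2023-09-18T09:47:00")},
    {"tech": "msp-bob", "login": ts("2023-09-19T23:10:00"), "logout": ts("2023-09-20T00:05:00")},
    {"tech": "msp-alice", "login": ts("2023-09-20T08:00:00"), "logout": None},  # never disconnected
]
TICKETS = [
    {"id": "T-1001", "tech": "msp-alice",
     "opened": ts("2023-09-18T08:30:00"), "closed": ts("2023-09-18T10:00:00")},
    {"id": "T-1002", "tech": "msp-alice",
     "opened": ts("2023-09-20T07:45:00"), "closed": ts("2023-09-20T09:00:00")},
]
GRACE = timedelta(minutes=15)  # tolerance for clock drift and ticket paperwork

def reconcile(sessions, tickets, report_end):
    """Return (tech, login, reason) for each session no ticket fully explains."""
    findings = []
    for s in sessions:
        end = s["logout"] or report_end  # an open session runs to the report date
        mine = [t for t in tickets if t["tech"] == s["tech"]]
        covered = any(t["opened"] - GRACE <= s["login"] and end <= t["closed"] + GRACE
                      for t in mine)
        if covered:
            continue
        overlaps = any(t["opened"] <= end and s["login"] <= t["closed"] for t in mine)
        if not overlaps:
            reason = "no associated ticket"
        elif s["logout"] is None:
            reason = "session still open after ticket closed"
        else:
            reason = "session extends beyond ticket window"
        findings.append((s["tech"], s["login"].isoformat(), reason))
    return findings
```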

Ask your MSP for proof that their employees use a multifactor VPN for access to the MSP network. All systems should have unique passwords and tokens for all employees with access.

Ask questions to help you determine whether your MSP can help with your security needs. 

  • Have they offered vulnerability scans and remediation services?
  • Have they discussed with you the threats to your practice? Security discussions should include topics such as advanced persistent threats, detecting attackers after they have gotten in, incident response plans, security information and event management (SIEM) systems, penetration testing and system/network hardening.
  • Can they demonstrate their ability to simulate an attack and then show how they detect this activity and act? The best defenders know how to attack. They should be able to show you attack and defense to prove their understanding and their ability to protect your systems. If this is all new to you, and you have not had such discussions with your MSP, seek additional outside security help. 

Establishing Internal System Security 

What should you have in place to make your systems more secure? Keep in mind that security is a process, not a product. This means that it is more important to use what you already have before adding more. It is possible to detect, deter and stop attackers quickly without breaking the bank. Tell your team that before they buy anything else for your network, you want to ensure that they are using what you already own to its fullest extent. 

6)   Review the security of your internal systems

The topic of internal systems security is too large to tackle in a single article. However, you should know the key components to discuss with your internal teams and external support companies. These include network hardening, firewalls, virus scanning and your internal logging system. 

Network hardening. Network or system hardening aims to reduce security risks by eliminating unnecessary services and applications as well as activating built-in security features. Ask your teams to show you that you have network hardening configurations in place or have a plan to begin putting them in place. 

Firewalls. Your firewall is the barrier between your network and the Internet. Virus scanning, intrusion prevention and detection, and application filtering (blocking applications that aren’t necessary for work) should be enabled. Ask your teams to show you the level of configuration. 

Virus scanning. Commercial virus scanning platforms have evolved considerably over the past few years. Things to have your team verify and report on include: 

  • Virus and malware detection in real time, as well as scheduled scans
  • Blocking of unauthorized encryption algorithms (ransomware blocking)
  • Behavioral analysis, which uses machine learning, artificial intelligence, big data and analytics to detect differences in normal, everyday activities and identify malicious behavior
  • Endpoint protections to control USB usage

Internal logging system/SIEM. There are a lot of logs to review, and there is no way any team can go to each machine to review them all. Consolidation of logs from all machines to a centralized system is called log aggregation. A log aggregation system that focuses on security is called a security information and event management (SIEM) system. 

Your Next Steps 

The inevitable question is, “Where do I start?” As you move through the topics in this article, you will begin to better understand your own systems. Talk to your security team and make sure each member of your internal and external teams understands this goal:  

We want to have a network that is secure and that can see an attack in progress. We want to have an environment that makes it so difficult for the attacker to move around that they give up and move on to someone else. 

Make sure your security team knows that you hold them accountable for getting the information you need and making the changes that need to be made. Have them explain the way things are set up, and if the explanations don’t make sense, keep talking until you get the insight you’re looking for.

When you find things that need attention, plan with your team and set deadlines. Treat these changes and the security lockdowns like any other business project. 

A physician once told me: “If you do not make time for your wellness, you will be forced to make time for your illness.” The same is true with your network and security. Either you address it proactively, or you’ll clean up the mess after someone has stolen everything. It’s your choice. What are you going to do?  

This article was excerpted from an original piece by Tom Powers, founder and chief technology officer, StrataDefense

 

09/23

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.