How secure is your practice from cyberattack?

Opinion

Richard Medlicott

Wellington GP and health IT columnist Richard Medlicott looks at what practices can do to avoid security breaches

I always intended to write my third column on cybersecurity. The timing was coincidental with the recent incident at Pinnacle Midlands Health Network. At the time of writing, the extent of that particular breach is a bit unclear, but it does look fairly typical in the sense that it's a large healthcare organisation which has had its defences breached. And there’s resulting anxiety for both patients and the network as to what data might have been copied or accessed and what may come next.

Fortunately, this does not appear to be a ransomware situation, which must be incredibly difficult if you get caught up in it.

Hacking is a business, and like most businesses there's a profit motive, systems and continuous quality improvement to how the scams work.

The diagram below shows the number of complaints made to the FBI's Internet Crime Complaint Center (IC3), as published in the Federal Bureau of Investigation Internet Crime Report 2021. Most categories are fairly flat year on year; phishing-type attacks are the exception.

Ransomware 

If we look at ransomware, we can see that the healthcare and public health sectors are particular targets, as also outlined in the FBI report.

Fortunately, we are not powerless to reduce our risk. We can never eliminate it, but we have a responsibility to protect our businesses and our patients' information. Some aspects of this protection are complicated, and others are complex. The complicated part is the technical work: steps you can take with your IT provider to secure your systems. The complex part, which I come to later, is people.

The current RNZCGP standards refer to a shortened version of the Health Information Security Framework that practices need to adhere to. That framework was 87 pages long and published about 10 years ago. It was intended for larger organisations such as DHBs. Patients First developed the abbreviated version which the college adopted for its standards. This security framework is being rewritten, and while I have not seen it, I do expect there will be greater requirements placed on general practice around data security.

So what can you do? 

Firstly, I recommend having an external company that specialises in IT security carry out penetration testing on your systems. Tū Ora Compass PHO is subsidising this for practices in its region, and I hope to see other practices with us.

My practice was the first to do this within our PHO. We got a very detailed report back, which we were able to share with our IT provider. It turned up some unexpected vulnerabilities that we then went on to patch. We were very satisfied that in the end we had done some significant work to improve our security position.

The test covered many aspects, such as our practice management system (PMS), third-party software, Microsoft 365 settings, Wi-Fi passwords, and security settings on third-party infrastructure such as the telephone system and printers. I know we are not bulletproof; the only way to be truly secure from cybersecurity threats would be to go back to pen and paper, and we can't do that! I feel, however, that we are at least wearing a bulletproof vest, which will lower our risk.

I expect that penetration testing will become a requirement for practices, and I know many of you will feel this is another compliance cost put on us. But while there is some cost, it is worthwhile insurance. The costs of a significant breach or a ransomware incident are extremely high. You may also wish to explore cybersecurity insurance to help cover those costs if you are breached.

The complex part 

The other area is more complex than complicated. We can patch the systems, but we can't patch humans. Many successful attacks on businesses come through the vulnerabilities that you or your staff present, not through the technology. It is important to have policies in place covering staff onboarding and exit, staff awareness training on phishing, how you manage contractors coming in and out of the building, and how you manage security when working from home.

In terms of training, we worked with our IT providers to put in place an online training package that simulates phishing attacks. We have a button in Outlook that staff can press when they think they've received a phishing email. If they do click a link in a simulated phishing email, they are directed to further training.

The staff have been fine with this; it has raised awareness of phishing attacks and how to spot suspicious emails. The system comes with monitoring and outcome measurement, such as the diagram below.

Passwords 

Passwords are still critical, and they need to be longer and less predictable than ever. The chart below from Western Technology Solutions indicates how quickly different types of passwords can be broken by modern computing systems. Charts like this assume an attacker who tries every combination against a quickly computed password hash; a human-chosen password built from words, names and dates falls much faster to dictionary and pattern attacks, which is why length and unpredictability matter more than mixing in a symbol.
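To show where the numbers in such charts come from, here is an added worked example (not code from the column, and not a reproduction of the Western Technology Solutions chart). It computes the brute-force search space for a password from the character classes it uses, converts that into an expected crack time at an assumed guess rate, and contrasts it with the much smaller search space an attacker faces when a passphrase is built from a known word list. The guess rates and the storage-format names are illustrative assumptions, not measurements.

```python
"""Brute-force search-time estimates for password patterns.

Added illustration, not from the column and not the chart it refers to.
The guess rates are assumed round numbers for a single GPU-class cracking
rig (hypothetical); real figures depend on hardware and on how the
password is stored.
"""
import math
import string

# Assumed guesses per second per storage format (illustrative, not measured).
GUESS_RATES = {
    "ntlm": 1e11,           # fast unsalted hash: worst case for the defender
    "sha256": 1e10,
    "bcrypt_cost12": 1e4,   # slow adaptive hash: deliberately expensive to guess
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the character set a brute-force attacker must cover, inferred
    from the classes actually present (lower, upper, digit, symbol, space)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in password:
        size += 1
    if size == 0:
        raise ValueError("password must contain at least one ASCII letter, digit, symbol or space")
    return size


def keyspace(password: str) -> int:
    """Number of candidates a pure brute-force attacker must consider."""
    return alphabet_size(password) ** len(password)


def brute_force_bits(password: str) -> float:
    """Brute-force strength in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Strength of a passphrase of random words when the attacker knows the
    word list: a 7776-word Diceware list gives about 12.9 bits per word,
    far less than the brute-force figure for a string of the same length."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(password: str, rate: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace(password) / (2 * rate)


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Expected crack time per storage format for one password."""
    return {name: human(expected_crack_seconds(password, rate))
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Constructed sample passwords, chosen to span the usual chart rows.
    for pw in ("abcdefgh", "Abc12345", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, {report(pw)}")
    # The same four-word passphrase against an attacker who has the word list:
    print(f"4 Diceware words: {passphrase_bits(4, 7776):.1f} bits")
```

The contrast between the ntlm and bcrypt rows is the point a practitioner should take away: the same password survives thousands of times longer when the system storing it uses a slow, salted hash, which is a question to put to your PMS vendor as well as to your staff.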

We use multi-factor authentication for accessing our system when working from home. This means we need a username, a password and a device. If you are working from home without multi-factor authentication, you should talk with your IT provider about getting it set up.

Useful links 

Below are some useful organisations to contact for a response to a cybersecurity attack:

Our penetration testing was provided by Medical IT Advisors (meditadvisors.com), a managed security service provider for healthcare organisations.

Our Phishing training and management is supplied by www.knowbe4.com.
