“I had no idea that anything was wrong until I got a call from the vendor. Now I’m told that our system may have been hacked and our patient files encrypted. What do I do now?”
As reported in the media earlier this year, this incident involved a flaw in Argus secure messaging software, used by more than 40,000 Australian health specialists. The problem was reportedly due to the way that the software allowed for remote access – for example to enable doctors to check results from home or communicate with other health professionals after hours.
The software’s distributor, Telstra Health, and the Australian Digital Health Agency (ADHA) have responded to that incident, which is said to have affected only a small number of customers.
It is a terrible feeling and you never really think it will happen to you. But with more and more systems being interconnected, taking some time to protect your systems could be time well-spent. If you are not the technical expert in your team, we thought it would be helpful to arm you with some questions to ask your IT support.
- Check you have network security controls in place.
- Keep healthcare systems and software up-to-date.
- Install and update anti-virus and ad-blocking software.
- Use strong passwords and change them regularly.
- Backup business systems and files.
Steps to protect your systems
To avoid situations like the one above, follow these steps to protect your network and system:
1. Check your network security controls
It’s important to check with your IT personnel or service provider about your network security controls including:
- Remote Desktop privileges (for example, logon from home or remote IT support)
- Firewall (network and/or local computer)
- Virtual local area networks (vLANs)
- Intrusion detection and protection.
Asking the following questions can help facilitate this process:
- How are these maintained?
- Is there a monitoring process in place?
- How are unusual behaviours tracked, reported and addressed?
You should also check who can access your network and computing systems, and how. In the case of the Argus incident, the remote systems access was not changed from the default setting and the password did not meet security standards. Ask the following questions:
- How are user IDs created and managed?
- Are certain user profiles granted systems administration access (more advanced than the usual staff role) and how are these regularly reviewed and managed?
- When a staff member moves to another role or leaves the practice, how is their access changed, deactivated and deleted?
- Do you have password standards (for example, complexity, expiry and secure communication of passwords etc.) that leverage best practice and are they being followed? How is compliance monitored and reported? If there is non-compliance, how is it managed?
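The access questions above are the kind of review an IT provider can answer from a user-directory export. The following script is an added example (not part of the original article, and not a real product's export format): it takes a constructed list of accounts and flags the cases the questions ask about, namely leavers whose access is still active, default or shared account names, administrator rights that need confirming, and accounts nobody has logged into recently. The field names, the sample accounts and the 90-day threshold are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Account names that commonly ship as defaults or end up shared between staff.
# Constructed list for this example; extend it with the names your systems use.
DEFAULT_OR_SHARED_NAMES = {"admin", "administrator", "guest", "test", "reception"}


@dataclass
class UserAccount:
    """One row of a user-directory export (constructed field set, not a real product's)."""
    username: str
    role: str
    is_admin: bool
    active: bool
    last_login: Optional[date]            # None = never logged in
    left_practice: Optional[date] = None  # date the person left or changed role


# Constructed sample directory for a small practice, as an IT provider might export it.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    UserAccount("dr.alice", "doctor", False, True, date(2024, 5, 29)),
    UserAccount("nurse.bob", "nurse", False, True, date(2023, 11, 1)),
    UserAccount("reception.carol", "reception", False, True, date(2024, 5, 31), date(2024, 5, 2)),
    UserAccount("it.support", "vendor remote support", True, True, date(2024, 5, 22)),
    UserAccount("admin", "unknown", True, True, None),
    UserAccount("dr.dave", "doctor", False, False, date(2023, 5, 20), date(2023, 6, 1)),
]


def review_accounts(accounts: List[UserAccount], today: date,
                    stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that need a decision.

    Checks, in order: leavers whose access was never removed, default or
    shared account names, administrator rights, and accounts with no recent
    login. Inactive accounts are skipped: they have already been dealt with.
    """
    findings = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    for acct in accounts:
        if not acct.active:
            continue
        if acct.left_practice is not None:
            findings.append((acct.username, "left the practice but the account is still active"))
        if acct.username.lower() in DEFAULT_OR_SHARED_NAMES:
            findings.append((acct.username, "uses a default or shared account name; rename or disable it"))
        if acct.is_admin:
            findings.append((acct.username,
                             f"has administrator access (role: {acct.role}); confirm it is still required"))
        if acct.last_login is None or acct.last_login < stale_cutoff:
            findings.append((acct.username,
                             f"no login in the last {stale_after_days} days; confirm the account is still needed"))
    return findings


if __name__ == "__main__":
    for username, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username:16} {finding}")
```

Run against the sample, the script reports nothing for the two doctors (one active and recently logged in, one already deactivated) and six findings across the other four accounts. The point of the output is that each line is a decision for the practice manager, not the IT provider: keep, rename, remove or downgrade.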
Your next layer of defence needs to be embedded in your personal computing fleet, i.e. laptops, desktops, and mobile devices. Adopt the following best practices:
2. Update your systems and software
Those alerts on our computers that pop up advising us there is a new software update to install can easily be ignored. However, regularly installing operating system security updates and software updates is the most effective way to keep your healthcare systems protected against cyber-attacks and viruses.
Known as patches, these updates fix known flaws in your operating system, applications and programs.
3. Use anti-virus and ad-blocking software
Cyber criminals commonly use malicious software (malware) to target computers with viruses, spyware, trojans and worms. These can be delivered by email or while browsing the web. Some malware is also delivered through advertisements on the web.
To prevent these attacks compromising your systems, ensure antivirus software and an ad-blocking browser plug-in are installed and kept up to date, with automatic updates from the manufacturer enabled.1
4. Use strong passwords
Strong passwords are very important in terms of keeping sensitive information safe and preventing cyber-attacks. Hackers may use automated methods to guess a password, so it’s not advisable to include personal information in your password. This includes anything that can be found on a social networking site, even if the words are slightly altered. Consider the following:
- Passwords entered in the login screen should not be displayed in clear text.
- Change passwords regularly and/or set password expiry for a certain period.
- Staff must never share passwords.
- Password length must be at least eight alphanumeric characters with one character being a special character (such as !, @, #, $, &, *, ?). ‘Passphrases’ are encouraged as length and memorability are important security considerations.
- For instances when a temporary password is assigned, the user is forced to change the password (on a successful login) to one that complies with the standards.
- The login account is locked after multiple unsuccessful attempts to log in.
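The rules in the list above can be checked mechanically, and the way a system enforces them is worth asking your IT support about. The following code is an added example (not part of the original article and not any vendor's implementation): a policy checker for the length, character and personal-information rules, plus a small login model showing a lockout after repeated failures and the forced change that follows a temporary password. The lockout count of five, the leetspeak substitution table and the sample passwords are constructed assumptions; the PBKDF2 hashing is a standard-library choice made for the example, not something the article prescribes.

```python
import hashlib
import hmac
import os
import re

# Policy thresholds from the article's list; the lockout count is a constructed value.
MIN_LENGTH = 8
SPECIAL_CHARS = set("!@#$&*?")
MAX_FAILED_ATTEMPTS = 5

# Common substitutions used to "slightly alter" a word (0 for o, 3 for e, $ for s, ...).
LEET = str.maketrans("01345$@!", "oieasasi")


def _strip(text: str) -> str:
    """Lower-case and keep only letters and digits, for loose substring matching."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password: str, personal_terms=()) -> list:
    """Return the policy rules a candidate password breaks (empty list = compliant).

    Rules from the article: at least eight characters, letters and digits, one
    special character, and nothing drawn from personal information even when
    slightly altered. personal_terms holds words from the user's profile
    (names, suburb, birth year) supplied by the caller.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("contains no special character (!, @, #, $, &, *, ?)")
    plain = _strip(password)
    unleeted = _strip(password.lower().translate(LEET))  # "Melb0urne" -> "melbourne"
    for term in personal_terms:
        t = _strip(term)
        if len(t) >= 4 and (t in plain or t in unleeted):
            problems.append(f"contains personal information ({term})")
    return problems


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a deliberately slow hash so a stolen hash is costly to guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Login state for one user: salted hash, failed-attempt counter, lockout and
    the forced change that follows a temporary password (constructed example)."""

    def __init__(self, username: str, initial_password: str, temporary: bool = False):
        self.username = username
        self._salt = os.urandom(16)
        self._digest = _hash_password(initial_password, self._salt)
        self.must_change_password = temporary
        self.failed_attempts = 0
        self.locked = False

    def login(self, attempt: str) -> str:
        """Return 'locked', 'denied', 'change-required' or 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash_password(attempt, self._salt), self._digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True  # unlocking is an administrator action, not a timer
                return "locked"
            return "denied"
        self.failed_attempts = 0
        return "change-required" if self.must_change_password else "ok"

    def change_password(self, new_password: str, personal_terms=()) -> list:
        """Apply the policy; on success store the new hash and clear the forced change."""
        problems = password_problems(new_password, personal_terms)
        if not problems:
            self._salt = os.urandom(16)
            self._digest = _hash_password(new_password, self._salt)
            self.must_change_password = False
        return problems


if __name__ == "__main__":
    # Constructed profile terms for one user and a few sample passwords.
    profile = ("alice", "nguyen", "melbourne", "1985")
    for candidate in ("Winter2024", "Melb0urne!1985", "Tr0ub4dor&3"):
        print(candidate, password_problems(candidate, profile) or "compliant")
```

Two details carry the security weight here: the personal-information check normalises the candidate before matching, so the "slightly altered" forms the article warns about ("Melb0urne!1985") are still caught, and the stored value is a salted PBKDF2 hash compared with `hmac.compare_digest`, so neither the plain password nor timing differences leak from the comparison.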
5. Backup your business systems and files
Hackers use malware to deny access to files and can demand a ransom to regain access. Malware can usually only be removed by wiping the computer and reinstalling the operating system, applications and data from backups.
Therefore, it’s important to keep frequent backups of all critical information and systems. Backups should also be stored securely offsite and not connected to the network, to prevent their loss due to malware, fire or theft.1
If you have questions about cyber security, it’s best to speak to your hospital’s information technology team or practice’s IT advisers.
1 Australian Digital Health Agency and the Attorney General’s Department. Information Security Guide for small healthcare businesses. ACT (AU): Commonwealth of Australia; 2017. 24 p. ISBN 978-1-920838-21-8. © Commonwealth of Australia 2017.
Register for the Australian Competition & Consumer Commission’s ScamWatch Radar service.