Three Network Security Steps for Healthcare Administrators
Cyberpirates are constantly trying to hack health care administrators' email and one simple slip could put your facility on lockdown and put patients at risk, costing you tens of thousands of dollars in recovery, lost revenue and community reputation.
Most cybersecurity plans are overly complicated and never get implemented.
Here is an easy 10 Step guide to keep your healthcare facility protected and ready to recover.
A simple email or file download can suddenly become a threat to your organization.
Here is a simple 3-step cybersecurity guide every healthcare administrator must follow to Defend, Recover and Prevent a cyber attack, protecting lives and reputation and sparing you financial uncertainty.
Note: some of these items might seem technical, but they can't be ignored. Please consult your IT administrator (admin) to discuss the action items below.
The following information should become your minimum security technology stack. These tools and applications are readily available and can be implemented rather quickly.
There will be costs involved, both a monthly subscription and a setup/install fee if you use an outsourced IT admin.
Before we get started: please note the below links are NOT affiliate links and we receive no commission or backend payment for these recommendations.
Step 1 is to DEFEND:
- Require a Unique Microsoft Office 365 Password (or Google Gmail)
- Not used for any other website
- 25 characters including one capital letter, a number and a special character
- Creating a 'passphrase' will make this exercise easier and we've created a template for you to use: www.smadatek.com/have2
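The password rule above (25 characters, one capital letter, a number and a special character) is easy to check and to satisfy mechanically. The following is an added example, not code from the original post or from the template linked above: it validates a password against that rule and generates a passphrase that meets it. SAMPLE_WORDS is a tiny constructed word list used only so the script runs stand-alone; a real generator must draw from a large list (thousands of words) or the passphrases are guessable.

```python
"""Passphrase policy check and generator.

Added example, not code from the original post. It enforces the post's rule
(25+ characters with at least one capital letter, one digit and one special
character) and generates a passphrase that meets it. SAMPLE_WORDS is a tiny
constructed list for illustration; a real tool must use a large word list
(thousands of words) or the passphrases are guessable.
"""
import secrets
import string

MIN_LENGTH = 25
SPECIALS = set(string.punctuation)

# Constructed sample word list (illustration only, far too small for real use).
SAMPLE_WORDS = [
    "harbor", "lantern", "orchard", "velvet", "granite", "meadow",
    "copper", "thistle", "saffron", "beacon", "timber", "glacier",
]


def check_policy(password: str) -> list:
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_passphrase(words=SAMPLE_WORDS, word_count=4, separator="-") -> str:
    """Build a passphrase such as 'Harbor-lantern-orchard-velvet-07!'.

    Uses the secrets module (cryptographically secure), never random.
    The capitalised first word, two-digit number and trailing symbol satisfy
    the character-class rules; words are added until the length rule holds.
    """
    while True:
        chosen = [secrets.choice(words) for _ in range(word_count)]
        chosen[0] = chosen[0].capitalize()
        number = f"{secrets.randbelow(100):02d}"
        symbol = secrets.choice("!@#$%&*?")
        candidate = separator.join(chosen + [number]) + symbol
        if not check_policy(candidate):
            return candidate
        word_count += 1  # too short with these words, so add one and retry


if __name__ == "__main__":
    sample = generate_passphrase()
    print(sample, "->", check_policy(sample) or "meets policy")
    print("P@ssw0rd", "->", check_policy("P@ssw0rd"))
```

Note that the check only covers the rule stated above; "not used for any other website" cannot be verified locally, which is one reason the password manager recommended later in this guide matters.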
Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) on all Office 365 email accounts.
This is free and available through the Office 365 account. See the official write up here:
Filter all your email through professional SPAM software
- The 'free' spam filter included with Office 365 is not adequate to catch the unwanted spam, viruses and malicious content (attachments, web links) that native Office 365 security misses.
- Here is the doc:
Add a Conditional Access Office 365 license
Conditional Access adds an additional layer of security that keeps the Office 365 admin console and admin accounts from being compromised. You can read the article here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Electronic Medical Records (EMR)
Deploy IP Authentication on EMR systems
- Lock down EMR access to the facility's WAN IP
- This will keep people outside the office from reaching the EMR system, probing it for weaknesses or logging in to it
- Administrators needing access outside the office will require a VPN
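Where the EMR vendor does not offer IP authentication itself, the same rule can be enforced in front of the login. The following is an added example, not code from the original post or from any EMR product: it allows only the facility's WAN IP and the VPN client pool that remote administrators use, denies everything else, and shows why a forwarded-address header must not be trusted unless the request really came through your own reverse proxy. All addresses are constructed samples from the RFC 5737 documentation ranges.

```python
"""Source-IP allowlist for EMR access.

Added example; not code from the original post or from any EMR vendor. It
models the post's rule: only the facility's WAN IP, plus the VPN client pool
administrators use from outside the office, may reach the EMR login. All
addresses are constructed samples from the RFC 5737 documentation ranges.
"""
import ipaddress
from typing import Optional

# Constructed sample values: the facility's static WAN address and the
# address pool the firewall hands out to VPN clients.
FACILITY_WAN_IP = "203.0.113.10"
VPN_CLIENT_POOL = "198.51.100.0/24"

ALLOWLIST = [ipaddress.ip_network(e, strict=False)
             for e in (FACILITY_WAN_IP, VPN_CLIENT_POOL)]


def is_allowed(client_ip: str, allowlist=ALLOWLIST) -> bool:
    """True when client_ip lies in an allowed range. Anything unparsable is denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def source_ip(remote_addr: str, forwarded_for: Optional[str], trust_proxy: bool) -> str:
    """Choose which address to check.

    X-Forwarded-For is set by the client and is trivially forged, so it is only
    honoured when the EMR sits behind a reverse proxy we control; otherwise the
    TCP peer address is authoritative.
    """
    if trust_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def evaluate_request(remote_addr: str, forwarded_for: Optional[str] = None,
                     trust_proxy: bool = False) -> str:
    """Return 'allow' or 'deny' for one login attempt."""
    return "allow" if is_allowed(source_ip(remote_addr, forwarded_for, trust_proxy)) else "deny"


if __name__ == "__main__":
    # Constructed sample attempts: office, VPN user, stranger, stranger with a
    # forged X-Forwarded-For header (ignored because no proxy is trusted).
    attempts = [
        ("203.0.113.10", None, False),
        ("198.51.100.77", None, False),
        ("192.0.2.5", None, False),
        ("192.0.2.5", "203.0.113.10", False),
    ]
    for remote, xff, trusted in attempts:
        print(f"{remote:<15} xff={xff!s:<14} -> {evaluate_request(remote, xff, trusted)}")
```

The allowlist only works if the facility's WAN IP is static; if your internet provider hands out a changing address, ask your IT admin for a static one before relying on this control.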
Verify 2FA is available and enabled
Refrain from ALL public WiFi networks (hotel, coffee shop, airport)
- Public WiFi networks are not secure.
- A VPN must be used. Preferably not a paid consumer VPN service like NordVPN or F-Secure, because they may or may not be gathering your information to sell; still, these programs are better than using NO VPN. Ideally your IT admin sets up a VPN on your professional firewall (see below).
- A mobile hotspot is also an option (see below)
Remote access into the facility, whether to check email, EMR, billing or any customer-facing information, must ONLY be done via a VPN.
- Do NOT use naked RDP (Remote Desktop exposed directly to the internet)
- Be cautious of home WiFi (kids', friends' and other unsecured devices are dangerous)
- If no VPN is available, utilize your mobile phone hotspot instead. Read this article for guidance: https://www.thejakartapost.com/life/2019/10/29/how-to-secure-your-phones-portable-wi-fi-hotspot.html
Maintain a professional Firewall in addition to a modem/router
- 25 character password (see email password requirement)
- No port forwarding
- Block port scanning
- Remote access by IP only for IT admin (whitelist)
- VPN with IKEv2 capability preferred (SSL is slow and L2TP is an older generation)
- Any protocol will work, but we prefer IKEv2
- Here is the firewall we use: https://www.watchguard.com/wgrd-products/mobilevpn
Restrict administrative access on local computers and laptops. This prevents:
- Users downloading malicious software
- Users disabling antivirus/antimalware
- Users circumventing encryption or firewalls
- Users wiping their hard drives
- Disruption of critical security updates for programs and the operating system
It also helps defend against hackers looking to gain administrative rights so they can exploit a network.
This is critical in making sure that computers remain in compliance for any insurance policy, government contracts or other contractual obligations that could, if
Encrypt all Hard drives on laptops
- BitLocker is native to the Windows operating system
- Store the BitLocker recovery key in the Office 365 account
- See article here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
Create a Guest WiFi network
We run into a mix of problems with WiFi networks in small businesses. First, most 'guest' WiFi networks are not password protected. This becomes really dangerous when the guest network has not been properly configured and still lets guest users reach the 'main' network. These two networks must be logically separated by a VLAN.
Here are some other
- No personal devices allowed on main network.
- If you have short term or longer term residents, you can add a 3rd WiFi network.
- Ubiquiti WiFi access points are what we recommend. See product here: https://store.ui.com/products/unifi-6-long-range-access-point
- Isolate the different WiFi networks with VLANs so users on one network can't reach devices on another.
Utilize a password manager
You need a unique and strong password for every site and especially those business critical applications: accounting, pharmaceutical, HR and payroll.
We need to stop assuming employees can create and manage a strong password for each website or application login. Give them a tool to help facilitate the change in behavior needed.
Here are a few:
BONUS: Setup 2FA on all 3rd party applications.
The new minimum security requirement is 2FA (aka MFA; see above).
BONUS: Remove all FREE antivirus or other desktop/laptop protection software and install professional programs such as:
Step 2 is to RECOVER:
The largest financial damage to a business after a cyber-attack comes from downtime from service interruption and/or data loss.
We DO NOT recommend cloud backups because they are difficult and cumbersome to recover from.
A 500 GB file stored in the cloud with a 100 Mbit/s internet connection would need around 12 hours to restore. How much would 12 hours of downtime cost your business? What would the damage be to your business reputation?
The best recovery time comes from a local onsite backup. Cloud backups should only be utilized for a disaster situation such as flooding, fire or a natural disaster. Cloud backups should not be used as a 'recovery point' to bring your systems back online quickly.
Fast local recovery is possible with the right hardware and software combination, and it is very effective against a ransomware attack.
However, this hardware and software solution needs to be configured correctly to make sure a ransomware attack doesn't encrypt the local backup as well.
If done correctly, this can speed up your recovery by up to 10x. This is critical when it comes to billable time to recover the data and lost revenue during downtime, and both of those drive the perceived damage to your reputation in your community.
If you get hacked, the last thing you want is to be stalled in the recovery phase. This is the most expensive phase that causes the most damage.
In the case of ransomware, the only recovery is a wipe and reinstall. The ONLY difference between a fast recovery and a damaging one is whether the reinstall comes from a backup.
Servers, mission critical desktops and cloud services need to be backed up.
Here is a great article on the Kaseya ransomware attack and the recovery pathway to restore servers and desktops. https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/
Hardware & Software
Here is the hardware and software solution document we use: https://www.synology.com/en-us/dsm/solution/ransomware
Make sure to back up any server(s) or desktops that have critical applications:
- File Shares
Here are the hard drives we use: https://www.seagate.com/products/nas-drives/ironwolf-hard-drive/
Here are the Cloud Apps you need to consider for back up:
- Office 365 Backup
- Sharepoint Backup
- OneDrive Backup
- EMR Backup
- Accounting Backup
Please note this is not an exhaustive list. But, our goal is to put a stop to the theft and disruption taking place in our organizations.
You can't forget a good cyber insurance policy covering data breaches, electronic theft and vandalism, and denial of service attacks. We use CHUBB and you can learn more about them here: https://www.chubb.com/us-en/business-insurance/privacy-network-security.html
Please consult your insurance agent for more options.
Step 3 is to Educate & Prevent:
The best defense against all cyber attacks is education. Here are a couple of tools inside the Office 365 ecosystem you can utilize.
The Microsoft Security & Compliance Center will allow you to simulate phishing attacks. It has a very good selection of templates you can start with. This tool also provides:
- Great reporting on who clicked the link and whether the user gave up their credentials.
- Any user who gives up their credentials is redirected to a website with a warm, user-friendly education video on what phishing scams are and what to look for.
See here for more info:
In order to utilize this tool, you will need to upgrade 'one' license to Office 365 E5.
There are other standalone web-based phishing simulators; here is a good blog post that discusses some other options with pros and cons.
Human Resource Policies:
Make sure you have a current Internet Usage Policy. And, we recommend putting a password policy in place that works in conjunction with the Internet Usage Policy.
Both of these documents will be critical in defending against litigation. They are also important for HIPAA.
Monitor your Domain & Email:
Continuously check to see if your personal details or credentials have been leaked. Being proactive here is much like having a credit monitoring service for identity theft; think of it as monitoring for your business domain and email. Utilize this website to see if you've been 'pwned': https://haveibeenpwned.com/
Have you ever had email delivery problems? The mxtoolbox website https://mxtoolbox.com/ will check the health of your email. It has a plethora of tests and diagnostic tools that look for potential problems before they become actual threats.
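Two of the checks such tools run are whether your domain publishes an SPF record that actually restricts who may send as you, and whether your DMARC policy tells receivers to reject forgeries rather than merely report them. The following is an added example, not code from the original post and not how mxtoolbox works internally; it evaluates SPF and DMARC records for those common weaknesses. The TXT records are constructed samples for fictitious .test domains so the script runs offline; a live version would resolve the TXT records of the domain and of _dmarc.<domain> instead of reading SAMPLE_TXT.

```python
"""Check a domain's SPF and DMARC records for common weaknesses.

Added example, not code from the original post and not how mxtoolbox works
internally; it shows the kind of email-health check such tools run. The TXT
records below are constructed samples for fictitious .test domains so the
script runs offline. A live version would resolve the TXT records of
<domain> and _dmarc.<domain> instead of reading SAMPLE_TXT.
"""
import re

# Constructed sample DNS TXT data: one healthy domain, one weak, one with nothing.
SAMPLE_TXT = {
    "clinic-example.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.clinic-example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-example.test; pct=100"
    ],
    "weak-example.test": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak-example.test": ["v=DMARC1; p=none"],
    "none-example.test": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most ten in total.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|$)|mx(:|$)|ptr|exists:|redirect=)", re.I)


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns [] when no record exists."""
    return zone.get(name, [])


def check_spf(records):
    """Return a list of findings for the SPF record(s); empty means healthy."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell forged mail from yours"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record: receivers treat this as a permanent error")
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender on the internet")
    elif last == "?all":
        findings.append("'?all' is neutral, so forged mail is not rejected")
    elif last not in ("-all", "~all"):
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(records):
    """Return a list of findings for the DMARC record; empty means healthy."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no instruction for receivers"]
    findings = []
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy 'p={policy}'")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports of who is spoofing your domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return findings


def assess_domain(domain, zone=SAMPLE_TXT):
    """Run both checks for a domain and return them keyed by record type."""
    return {
        "spf": check_spf(lookup_txt(domain, zone)),
        "dmarc": check_dmarc(lookup_txt("_dmarc." + domain, zone)),
    }


if __name__ == "__main__":
    for name in ("clinic-example.test", "weak-example.test", "none-example.test"):
        result = assess_domain(name)
        print(name)
        for kind, findings in result.items():
            print(f"  {kind}: " + ("; ".join(findings) if findings else "ok"))
```

A domain that has never published these records, or that still sits at p=none years after "monitoring", is exactly what the spoofed invoices and fake password-reset emails described in Step 3 rely on; moving to p=reject once the rua reports show only legitimate senders closes that door.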
These 3 action steps will provide a strong defense, a recovery plan and a solid cybersecurity education to help protect your business, your employees, your family and ultimately your money.
“We keep your computers and Internet running fast and secure so administrators and nurses can help patients recover faster and get back to their loved ones.”