Speaker 1: You're listening to Your Practice Made Perfect, support, protection and advice for practicing medical professionals brought to you by SVMIC. J. Baugh: Hello everyone and welcome to this episode of Your Practice Made Perfect my name is J. Baugh, and I'll be your host for this episode. The title of this episode is Using Technology To Secure Your System and to provide us with some information about this very important topic is Brian Johnson. Brian, welcome to the show. Brian Johnson: Hello J. Glad to be here, talking with you today, as you said, I'm Brian Johnson. I'm the Information Security Officer for SVMIC. One of my primary duties is to identify risk and prescribe recommendations to control that risk. I've been doing IT work professionally for 27 plus years. I've been doing security for about 15 years. I like to say I was probably concentrated on security long before most companies realized they needed it. I consider myself a self proclaimed geek. I love talking about technology, especially security with anyone who will listen. So I'm ready to talk security today. J. Baugh: Well, Brian, we're glad that you are taking some time to be with us today to talk about this very important topic. We discussed the importance of cyber security in our episode last month. And the first step in establishing your cyber security program is with a Security Risk Analysis. Now we would like to discuss, utilizing your technology to help you and not hurt you, specifically using technology to secure your systems. Medical practices have and use a large variety of technology and it's a good idea to double check all of that technology to ensure it's keeping you secure and not causing unnecessary threats. So Brian let's get started. Now you don't have to look very far to find a news story about a cyber attack. So what threats should we be concerned about? Brian Johnson: You're certainly right about the news stories. The rate of breaches and compromises are accelerating. Years ago I called these made-for-movie events, but now they happen almost daily. We all know about the Colonial Pipeline and JBS, the meat supplier company that got compromised. If I can't get gas from my car or Costco runs out of bacon, now that's a news story, right? J. Baugh: That's right. Brian Johnson: We've even seen some large hospitals get hit with ransomware throughout 2021. In fact, it's been a hard year for healthcare. Many of these hospitals had to cancel surgeries and turn away patients due to these breaches and compromises. I do think these news stories help bring awareness to the situation, but I don't believe they are true to the threats that most of us, most of the people listening to this podcast, should be concerned about. The reason being these new stories make it sound like these are sophisticated target attacks that are happening to larger organizations. Brian Johnson: The reality is most events aren't going to make them news and they aren't really that sophisticated. A large hospital in California that must turn away patients, is going to make the headline news, but a small two physician practice in rural Tennessee isn't going to make the news. If you look at the numbers, everything is up. The number of ransomware attacks, the dollar amounts of the ransom, the number of data breaches, HIPAA breaches, malware, phishing attacks, it's all going up year after year. The threat is real and I think everyone realizes this now. Five years ago, I was still having to convince organizations they were a target. I believe some of the misconceptions were, I'm not big enough. No one cares about my data, but I think ransomware has highlighted the fact that everybody is now a target. Briefly let's talk about who's behind these targets or behind these attacks. Brian Johnson: You have organized crime cartels. These are groups that are financially motivated. They're the ones behind most of the ransomware. You hear a lot about Russian hackers and that's where a lot of these ransomware groups are operating from. We have government backed espionage coming from foreign states. We have cyber activists, these are radical groups that go after companies online for beliefs and ethical reasons. We have terrorist groups taking their efforts online. And lastly, we don't like to think about it, but we have the risk of an insider in our own organizations, a past or present disgruntled employee who's going to either sabotage or steal our data. J. Baugh: So earlier in your answer, you mentioned that it's been a hard year for healthcare. Why do you think that is? Brian Johnson: Well prior to 2021 and even 2020, the rate at which healthcare was being targeted was behind other top industries, such as finance or manufacturing, oil and gas, these type of organizations. Lately we've seen a dramatic increase for a couple of reasons, first COVID-19. Healthcare has been on the front lines fighting COVID, they're tired, they're weary and cyber crime units, especially the ransomware groups saw them as being susceptible and easy targets. As a result, we saw a deluge of phishing emails, especially using COVID-19 themes thrown at the healthcare industry. Also related to COVID was an upswing in government-backed espionage, these being foreign governments, this impacted a smaller subset of healthcare in particular research institutions, such as anyone helping develop the vaccine or studying the vaccine or other medicines used in response to COVID. Brian Johnson: Now, most of us aren't working in that area, but we do run the risk of a downstream attack or being simply a victim due to association with one of these organizations, such as a research hospital. Lastly, for the cyber crime organizations, it's all about the money. At some point in 2020, they realized that healthcare institutions cannot afford to be down and unable to care for their patients. Therefore, they are very likely to pay the ransom to get operations up and running again. J. Baugh: So what can medical practices do to protect themselves from a cyber attack? Brian Johnson: Well, the good news is, it's not all doom and gloom like maybe the news media wants you to believe. Not all attacks are sophisticated and therefore don't require sophisticated solutions. Over the last couple of years, we've started using the term security hygiene. We're all familiar with the term personal hygiene. And we're probably on the same page as what comes to mind when we think about personal hygiene. These are the basic and fundamental practices of maintaining a healthy lifestyle, likewise, we use the term security hygiene as a term to identify the fundamental security controls to maintain a healthy security posture. I like to refer to these as their fundamental and basic, we like to call them the low hanging fruit, where we're going to get the most bang for our buck if we implement them. J. Baugh: So can you provide us with some specific security controls? Brian Johnson: I certainly can, but first I'd like to talk about the problems we're trying to solve and then prescribe the correct security controls. The first problem is with passwords. Passwords are no longer good enough to protect our systems. Cyber criminals are very good at obtaining that. They do this by stealing even obtaining password dumps off the dark web. For those who don't know, the dark web is an area of the internet where people can run anonymously and not be tracked. And lastly, cyber criminals simply ask for our passwords. Now I know most of us are thinking I would never give anybody my password if they asked, none of my employees would ever do that, but we are tricked into giving our passwords. This is done through phishing emails. You get a phishing email that looks very realistic to a normal procedure that is familiar to you. Brian Johnson: And that email will contain a link that'll take you to a very realistic, but fake login page. You will enter your username and password thinking it's legit, but you have now given your username and password to the cyber criminal. The next problem is with vulnerabilities. Cyber criminals are constantly probing and analyzing software applications, looking for bugs and security holes that they can exploit. An example of this was seen earlier in the year with Microsoft's very popular email solution exchange, it had a security hole in it. Cyber criminals discovered it and they started exploiting Exchange Servers. Brian Johnson: At one point, there were known 30,000 compromised Exchange Servers. And because of these vulnerabilities, our third problem is we now need to continuously patch and update our solutions to plug those security holes as they are discovered. So now let's talk about the solutions. The solutions to the password problem is a security control that we call Multi-Factor Authentication or MFA for short. How this works is in it, addition to our username and password, we add a second security control or a second authentication method. Brian Johnson: This could be biometric, it could be a fingerprint scan, it could be a palm scan. It could even be something that you physically that you have like a USB stick that you put in your computer, but what we're seeing most often and the easiest solution to implement is either a security code sent through a text or an authenticator app on your mobile phone. So let's walk through how this works. Let's say I have a solution where I log in with a username and password. My username and password will be authenticated and then that second stage, that Multi-Factor will kick in. So if I'm using the text method, I will now receive a text on my phone, a six digit security code. I'll be prompted to enter that code, and once authenticated I'm into my system. Similarly, if I'm using an authenticator app, I'll get prompted on my phone and I'll say, do you want to accept or deny this authentication request? Brian Johnson: And I'll usually tap a button that says allow. Now the reason this works is because the cyber criminals, as we said, are very good at getting your password, but they are not going to be able to get that second form of authentication because in order for them to do that, they would need to have access to my phone. And I believe we're all very good at keeping close eyes on our phone. So that's how Multi-Factor helps the password problem. The next problem I mentioned were the vulnerabilities. The vulnerabilities is closely related to the patching and updating. In fact, the patching and updating is a result of all the vulnerability. So what we want to do is we want to ensure that we have a program in place, a process in place to identify our outdated software and implement a method of continuously updating and patching those systems. Brian Johnson: The good news is, and the easy solution is that many of these applications have automatic updating features. The problem is you must go in and turn them on. For instance, Office 365, the popular Office package that most of us are using comprised of Word, Excel, PowerPoint. It will automatically update but you must go in and turn it on. Now for those solutions that don't automatically update. You need a solution to identify them and update them. Unfortunately, this is a manual process. So you need to ensure that you have somebody internally or a third party, like an IT service. Larger organizations will probably have enough staff or have an IT staff that can do this for them. There are solutions that will monitor your networks, scan your networks and identify software packages that are out of date and alert you and then you can take whatever the necessary means is to update the software. Brian Johnson: Likewise, with the vulnerabilities, you want to find the vulnerabilities before the cyber criminals do. So you want to scan your networks, this is going to require a special software that'll scan your networks, it'll identify the vulnerabilities and it'll alert you. Many of these vulnerabilities are going to be already be fixed because of your patching and your updating for the ones that aren't, these are usually configurations. A lot of times, they're just simple mistakes, they're things people overlook, you didn't set up the system, somebody else did. And for instance, they didn't change the default administrator password. A lot of your equipment in your practice comes with a default administrator, user name and password. This is very well known. There's password lists on the internet. So you want to be sure that you're changing those passwords. A vulnerability scanner should identify that alert you and allow you to go in and make the necessary change. Brian Johnson: So in review, the three things we want to do is we want to implement MFA Multi-Factor Authentication. We want to scan our networks, we want to find the vulnerabilities before the cybercriminals do. And then we want to implement updating and patching solutions. And lastly, I ask everybody to look at your antivirus software. We've been running antivirus software for a long time, everybody's got it. The problem is it has evolved over the years and if you're running the same antivirus, you ran five years ago, you definitely want to take a look at it and get on a newer version. The other mistake people make is antivirus, it's a subscription-based service. So you need to continuously be paying for that subscription, or you're not getting the latest updates. J. Baugh: So Brian, let's talk for a moment about something that we hear in the news quite a bit, and that's ransomware. So how does a medical practice defend against the threat of ransomware? Brian Johnson: Well, so the previous security controls will go a long way in protecting you against ransomware. Your fundamental problem is they have access to your network. They are in your network. And when you get ransomware, that is a particular payload they decided to deploy on your system. Realistically, they could have done anything. And in a lot of cases, they are, they're stealing your data, they're exporting that out before they ever deploy the ransomware and lock you out of your data. So by deploying the MFA, you are keeping them out of your networks, by plugging the vulnerabilities and updating your systems. You are blocking and you're locking down your systems to the most popular methods of these cyber criminals getting in to your systems. And lastly, we talked about the antivirus, newer anti viruses are much better at discovering ransomware. They're not foolproof, but they will notice a sudden change of a lot of files being altered all at once, which is a good sign of ransomware and they will stop that attack. J. Baugh: So Brian you've mentioned the word phishing several times today. Why is phishing so successful and what can our listeners do about it? Brian Johnson: So phishing is an interesting challenge. It is definitely everywhere. It is the most popular method used by cyber criminals because it works. We mentioned the password problem and cyber criminals, simply asking for your password. They do this through the phishing email and the reason they're so successful with phishing is because it's not just a technical problem. I like to call it a psychological problem. And we actually call this a social engineering attack because we all use email. We're all familiar with it. We all get legitimate emails with attachments and links and what the cyber criminals do is they take phishing and they impersonate. They impersonate somebody you know, trust, they impersonate brands. And even sometimes a process that you do often through email. So as far as combating phishing, context of an email is very important. There are certain red flags you can look for. Brian Johnson: There's a company called KnowBe4, they put out a free resource, it's a one page document of all the red flags you should look for in an email. It's everything from the two address, the from address, hyperlinks, context is everything, even looking for misspellings. The second thing we can do to combat phishing email is, have a way for your employees to report suspicious emails, again KnowBe4, the company already, they have a free phish alert button that you can put in your email packet. Anyone who thinks an email is suspicious or malicious can hit that button and it will be reported. Now, the important thing is that you send that report to somebody who can review and act on it. If you're a smaller company, it may be somebody in your practice. That's very technical than the typical employee. Brian Johnson: You may want to outsource that to your IT service provider. Larger organizations probably have somebody internally that you can send that to. The third thing you can do with phishing is you definitely want to train your employees, we've already touched on that. Let them know about the red flags, let them know about the phish alert button and lastly, you want to use a testing solution. Again, I'm going to talk about KnowBe4 they do this very well. The reason I like to mention them is because they have a free demo and we'll put a lean to that in the show notes. Brian Johnson: So you can go, you can sign up for a free test. They will devise a Phish email, they will send it to your organization. They will collect the results and they will report back to you. Who opened the email, who clicked the email. Did any anybody enter credentials? And so a phishing program, a testing program like this should not be used to catch your employees doing bad, right? The purpose of a phishing solution is to create a safe environment, to train and educate your employees so they can learn about phishing. And it also helps you identify your risk. If you do a phishing test and you fail miserably, then you have a lot of work to do when it comes to the training of that. J. Baugh: So when it comes to the issue of phishing, would your advice be the same for a small practice as compared to maybe a larger practice? Brian Johnson: So regardless of the size of your practice, the threats are the same and the protections are the same. What's different is the scale of the attack, the scale of your capabilities. So a smaller practice is not going to have internal staff to help combat and deploy the security control. So a smaller practice is going to have to rely on an IT provider. They need a trusted partner that they can help evaluate their systems, evaluate their security posture and help them implement these solutions. A mid-sized practice may have some internal staff that can implement some of this, but may still need to call upon an outside IT vendor to help. And of course, I believe larger practices are probably going to be able to handle this internally, get the training and have the ability to implement these controls. J. Baugh: So Brian, as we get ready to wrap up this episode, do you have any final advice for our listeners? Brian Johnson: Yeah, I certainly do, in review, attacks are not as sophisticated as maybe we're led to believe. These security controls that I mention, they can easily be implemented and they will go a long way. The cyber criminals are in it for the money. They want quick money. So if you can put in a stumbling block, it may be enough for them to say, "You know what? I'm just going to go to the next organization. That's a little more easy prey and I'm going to try to compromise them. We have been talking about security through our webinars, our podcasts, such as this we've been releasing a series of security articles in our newsletter, the Sentinel, I recommend everybody go back and then review those. Those are all available online at svmic.com. A lot of these materials are behind the vantage login site. If you log into vantage and you go to resources, there's a whole library of security resources where you can find our articles and our tips for implementing these security controls in your practice. J. Baugh: So as we bring this episode to a close, I would like to remind our listeners that we will include links in the show notes for the resources that Brian has mentioned in today's episode. So be sure to check out our show notes, if you would like additional information and Brian, I want to thank you again for discussing with us today, this very important topic. Brian Johnson: All right. Thank you, J. Glad to be here. Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect. Listen to more episodes, subscribe to the podcast and find show notes at svmic.com/podcast. The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policy holders are urged to consult with their personal attorney for legal advice. As specific legal requirements may vary from state to state and change over time. All names in the case have been changed to protect privacy.