April 2018


Webinar reporter
Protecting your practice from cybersecurity threats

by Liz Hillman EyeWorld Staff Writer

Ways to enhance your IT security

A webinar hosted by the ASCRS•ASOA Health Information Technology (HIT) Committee presented attendees with practical steps they can take to improve their data security.
“If anyone thinks they are smarter than a con artist, they are mistaken,” said Charles Killmer, security officer, Netgain Technology, St. Cloud, Minnesota. “Hackers are the modern-day con artist. If you think you wouldn’t fall for a hacker’s attack … you’re the one I’m worried about most.”
Today’s hackers, Mr. Killmer said, spend an inordinate amount of time making convincing phishing emails and other traps to find inroads to your information. But why would a hacker want your personal information or the data held by a healthcare practice anyway? Mr. Killmer said the reasons run the gamut: getting private information to resell; installing ransomware, encrypting your files, and forcing you to pay; or using your computer for other illegal activity.
Hundreds of thousands of new pieces of malware are released every day. While antivirus software maintains a list of known malware, it needs to update every day just to stay current with the amount of malware out there, Mr. Killmer said.
The more recent advent of ransomware was a paradigm shift for hackers, giving them a “better return on investment.” Instead of having to sell stolen information or try to use it nefariously without detection, ransomware allows hackers to get money directly from you—if you want your files decrypted.
Hackers have “many ways to get in. We need to be focused on keeping them out of all those ways,” Mr. Killmer said, providing several suggestions to improve data security. These included having a designated specialist with a security credential reporting directly to the administrator; using a password manager; backing up data for recovery in the event of a ransomware attack; performing a risk management assessment in which you think about what you need to protect and where it lives, what could affect that data, what could happen if it were compromised, and implementing methods to protect that data; monitoring for compliance; and documenting all of these actions.
As for specific technical advice, Mr. Killmer went on to provide a few points on this front as well.
Be suspicious of all messages. Even if emails come from friends or colleagues, you don’t know if their account has been compromised. If something they’re asking you to do might have a negative impact on the business or your personal information, give them a phone call to confirm.
Install updates. These updates can close security holes or bring new features, but they can also come with bugs. In these latter cases, Mr. Killmer said that the practice has to decide if the downside of the patch is larger than the upside.
Whitelisting. Mr. Killmer described this as the opposite of antivirus software. As opposed to blocking known malicious applications and websites, whitelisting only allows applications known to be good. If implemented, when you want a new application or website that is legitimate, the whitelist needs to be updated. “It is far easier to implement a whitelist than to trust a blacklist to be comprehensive,” Mr. Killmer said, advising later to also install antivirus software. If a business wanted to allow its employees to access websites—news sites or Facebook, for example—without compromising the network, Mr. Killmer suggested that a few computers be set up in a breakroom with controls so these computers can’t communicate with the rest of the office, isolating them should a compromise occur.
Use iPhone or Google Pixel platforms only. Mr. Killmer provided evidence showing that non-Google Pixel Android operating systems do not have as effective methods to deliver security patches to users.
Use an ad blocker. Malicious advertisements on a known, good website can still compromise your security.
Several questions from the audience led to pertinent discussion. One attendee asked for the top priorities to keep a practice safe with little time to dedicate to IT security. Mr. Killmer said to establish a sender policy framework that can identify some phishing emails (if you have a spam filter this should be included already). You should also educate and train employees about how a phishing attack works and to confirm the legitimacy of requests that might be coming from a friend or colleague. Mr. Killmer recommended a third-party penetration test/risk assessment, but noted they can get expensive.
Another attendee asked about onboarding an in-house IT professional. Mr. Killmer said that it is a good idea to have someone focused on IT. “It’s a better idea to have them dedicated, but cost needs to be evaluated,” he said, acknowledging that small organizations can get away with one person wearing many hats. Once an organization reaches 100 employees, he recommended having someone who devotes 80–90% of their time to IT security.
In response to a question on cybersecurity insurance, Mr. Killmer said organizations without an individual focused on IT security are more likely to be compromised and might consider insurance. In comparison, an organization that is very locked down wouldn’t necessarily need insurance.
On the whole, will things get better? Mr. Killmer asked. “Yes, but this is a cat and mouse game that has been going on since the dawn of time. For as long as people have had things that people want to take, people have been conning other people.
“Right now, the hackers are winning; they’ve got far more out there malicious than what we can do to defend, and that’s largely taking advantage of our trust in the overall good of the internet. We need to start reclaiming some of that and reevaluating some of the trust and not allowing access to everything on the internet. … Security is a business responsibility … as such, business leaders are being held accountable for failures on security,” he said.

Editors’ note: Mr. Killmer is an employee of Netgain Technology, an IT management company focused on the healthcare and financial industry.

Contact information

Killmer: Charles.Killmer@netgaincloud.com
