Medical Center Cyber Security

Medical centres are a high-value target for cybercrime, and the impact of a cyber-attack on a medical centre can be catastrophic. In 2020, during the COVID-19 pandemic, the health sector reported more cyber-attacks than any sector other than government and individuals.

While large, high-profile attacks happen to big hospitals and health systems, solo and smaller practices often have a false sense of security that they are too small to be targeted. Unfortunately, smaller practices are often the most vulnerable: they hold the same sensitive patient data, but rarely have dedicated IT security expertise.

Australian health providers now rely heavily on telehealth and other internet-enabled services, which makes them an ideal target for financially motivated cybercriminals. These attacks generally involve phishing campaigns, business email compromise and ransomware, a form of malware that encrypts files and data, rendering systems unusable until a ransom is paid.

The Australian Cyber Security Centre (ACSC) recommends the Essential Eight as the baseline for mitigating the risk of cyber-attacks, and it applies just as well to medical centres.

What is the Essential Eight, and how does it apply to your medical centre?

The Essential Eight is a set of eight mitigation strategies recommended by the Australian Cyber Security Centre to help organisations protect themselves against cyber-attacks. It is designed for Microsoft Windows-based networks and systems, but its principles can be applied to other platforms and devices. Each strategy significantly reduces a particular class of cyber threat. This makes it the ideal starting point for a medical practice, as it outlines concrete steps you can apply to your organisation's existing systems to improve their security and stability.

When implementing the Essential Eight, the first step is to determine the maturity level you're aiming for. There are four levels, Level Zero through to Level Three. Maturity Level Zero signifies that an organisation has weaknesses in its overall cyber security posture. Levels One through Three require security measures of increasing strength and complexity, and a level is only achieved once every one of the eight strategies has been implemented to that level.

How to incorporate the Essential Eight into your medical practice

If your medical practice does not already employ the Essential Eight, we recommend starting with Level One. Below are the key components of this framework.


Apply application control

Application control prevents unauthorised applications from being installed or run on a practice computer. It is an allow-list approach: only software the practice has explicitly approved can execute, and everything else, including malware and unvetted downloads, is blocked by default. In a medical centre, this would mean allowing only your practice management software, such as Best Practice or Medical Director, its related tools, the operating system and your standard business applications to run.

A practical way to implement application control on Windows is Windows Defender Application Control (WDAC), which is built into Windows 10 and 11 and can be deployed and managed through Microsoft Intune. Intune is part of Microsoft 365 Business Premium, which is itself a component of all GCIT managed service plans. Roll out any policy in audit mode first, so that anything the allow list misses is logged rather than blocked.
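The audit-first rollout described above, as an added example (this is not GCIT's or Microsoft's own script). It builds a WDAC policy from a reference workstation, merges it with Microsoft's Windows base template, keeps it in audit mode, and then reports what the Code Integrity log says would have been blocked. It assumes the built-in ConfigCI cmdlets, that the working folder and policy name are placeholders, and that the template path is the one shipped with Windows.

```powershell
# Added example, not GCIT's or Microsoft's own script. Builds a WDAC policy for a
# practice workstation from a reference machine and keeps it in audit mode until
# the Code Integrity log shows nothing legitimate would be blocked.
# Assumptions: ConfigCI module (built into Windows 10/11); working folder and
# policy name are placeholders; the template path is the one shipped with Windows.

$WorkDir   = 'C:\WDAC'
$PolicyXml = Join-Path $WorkDir 'PracticeWorkstation.xml'
$PolicyBin = Join-Path $WorkDir 'PracticeWorkstation.bin'
$Template  = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan the folders where practice software lives. -Level Publisher trusts
#    anything signed by the same publisher (so vendor updates keep running);
#    -Fallback Hash pins unsigned files by hash; -UserPEs includes user-mode
#    executables rather than drivers only.
$scans = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    $out = Join-Path $WorkDir (($dir -replace '[^A-Za-z0-9]', '') + '.xml')
    New-CIPolicy -FilePath $out -ScanPath $dir -Level Publisher -Fallback Hash -UserPEs
    $out
}

# 2. Merge with Microsoft's Windows base template so the OS itself is allowed,
#    then force audit mode (rule option 3) regardless of what the inputs carried.
Merge-CIPolicy -PolicyPaths (@($Template) + $scans) -OutputFilePath $PolicyXml | Out-Null
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Practice workstation allow list'

# 3. Convert to the binary form Windows loads (deploy through Intune, or copy
#    to %windir%\System32\CodeIntegrity\SIPolicy.p7b on the test machine and reboot).
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# 4. After a week in audit mode, list what would have been blocked.
#    Event 3076 = audit-mode block, 3077 = enforced block. The file path is read
#    from the event's second data field (FileNameBuffer); assumption: that layout
#    matches the 3076 event template on the Windows build in use.
function Get-WdacAuditFindings {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { $_.Properties[1].Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-WdacAuditFindings -Days 7 | Format-Table -AutoSize

# 5. Only when every file listed is either expected to be blocked or has been
#    added to the policy, remove audit mode and redeploy:
#    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

The Publisher level is the practical trade-off for clinical software: it survives vendor updates without a policy change, whereas hash rules break on every patch. Anything the scan missed shows up in the 3076 report, which is exactly the list you walk through with the practice manager before switching to enforcement.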


Patch applications

Patch management ensures all systems are up to date with available security patches in a timely manner. Patches are necessary to close vulnerabilities or bugs in your software. In a Medical Practice, this would involve updating programs such as Best Practice & Medical Director with the latest updates.

Practice management software such as Best Practice and Medical Director will notify you when updates are available. However, it is the responsibility of the practice manager or IT service provider to ensure these are applied promptly. For Maturity Level One, patches for security vulnerabilities should be applied within two weeks of release, or within 48 hours if an exploit exists.


Configure Microsoft Office macro settings

Microsoft Office applications can create and execute macros to automate routine tasks. A macro is a sequence of automated actions that can replace mouse clicks and keystrokes to complete complex tasks. While these can be helpful tools, macros can also contain malicious code used by attackers to run harmful code or download malware.
We can manage the risks of Office macros in two layers: the Office Trust Center policies, which block macros in files downloaded from the internet and allow only digitally signed macros for the users who genuinely need them, and Attack Surface Reduction (ASR) rules in Microsoft Defender for Business, another Microsoft 365 Business Premium component. The ASR rules stop a macro that does run from launching child processes, writing executable files or injecting into other processes, so a document that slips past the first layer still cannot deliver malware.
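Both layers as an added example (not the page's or Microsoft's own script): the Trust Center registry policies for Word, Excel and PowerPoint, and the four macro-related ASR rules applied in audit mode first. It assumes Office 2016/2019/365 (registry version 16.0), that policy values are set per user under HKCU\Software\Policies (in a domain these would normally be delivered by Group Policy or an Intune profile), and that the ASR rule GUIDs are Microsoft's published identifiers for those rules.

```powershell
# Added example, not GCIT's or Microsoft's own script.
# Assumptions: Office 16.0 registry layout; per-user policy keys; ASR rule GUIDs
# are Microsoft's published IDs for the named rules.

function Set-OfficeMacroPolicy {
    param(
        # $true  -> VBAWarnings 3: only digitally signed macros run (users with a business need)
        # $false -> VBAWarnings 4: all macros disabled without notification (everyone else)
        [bool]$AllowSignedMacros = $false
    )
    $vbaWarnings = if ($AllowSignedMacros) { 3 } else { 4 }
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $vbaWarnings -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (downloaded or emailed),
        # whatever the VBAWarnings setting says.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# ASR rules that break the usual macro-to-malware chain.
$AsrRules = @{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                           = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

function Enable-MacroAsrRules {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Action = 'AuditMode')
    foreach ($rule in $AsrRules.GetEnumerator()) {
        # AuditMode logs what would be blocked without blocking it; move to Enabled
        # once the log shows no legitimate practice software tripping the rule.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value -AttackSurfaceReductionRules_Actions $Action
    }
}

# Review: event 1122 = ASR audit hit, 1121 = ASR block, in the Defender log.
function Get-AsrHits {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-OfficeMacroPolicy -AllowSignedMacros $false
Enable-MacroAsrRules -Action AuditMode
Get-AsrHits | Format-Table -AutoSize -Wrap
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

A week of 1122 events is usually enough to find the one template or add-in that relies on a macro spawning a process; fix or sign that, then re-run with `-Action Enabled`.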


User application hardening

Application hardening involves reducing the attack surface of the applications your practice uses. In the context of the Essential Eight's Maturity Level One, user application hardening refers to security settings in the web browser. Specifically:

  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 does not process content from the internet.
  • Web browser security settings cannot be changed by users.

These settings can be implemented using Security Baselines in Microsoft Intune, another inclusion in Microsoft 365 Business Premium.


Patch operating systems

A patch is a security update that fixes vulnerabilities. As with application patching, timely operating system patching ensures your operating system has all current security updates installed.
Patching needs to be monitored continuously to ensure systems stay up to date. Security updates can be deployed per workstation using Windows Update settings, but your IT provider can also manage them centrally with a Remote Monitoring & Management (RMM) tool. Like many IT service providers, GCIT manages operating system patching through our RMM tool.
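The patch-window check for both the application and operating system sections above, as an added example (not GCIT's RMM or any vendor tool). It lists pending Windows updates with their severity and age and flags any outside the window the text describes, then dumps installed third-party application versions for the same review. It assumes the Windows Update Agent COM API (present on all supported Windows versions), and it approximates "an exploit exists" by MsrcSeverity Critical, because update metadata does not carry exploitation status; cross-check against the ACSC or vendor advisory before treating the 48-hour clock as satisfied.

```powershell
# Added example, not GCIT's or Microsoft's own tooling.
# Assumptions: Windows Update Agent COM API; "exploit exists" approximated by
# MsrcSeverity 'Critical' (metadata has no exploitation flag).

function Get-PatchCompliance {
    [CmdletBinding()]
    param(
        [int]$ExploitWindowHours = 48,
        [int]$StandardWindowDays = 14
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Updates not yet installed and not hidden by an administrator.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now = Get-Date
    foreach ($u in $result.Updates) {
        $released = $u.LastDeploymentChangeTime     # when Microsoft last published/revised it
        $age      = $now - $released
        $limit    = if ($u.MsrcSeverity -eq 'Critical') {
                        New-TimeSpan -Hours $ExploitWindowHours
                    } else {
                        New-TimeSpan -Days $StandardWindowDays
                    }
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            AgeDays  = [math]::Round($age.TotalDays, 1)
            Overdue  = $age -gt $limit
        }
    }
}

$pending = @(Get-PatchCompliance)
$pending | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize
$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "Updates outside the patch window: $($overdue.Count)"
}

# Third-party applications (Best Practice, Medical Director, browsers, PDF
# readers) are not in Windows Update. Record their installed versions so the
# same two-week / 48-hour comparison can be made against the vendor's release notes.
function Get-InstalledApplications {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Sort-Object DisplayName -Unique
}
Get-InstalledApplications | Format-Table -AutoSize
```

Run it from the RMM on every workstation and alert on `Overdue`; the output is also the evidence an Essential Eight assessor will ask for.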


Restrict administrative privileges

Administrative privileges allow a user to create, delete and modify files, settings, programs and other user accounts. A user with administrative privileges can significantly change an IT environment's configuration and security posture, and can reach sensitive information that ordinary users cannot. Without restrictions on user accounts, malware and malicious code can cause far more damage, because anything that runs under an administrator's account inherits those rights.

Restricting admin privileges also creates a more stable and predictable workspace, as fewer users can make significant changes to the environment. Staff who do need administrative rights should use a separate administrative account for those tasks and a standard account for email and browsing. Your IT provider should regularly audit your environment's permissions through consistent access reviews. They should also take a principle-of-least-privilege approach with just-in-time access, ensuring users have only the privileges needed to perform administrative tasks, and only for the time they need them.
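An access review as an added example (not GCIT's own process): it compares the local Administrators group on a workstation against an approved list, reports anything unexpected, and lists who holds Global Administrator in Azure AD. The approved list and group names are placeholders; the local part assumes Windows 10/11 (the Microsoft.PowerShell.LocalAccounts module) run with administrator rights, and the cloud part assumes the Microsoft Graph PowerShell SDK with a role that can read directory roles.

```powershell
# Added example, not GCIT's own process. Placeholders: the approved list, the
# 'PRACTICE\IT Admins' group name. Requires local admin rights for the local
# part and Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' for the cloud part.

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = @('Administrator', 'PRACTICE\IT Admins')   # placeholder
    )
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Name comes back as COMPUTER\user or DOMAIN\group. Match on the
        # qualified name, or on the bare name for local accounts only.
        $bare = $m.Name.Split('\')[-1]
        $ok = ($Approved -contains $m.Name) -or
              ($m.PrincipalSource -eq 'Local' -and $Approved -contains $bare)
        if (-not $ok) {
            [pscustomobject]@{
                Member = $m.Name
                Type   = $m.ObjectClass      # User or Group
                Source = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    }
}

# Cloud side: Global Administrators should be few (Microsoft recommends fewer
# than five), dedicated accounts, all covered by MFA.
function Get-GlobalAdmins {
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { return @() }    # role template not yet activated in this tenant
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Remediation, once confirmed with the practice manager:
    # Remove-LocalGroupMember -Group 'Administrators' -Member $findings.Member
} else {
    'Local Administrators group matches the approved list.'
}

$ga = @(Get-GlobalAdmins)
"Global Administrators ($($ga.Count)): $($ga -join ', ')"
if ($ga.Count -gt 5) { Write-Warning 'More than five Global Administrators; review and demote to least-privilege roles.' }
```

Schedule the local check across the fleet and diff the output week to week; a new member of Administrators that nobody approved is one of the cheapest early warnings of either a careless install or an intruder.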


Implement multi-factor authentication

When a user logs in to an account, multi-factor authentication requires more than one form of authentication to prove their identity: typically a password plus either a code generated by an authenticator app (or, less securely, sent by SMS or email) or an approval prompt on a device that is already signed in. An example is Apple's two-factor authentication, which lets users sign in with a password and then approve the sign-in on a trusted Apple device such as an iPhone. App-based or hardware-backed factors should be preferred over SMS and email codes, which can be intercepted through SIM swapping or a compromised mailbox.

Multi-factor authentication is one of the most effective security measures a medical practice can implement. When implemented securely, it makes stolen credentials considerably harder to use for further malicious activity. Microsoft reports that MFA blocks over 99.9% of account compromise attacks. This effectiveness, combined with its ease of use, makes multi-factor authentication a vital first line of defence for any organisation.
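Enforcing MFA tenant-wide through Conditional Access, as an added example (not GCIT's or Microsoft's own script). The policy is created in report-only mode so sign-ins that would have been blocked can be reviewed before enforcement, and it excludes a break-glass group so an MFA outage cannot lock administrators out. It assumes the Microsoft Graph PowerShell SDK, an Azure AD Premium P1 licence (included in Microsoft 365 Business Premium) with Security Defaults turned off, an account that can write Conditional Access policies, and that the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example, not GCIT's or Microsoft's own script.
# Assumptions: Microsoft Graph PowerShell SDK; Azure AD P1; Security Defaults off;
# $BreakGlassGroupId is a placeholder for your emergency-access accounts group.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName = 'Require MFA for all users (report-only)'
    # Report-only: evaluated and logged in sign-in logs, not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review the tenant's policies and make sure none are left disabled by accident.
function Get-ConditionalAccessSummary {
    Get-MgIdentityConditionalAccessPolicy -All |
        Select-Object DisplayName, State,
            @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } },
            @{ n = 'Users';    e = { $_.Conditions.Users.IncludeUsers -join ',' } }
}
Get-ConditionalAccessSummary | Format-Table -AutoSize

# After a week of reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Keep the break-glass accounts out of every policy, give them long random passwords stored offline, and alert on any sign-in by them; they are the one deliberate hole in the MFA requirement and should never be used day to day.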


Regular backups

Medical Centres need to ensure they back up business-critical information. This isn’t just for quick recovery in the event of a disaster; it’s also a requirement for general practices to achieve accreditation from the Royal Australian College of General Practitioners (RACGP).

Backup is the process of copying files or databases so they can be recovered after equipment failure, a security breach or another disaster. For a general practice to achieve accreditation, it must check its backup system at regular intervals, including testing its ability to recover data. The loss of critical data can impose a high financial and operational cost on your practice, so a business continuity plan that includes a reliable and frequently tested backup procedure is vital. At least one copy of each backup should be kept offline or otherwise isolated from the practice network, because ransomware routinely seeks out and encrypts any backups it can reach before it reveals itself.
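A restore test as an added example (not GCIT's backup product or the accreditation checklist): after restoring a backup set to a scratch location with whatever tool the practice uses, it compares every file's SHA-256 hash with the live copy and logs the result as evidence. The source, restore and log paths are placeholders. Practice management databases are restored through the vendor's tool and then verified the same way; files modified after the backup was taken will legitimately show as mismatched, so run the comparison against a quiet-time source or a point-in-time snapshot.

```powershell
# Added example, not GCIT's or any vendor's script. Paths are placeholders.
# Assumes the backup has already been restored to $RestoredPath by the backup tool.

function Test-RestoredCopy {
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$RestoredPath
    )
    # Build a relative-path -> hash table for a directory tree.
    $hashTree = {
        param($root)
        $root  = $root.TrimEnd('\')
        $table = @{}
        Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($root.Length + 1)
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        $table
    }
    $src = & $hashTree $SourcePath
    $dst = & $hashTree $RestoredPath
    $missing    = @($src.Keys | Where-Object { -not $dst.ContainsKey($_) })
    $mismatched = @($src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] })
    [pscustomobject]@{
        SourceFiles   = $src.Count
        RestoredFiles = $dst.Count
        Missing       = $missing
        Mismatched    = $mismatched
        Passed        = ($missing.Count -eq 0 -and $mismatched.Count -eq 0)
    }
}

$result = Test-RestoredCopy -SourcePath 'D:\PracticeData' -RestoredPath 'E:\RestoreTest\PracticeData'
$result | Format-List

# Keep a dated record: accreditation wants evidence that restores were tested,
# not only that backup jobs ran.
"$(Get-Date -Format s) restore test passed=$($result.Passed) missing=$($result.Missing.Count) mismatched=$($result.Mismatched.Count)" |
    Add-Content -Path 'D:\Backups\restore-test-log.txt'
if (-not $result.Passed) { Write-Warning 'Restore test failed; investigate before the next backup cycle.' }
```

Test the offline copy this way too, not only the one that is convenient to reach; the copy you would depend on after a ransomware incident is the one that matters.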

Conclusion

Protecting your medical centre from cyberattacks is one of the most important steps to improve your business’s stability, improve patient trust, and ensure continued operations. However, it’s important to note that the steps outlined above cannot entirely remove the threat of a cyberattack. Still, they can mitigate the risk and hopefully decrease any attack’s severity and long-lasting impacts.

At GCIT, we specialise in providing cyber security services to numerous businesses across Queensland and New South Wales, including many medical centres. Our award-winning cyber security experts can take the stress out of IT security and make sure your data is secure.

Contact GCIT to find out how we can help your Medical Practice protect against cyberattacks.

.au domain change

What is the new .au domain?

The .com.au country-specific web address has been in use for over 30 years. Like similar country codes such as .uk, it allows web users to quickly identify Australian businesses and commercial entities. In March 2022, .au Domain Administration Limited (auDA) launched a new, shorter domain: .au.

The .au direct name is a general-purpose domain open for anyone with a verifiable connection to Australia who wishes to create or manage an online presence.

Unlike .com.au, which requires an ABN or ACN to verify that you are an Australian business to register, a .au domain does not have this requirement, opening it up to the Australian general public. If you currently own a domain name in any other .au namespace, you have priority registration to the .au direct equivalent of your existing domain until 20 September 2022.

What happens if I don’t register my organization’s .au domain before the cut-off date?

If you don't request a .au domain via priority allocation by 20 September 2022, the domain becomes available for registration by the general public on 3 October 2022. After this date, anyone who meets the requirements for registering a .au domain will be able to register it, regardless of whether a .com.au or .net.au equivalent already exists.
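A check you can run after the cut-off, as an added example (not auDA's or GCIT's tool): for each domain the practice holds, it looks up the matching .au direct name and reports whether it resolves, and whether its name servers are yours. A .au name that resolves but is not yours is a lookalike to investigate with your registrar. The domain names and the "our name servers" list are placeholders, and absence of DNS does not prove the name is unregistered; confirm with the auDA WHOIS before relying on that.

```powershell
# Added example, not auDA's or GCIT's tool. Placeholders: the domain list and
# the practice's own name servers. Absence of DNS != unregistered; confirm via WHOIS.

function Test-AuDirectNames {
    param(
        [Parameter(Mandatory)][string[]]$OurDomains,
        [Parameter(Mandatory)][string[]]$OurNameServers   # e.g. 'ns1.example.com.au' (placeholder)
    )
    $ours = $OurNameServers | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }
    foreach ($d in $OurDomains) {
        # Map gcit.com.au -> gcit.au; skip anything that is not in an eligible namespace.
        $direct = $d -replace '\.(com|net|org|id|asn)\.au$', '.au'
        if ($direct -eq $d) { continue }

        $ns = @(Resolve-DnsName -Name $direct -Type NS -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'NS' } |
                ForEach-Object { $_.NameHost.TrimEnd('.').ToLowerInvariant() })
        $mx = @(Resolve-DnsName -Name $direct -Type MX -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'MX' } |
                ForEach-Object { $_.NameExchange })

        $foreignNs = @($ns | Where-Object { $ours -notcontains $_ })
        $status = if ($ns.Count -eq 0)        { 'No DNS (unregistered, or registered without delegation)' }
                  elseif ($foreignNs.Count -eq 0) { 'Ours' }
                  else                         { 'Delegated to someone else: investigate' }

        [pscustomobject]@{
            Existing    = $d
            DirectName  = $direct
            NameServers = ($ns -join ', ')
            MailServers = ($mx -join ', ')
            Status      = $status
        }
    }
}

Test-AuDirectNames -OurDomains 'gcit.com.au', 'gcit.net.au' `
                   -OurNameServers 'ns1.example.com.au', 'ns2.example.com.au' |
    Format-Table -AutoSize -Wrap
```

An MX record on a .au name you do not control is the case to escalate first: it means someone can receive mail, and probably send it, as your practice's name.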

What does this mean for my business?

While this new domain offers businesses, organisations and individuals opportunities to rebrand, extend or change their online presence, it can also pose a significant risk. Cybercriminals can use this as an opportunity to commit fraud against your business. If a cybercriminal registers your business's .au name, they could impersonate your organisation with a fake online presence. This could include creating a copy of your website or using the .au domain to send phishing emails under your company's name.

What steps should I take to protect my business or organisation?

While these changes will not inherently cause issues, you can take some steps to protect your organisation. The ACSC recommends that all Australian businesses, organisations, and individuals take advantage of the priority allocation process to register the .au direct equivalents of the existing domain names.

It is common practice for businesses to register the same names across multiple domains, for instance, gcit.com.au and gcit.net.au. When the .au direct namespace domain launched on 24 March this year, the Priority Allocation Process was created. This process allows existing registrants in the .au registry the first opportunity to apply for the .au direct match of their existing domain name/s. To qualify for priority access, you must have registered the domain name before the launch of the new .au domain.

How do I register for a Priority Allocation for a .au namespace domain?

To register the .au direct match of your existing domain name, you must apply for priority status by 20 September 2022 (23:59 UTC 20 September / 9:59 AM AEST 21 September). You can do this either through your current registrar or another accredited registrar. If you use a new registrar, you will need to retrieve a priority token from the Priority ID Token tool. This token enables a registrar to confirm that you are the owner of the matching existing domain name.

What can I do with the new domain once I have registered it?

If you have an existing web presence, one of the easiest things you can do is to create a redirect from the .au domain to your existing website. A redirect ensures that anyone searching for your business will find the correct site regardless of whether they use .au or .com.au. Of course, many businesses already do this with .net.au and .com addresses.

Another option is moving your website to the .au domain and redirecting your current .com.au address. Ultimately the web address you choose for your business will depend on the needs of your business.

To learn more about the new .au domain, visit auDA, the administrator of Australian .au domains.

Many companies are allowing staff to work from home or remotely indefinitely, raising questions about how they can protect work data on personal or uncontrolled devices.

As Gold Coast IT support specialists with experience in remote working, we offer the following information to help.

Because we can lose company data in a variety of ways across different devices, we need to apply a variety of protection measures. Let’s take a look at the features in Microsoft 365 that can allow companies to protect their data while users are working remotely.

Use Mobile Application Management

Despite the name, mobile application management doesn’t just apply to mobile devices, it can also protect Windows 10 devices. Mobile Application Management policies can protect company data on both managed and unmanaged devices.

It works by applying protections to the apps your teams use to access company data, like Outlook, Teams, OneDrive and SharePoint.

You can enforce restrictions on these apps to prevent data being saved, cut, copied or pasted.


You can also require a PIN when the app starts or block the app from running on a jailbroken phone or tablet.


This feature can also be used to selectively wipe company data from a user's device without affecting their personal files. This is handy for organisations where staff use their personal computers and mobile devices to access company information remotely.


Set up conditional access policies

We can use Conditional Access to enforce restrictions on non-compliant or unmanaged devices, such as blocking access entirely or preventing particular actions, like stopping users from saving attachments in Outlook on the web or syncing files to OneDrive.

We can apply these protections in other ways to apps like OneDrive and SharePoint, preventing users from syncing data to their personal devices by either blocking access or allowing limited, web-only access.



Use Cloud App Security to protect data on third-party apps

These protections don’t just relate to Microsoft 365 apps like OneDrive, SharePoint and Outlook; we can use Microsoft Cloud App Security to apply additional protections to apps like Dropbox Business too. Applying protection to a third-party app like Dropbox Business can prevent users from downloading your company data to unmanaged devices.


Apps like Dropbox Business also provide their own security measures, allowing you to block access and wipe company data when a device next comes online.

Configure idle session time outs

To lessen the likelihood of the wrong people accessing company information on a shared device, we can configure idle session time outs. These will sign users out after a period of inactivity, just like your bank does.

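The two SharePoint and OneDrive tenant settings described above (limited access from unmanaged devices, and idle session sign-out), as an added example from the SharePoint Online Management Shell; it is not GCIT's own script. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the tenant name is a placeholder, and that Intune and an Azure AD P1 licence are in place so "managed" means a compliant or hybrid-joined device. Setting the unmanaged-device policy this way also creates the matching Conditional Access policy in Azure AD.

```powershell
# Added example, not GCIT's own script. Placeholder: the tenant admin URL.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint administrator role.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Unmanaged devices get browser-only access with no download, print or sync.
# Alternatives: BlockAccess (refuse unmanaged devices entirely) or
# AllowFullAccess (the default, no restriction).
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Idle session sign-out for browser sessions on devices that are not managed and
# where the user did not tick "Keep me signed in": warn at 30 minutes, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
                          -WarnAfter (New-TimeSpan -Minutes 30) `
                          -SignOutAfter (New-TimeSpan -Minutes 60)

# Verify the tenant now reflects both settings.
function Get-RemoteAccessSettings {
    [pscustomobject]@{
        UnmanagedDevicePolicy = (Get-SPOTenant).ConditionalAccessPolicy
        IdleSignOut           = Get-SPOBrowserIdleSignOut
    }
}
Get-RemoteAccessSettings | Format-List
```

Test the limited-access setting from a personal laptop in a private browser window before announcing it: users should still be able to read documents, but the download, print and sync options should be gone.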

Get alerts on suspicious activities

Cloud App Security includes built-in alerts that trigger on potentially suspicious activities. We can use these to get notified about things like mass deletions, mass downloads and unusual volumes of external sharing.


Protect sensitive data with Data Loss Prevention

We can use data loss prevention to restrict or impose conditions on the sharing of sensitive information. These policies can trigger on certain keywords like project names or sensitive information types like credit card numbers, driver’s license details or tax file information. Once a file containing this info is detected, it can display a warning, be blocked from being sent or have encryption applied.


Using Cloud App Security, we can apply additional data loss prevention measures to third-party apps like Box and Dropbox Business.
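A DLP policy for the Australian identifiers the text mentions, as an added example (not GCIT's or Microsoft's own script). It is created in test mode with notifications, so the practice sees what would have been blocked before enforcement, and it only fires when content is shared outside the organisation. It assumes the Exchange Online Management module (for Connect-IPPSSession), an account holding a compliance administrator role, and that the policy and rule names are placeholders; the sensitive information type names are Microsoft's built-in ones as they appear in the compliance portal.

```powershell
# Added example, not GCIT's or Microsoft's own script. Placeholders: policy and
# rule names. Requires ExchangeOnlineManagement and a compliance admin role.

Connect-IPPSSession

$PolicyName = 'Patient identifiers - outbound'

# Policy: which workloads it covers and whether it enforces. Start in
# TestWithNotifications; switch to Enable once the incident reports look right.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Remote work: stop patient identifiers leaving the practice' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications | Out-Null

# Built-in sensitive information types (names as shown in the compliance portal).
$Sits = @(
    @{ Name = 'Australia Tax File Number';         minCount = '1' },
    @{ Name = 'Australia Medical Account Number';  minCount = '1' },
    @{ Name = "Australia Driver's License Number"; minCount = '1' },
    @{ Name = 'Credit Card Number';                minCount = '1' }
)

# Rule: detect any of those types, only when the content goes outside the tenant,
# block it, tell the sender/owner why, and send an incident report.
$rule = @{
    Name                                = 'Block external sharing of patient identifiers'
    Policy                              = $PolicyName
    ContentContainsSensitiveInformation = $Sits
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    NotifyUser                          = 'Owner', 'LastModifier'
    GenerateIncidentReport              = 'SiteAdmin'
    IncidentReportContent               = 'Detections', 'Severity', 'Title', 'Recipients'
}
New-DlpComplianceRule @rule | Out-Null

# Verify what was created.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, AccessScope, BlockAccess, NotifyUser
```

Scoping the rule to `NotInOrganization` is what keeps the policy tolerable for clinical staff: referral letters sent between practice mailboxes keep flowing, and only the email to a personal address or the link shared with an external account is stopped.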

Use Sensitivity Labels

But what happens if all this fails and someone downloads company data to a personal, unmanaged device? To protect against this, we can apply sensitivity labels. These labels define how sensitive a particular piece of content is and in turn enforce protections on the data, and those protections travel with the file no matter where it ends up. They limit who can open the file and what they can do with it, preventing the wrong people from opening, copying, saving, forwarding or printing sensitive documents or emails.


In many cases, these protections can be applied automatically by scanning for those same keywords and sensitive information types that data loss prevention uses.


As you can probably tell by now, there’s a lot you can do to protect your sensitive data when people are working from home. If you need help with any of this, reach out to us below.


Improvements to Azure AD Identity Protection have launched, making it easier to identify and manage identity risks in your organization.

What is Azure Active Directory Identity Protection?

Azure AD Identity Protection uses machine learning to identify signs of suspicious activity, or conditions that suggest an identity in your organisation may already be compromised. We can use it to configure policies that impose conditions on sign-ins or users that Microsoft 365 deems risky, and to manage, investigate and remediate risk alerts when a suspicious sign-in or user is detected.

Azure Identity Protection can generate alerts based on the following risk events:

  • Atypical travel
  • Anonymous IP
  • Unfamiliar sign in properties
  • Malware linked IP addresses
  • Leaked credentials
  • Azure AD Threat intelligence (activities that match known attack patterns)

The leaked credential alert is especially useful because it will let you know whether some of your users have credentials that are exposed on the dark web or in another breach. We use this in conjunction with the Have I Been Pwned API to alert our customers to compromised credentials.

Where can I find Azure Active Directory Identity Protection?

  1. Sign in to portal.azure.com
  2. Open Azure Active Directory
  3. Scroll down to Security on the left rail
  4. Open Identity Protection

What’s new in Azure Active Directory Identity Protection?

Azure Identity Protection has been updated with new controls for managing, investigating and remediating issues with our identities.

We can use these improved controls to manage risk events in bulk, confirming a compromised user or dismissing alerts in a single action. These controls are particularly handy for larger organisations that generate many alerts each day.

For each alert, we can drill down to see more information on the user's recent activities: other sign-ins and risk detections for that user, along with actions to reset the password, confirm compromise, block access, or investigate further in Azure ATP. Choosing to investigate further opens Cloud App Security, which provides more insight into the recent activity that contributed to the alert.
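The same triage from the command line, as an added example that ties together the leaked-credential alerts mentioned earlier and the bulk confirm-compromise control described here (it is not GCIT's internal tooling). It lists users Identity Protection currently marks at risk, shows which detections drove the risk, cross-checks each address against the Have I Been Pwned breached-account API, and bulk-confirms compromise for high-risk users with a leaked-credential detection so the user-risk policy acts on them. It assumes the Microsoft Graph PowerShell SDK, an Azure AD Premium P2 licence, an HIBP API key in the environment variable HIBP_API_KEY, and that the user-agent string is a placeholder.

```powershell
# Added example, not GCIT's tooling. Assumptions: Microsoft Graph PowerShell SDK;
# Azure AD P2; $env:HIBP_API_KEY holds an HIBP key; the user-agent is a placeholder.

Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All'

function Get-HibpBreaches {
    param([Parameter(Mandatory)][string]$Email)
    $uri = 'https://haveibeenpwned.com/api/v3/breachedaccount/' +
           [uri]::EscapeDataString($Email) + '?truncateResponse=false'
    try {
        $breaches = Invoke-RestMethod -Uri $uri -Headers @{
            'hibp-api-key' = $env:HIBP_API_KEY
            'user-agent'   = 'PracticeRiskCheck/1.0'   # placeholder; HIBP requires one
        }
        # Only breaches that exposed passwords matter for credential reuse.
        @($breaches | Where-Object { $_.DataClasses -contains 'Passwords' } | ForEach-Object { $_.Name })
    } catch {
        # HIBP returns 404 when the address appears in no breach.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) { @() } else { throw }
    } finally {
        Start-Sleep -Milliseconds 1600   # stay within the key's rate limit (assumed ~1 request per 1.5 s)
    }
}

function Get-RiskyUserReport {
    $risky = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
    foreach ($u in $risky) {
        $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All
        [pscustomobject]@{
            Id           = $u.Id
            User         = $u.UserPrincipalName
            RiskLevel    = $u.RiskLevel
            LastUpdated  = $u.RiskLastUpdatedDateTime
            Detections   = (@($detections.RiskEventType) | Sort-Object -Unique) -join ','
            HibpBreaches = (Get-HibpBreaches -Email $u.UserPrincipalName) -join ','
        }
    }
}

$report = @(Get-RiskyUserReport)
$report | Select-Object User, RiskLevel, LastUpdated, Detections, HibpBreaches | Format-Table -AutoSize -Wrap

# Bulk-confirm compromise for high-risk users whose risk includes a leaked
# credential; this makes the user-risk policy (forced reset / block) apply now.
$confirm = @($report | Where-Object { $_.RiskLevel -eq 'high' -and $_.Detections -match 'leakedCredentials' })
if ($confirm.Count -gt 0) {
    Confirm-MgRiskyUserCompromised -UserIds $confirm.Id
    "Confirmed compromise for: $($confirm.User -join ', ')"
}
```

The HIBP column is context rather than proof: a staff address in an old breach with a password you know has since been rotated is not an incident, but a high-risk leakedCredentials detection on the same address is, and that combination is what the final step acts on.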

What license do I need for Azure Identity Protection?

Azure Identity Protection is included in the Azure AD Premium P2 licence. Azure AD Premium P2 is available under the following licences:

  • Azure Active Directory Premium P2 standalone SKU
  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Enterprise Mobility + Security E5

You get some limited reporting on risky users, risky sign-ins and risk detections in Azure AD Premium P1, which is included in Microsoft 365 Business Premium.

Since Microsoft licensing can change, check Microsoft's current licensing documentation for up-to-date requirements.