Medical centres are a high-value target for cybercrime, and the impact of a cyberattack on a medical centre can be catastrophic. In 2020, during the COVID-19 pandemic, the health sector reported the highest number of cyberattacks of any sector other than government and individuals.
While large, high-profile attacks happen to large hospitals and health systems, solo and smaller practices can have a false sense of security, believing they are too small to be targeted. Unfortunately, smaller practices are often the most vulnerable to cyberattacks: they rarely have dedicated IT security expertise, yet they hold sensitive data.
Australian health providers have an increased reliance on telehealth and internet-enabled services, making them an ideal target for financially motivated cybercriminals. These attacks generally involve phishing campaigns, business email compromise and ransomware, a form of malware that encrypts files and data, rendering systems and files unusable until a ransom is paid.
The Australian Cyber Security Centre recommends the Essential Eight framework to mitigate the risk of cyberattacks on medical centres.
What is the Essential Eight, and how does it apply to your medical centre?
The Essential Eight is a framework recommended by the Australian Cyber Security Centre to help organisations protect themselves against cyber-attacks. It’s designed to protect Microsoft Windows-based networks and systems, but you can apply its principles to several situations and devices. In addition, it includes several mitigation strategies to reduce the risk of cyber threats significantly. This makes it the ideal starting point for a Medical Practice as it outlines several steps you can incorporate into your organisation’s existing systems to improve their security and stability.
When implementing the Essential Eight, the first step is to determine the maturity level that you’re aiming for. There are four levels, Level Zero through to Level Three. A Maturity Level of Zero signifies that an organisation has weaknesses or holes in its cyber security strategy. Levels One through Three recommend security measures of increasing strength and complexity to improve an organisation’s cyber security.
How to incorporate the Essential Eight into your medical practice
If your medical practice does not already employ the Essential Eight, we recommend starting with Level One. Below are the key components of this framework.
Apply application control
Application Control prevents unauthorised applications from being installed or run on a company computer. It’s a zero-trust security approach designed to protect against malware and untrusted applications. For example, in a Medical Centre, this could involve allowing access to only your practice management software, such as Best Practice or Medical Director, and related tools.
A practical method of implementing application control is to use Windows Defender Application Control (WDAC). This tool is included in Microsoft 365 Business Premium, a component of all GCIT managed service plans.
Patch applications
Patch management ensures all systems are kept up to date with available security patches in a timely manner. Patches are necessary to close vulnerabilities or bugs in your software. In a medical practice, this would involve updating programs such as Best Practice and Medical Director with the latest updates.
Practice Management Software like Best Practice and Medical Director will deliver communications when updates are available. However, it’s the responsibility of the Practice Manager or IT Service Provider to ensure these are applied promptly. Patches and updates should be applied within two weeks of release or 48 hours if a security exploit exists.
Configure Microsoft Office macro settings
Microsoft Office applications can create and execute macros to automate routine tasks. A macro is a sequence of automated actions that can replace mouse clicks and keystrokes to complete complex tasks. While these can be helpful tools, macros can also contain malicious code used by attackers to run harmful code or download malware.
We can manage the risks of Office macros using Attack Surface Reduction Rules in Microsoft Defender for Business, another Microsoft 365 Business Premium component.
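The following is an added example, not code from GCIT or Microsoft, showing how the Attack Surface Reduction rules that target Office macro abuse can be applied with the Defender PowerShell cmdlets. The rule names and GUIDs are Microsoft's published identifiers as known at the time of writing; confirm them against the current ASR rules reference before rolling out, and run the rules in audit mode for a trial period so that legitimate macros used by the practice are discovered before anything is blocked.

```powershell
# Added example (not GCIT's or Microsoft's code): apply the Defender Attack Surface
# Reduction rules that target Office macro abuse, in audit mode first, then enforced.
# Requires an elevated session on a device running Microsoft Defender Antivirus.
# Rule GUIDs are Microsoft's published identifiers; verify them against the current
# ASR rules reference before deployment, as the rule set changes over time.

$officeMacroRules = [ordered]@{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                           = '92E97FA1-5D3B-4CB4-8A3A-0BE0DA8B4DFD'
}

function Set-OfficeMacroAsrRules {
    param(
        # 'AuditMode' logs what a rule would have blocked without blocking it. Use it
        # for a trial period so practice management software is not disrupted.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'
    )
    foreach ($entry in $officeMacroRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host "$($entry.Key): $Mode"
    }
}

function Get-OfficeMacroAsrStatus {
    # Reads the configured rules back so an auditor can confirm the state.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    foreach ($entry in $officeMacroRules.GetEnumerator()) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $entry.Value) {
                $state = $actionNames[[int]$actions[$i]]
                break
            }
        }
        [pscustomobject]@{ Rule = $entry.Key; Id = $entry.Value; State = $state }
    }
}

# Trial in audit mode, review the audit events in the
# Microsoft-Windows-Windows Defender/Operational log, then switch to Enabled.
Set-OfficeMacroAsrRules -Mode AuditMode
# Set-OfficeMacroAsrRules -Mode Enabled
Get-OfficeMacroAsrStatus | Format-Table -AutoSize
```

When the same rules are pushed from Defender for Business or Intune, this script is still useful as a read-back check: `Get-OfficeMacroAsrStatus` shows whether each rule actually landed on the workstation and in which mode.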
User application hardening
Application Hardening involves reducing vulnerabilities in the applications your company uses. In the context of the Essential Eight’s Level One maturity model, Application hardening refers to security settings in the web browser. Specifically:
- Web browsers do not process Java from the internet.
- Web browsers do not process web advertisements from the internet.
- Internet Explorer 11 does not process content from the internet.
- Web browser security settings cannot be changed by users.
These settings can be implemented using Security Baselines in Microsoft Intune, another inclusion in Microsoft 365 Business Premium.
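As an added example that is not GCIT's or Microsoft's code, the script below spot-checks a workstation against two of the four Level One settings listed above: it looks for an installed Java runtime (a proxy for "web browsers do not process Java") and reads the state of the Internet Explorer 11 optional feature. The other two settings are enforced through the Intune baseline and are recorded as manual checks. The Windows optional feature name and the uninstall registry paths are the standard ones on 64-bit Windows 10 and 11.

```powershell
# Added example (not GCIT's or Microsoft's code): a workstation spot-check for the
# Essential Eight Level One application-hardening settings. Run elevated, because
# Get-WindowsOptionalFeature needs administrator rights.

function Get-AppHardeningCheck {
    $results = @()

    # Java: any installed product whose display name mentions Java is reported.
    # This is a proxy check; the control itself is about the browser not running Java.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Java*' } |
            Select-Object -ExpandProperty DisplayName
    $results += [pscustomobject]@{
        Control = 'Web browsers do not process Java from the internet'
        Pass    = -not $java
        Detail  = if ($java) { "Installed: $($java -join ', ')" } else { 'No Java runtime found' }
    }

    # Internet Explorer 11: the optional feature should be disabled, or absent on
    # builds where Microsoft has removed it entirely.
    $ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' `
                                     -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control = 'Internet Explorer 11 does not process content from the internet'
        Pass    = ($null -eq $ie) -or ($ie.State -ne 'Enabled')
        Detail  = if ($ie) { "Feature state: $($ie.State)" } else { 'Feature not present' }
    }

    # The remaining two settings come from the Intune security baseline; confirm them
    # in the baseline compliance report rather than on the endpoint.
    foreach ($manual in 'Web browsers do not process web advertisements from the internet',
                        'Web browser security settings cannot be changed by users') {
        $results += [pscustomobject]@{
            Control = $manual
            Pass    = $null
            Detail  = 'Verify via the Intune security baseline compliance report'
        }
    }
    return $results
}

Get-AppHardeningCheck | Format-Table -AutoSize -Wrap
```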
Patch operating systems
A patch is a security update that fixes vulnerabilities. Similar to Application Patching, timely Operating System patching ensures your operating system has all current security updates installed.
Patches need to be consistently monitored to ensure systems are up to date. Security updates can be deployed per workstation using Microsoft Update settings. However, your IT provider can also manage them with a Remote Monitoring & Management (RMM) tool. Like many IT service providers, GCIT offers services to control operating system patching through our RMM tool.
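Both the application patching section and the operating system patching section above set the same deadlines: two weeks after release, or 48 hours when an exploit exists. The script below is an added example (not GCIT's or the ACSC's code) that turns those deadlines into a compliance report over a patch inventory. The inventory is constructed sample data with made-up patch identifiers and dates; in practice it would be built from an RMM export or from `Get-HotFix` (which supplies the install date) combined with the vendor's published release date.

```powershell
# Added example (not GCIT's or the ACSC's code): check a patch inventory against the
# two-week / 48-hour windows described in the patching sections. The deadline is
# counted from the vendor's release date (assumption).

function Get-PatchDeadline {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [Parameter(Mandatory)][bool]$ExploitExists
    )
    if ($ExploitExists) { return $ReleaseDate.AddHours(48) }
    return $ReleaseDate.AddDays(14)
}

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($item in $Inventory) {
        $deadline = Get-PatchDeadline -ReleaseDate $item.ReleaseDate -ExploitExists $item.ExploitExists
        if ($null -ne $item.InstalledOn) {
            $status = if ($item.InstalledOn -le $deadline) { 'Compliant' } else { 'Late' }
        } elseif ($AsOf -le $deadline) {
            $status = 'Pending'   # not installed yet, but still inside the window
        } else {
            $status = 'Overdue'   # not installed and the window has closed
        }
        [pscustomobject]@{
            Product       = $item.Product
            Patch         = $item.Patch
            ExploitExists = $item.ExploitExists
            Deadline      = $deadline
            InstalledOn   = $item.InstalledOn
            Status        = $status
        }
    }
}

# Constructed sample inventory: product names come from the article; patch ids,
# dates and exploit flags are made up for illustration.
$inventory = @(
    [pscustomobject]@{ Product='Best Practice';    Patch='SAMPLE-BP-01'; ReleaseDate=[datetime]'2024-03-01'; InstalledOn=[datetime]'2024-03-10'; ExploitExists=$false }
    [pscustomobject]@{ Product='Medical Director'; Patch='SAMPLE-MD-01'; ReleaseDate=[datetime]'2024-03-01'; InstalledOn=[datetime]'2024-03-04'; ExploitExists=$true  }
    [pscustomobject]@{ Product='Windows 11';       Patch='SAMPLE-OS-01'; ReleaseDate=[datetime]'2024-03-12'; InstalledOn=$null;                   ExploitExists=$false }
)

Test-PatchCompliance -Inventory $inventory -AsOf ([datetime]'2024-03-20') |
    Format-Table Product, Patch, ExploitExists, Deadline, InstalledOn, Status -AutoSize
```

With the sample data, the Best Practice patch is Compliant (installed nine days after release), the Medical Director patch is Late because the exploit flag shortens its window to 48 hours, and the Windows patch is Pending because it is still inside its two-week window on the report date.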
Restrict administrative privileges
Administrative Privileges allow a user to create, delete and modify files, settings, programs and other user accounts. A user with administrative privileges can significantly change an IT environment’s configuration and security posture. Administrative rights also allow users to elevate their operations and access sensitive information. Without restrictions on user accounts, malware and malicious code can cause much more damage, especially if the user that triggered it is an admin.
Restricting admin privileges also creates a more stable and predictable workspace, as fewer users can make significant changes to the environment. Your IT Provider should regularly audit your environment’s permissions through consistent access reviews. They should also take a principle of least privilege approach with just-in-time access, ensuring users have the least privileges possible to perform administrative tasks – for only the time they need.
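An access review of the kind described above can be started with a short script such as this added example (not GCIT's code). It lists the members of the local Administrators group on a workstation and flags anyone not on an approved list. The approved list and the computer and domain names in it are constructed placeholders; `Get-LocalGroupMember` is available in Windows PowerShell 5.1 and later on Windows 10 and 11.

```powershell
# Added example (not GCIT's code): an access-review helper for the "restrict
# administrative privileges" control. Lists local Administrators group members and
# flags any that are not on the practice's approved list.

# Constructed placeholder list; replace with the practice's own record of approved
# administrative accounts.
$approvedAdmins = @(
    'PRACTICE-PC\Administrator',   # built-in account (sample computer name)
    'PRACTICE\IT-Support-Admin'    # the IT provider's dedicated admin account (sample)
)

function Get-AdminReview {
    param(
        [string[]]$Approved = $approvedAdmins,
        [string]$Group = 'Administrators'
    )
    foreach ($member in Get-LocalGroupMember -Group $Group) {
        [pscustomobject]@{
            Name     = $member.Name
            Type     = $member.ObjectClass      # User or Group
            Source   = $member.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved = ($Approved -contains $member.Name)
        }
    }
}

$review = Get-AdminReview
$review | Format-Table -AutoSize

$unexpected = $review | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Warning "Unapproved members of the Administrators group: $($unexpected.Name -join ', ')"
    # Removal is a deliberate, reviewed action. Uncomment only after the practice
    # manager has confirmed the account should lose admin rights.
    # $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
}
```

Running this on each workstation on a schedule, and keeping the output with the review records, gives the consistent access reviews the section calls for; group members reported with a `Source` of `ActiveDirectory` or `AzureAD` need the same review on the directory side.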
Implement multi-factor authentication
When a user logs in to an account, multi-factor authentication requires multiple forms of authentication to prove their identity. This may be a password plus a generated code sent via SMS, email or an authenticator app, or a secondary device that is already logged in and must approve the access. An example is Apple’s multi-factor authentication, which lets users sign in with a password and then approve the sign-in on an authorised Apple device such as an iPhone.
Multi-factor authentication is one of the most effective security measures a medical practice can implement. When implemented correctly, it makes credential theft, and the malicious activity that follows from it, considerably more difficult. Microsoft reports that multi-factor authentication prevents 99.9% of identity-based cyberattacks. This effectiveness, combined with its ease of use, makes multi-factor authentication a vital first line of defence for any organisation.
Create regular backups
Medical Centres need to ensure they back up business-critical information. This isn’t just for quick recovery in the event of a disaster; it’s also a requirement for general practices to achieve accreditation from the Royal Australian College of General Practitioners (RACGP).
Backup is the process of copying files or databases to ensure their preservation in the event of equipment failure, security and cyber breaches or other disasters. For a general practice to achieve accreditation, they must check their backup system at regular intervals – this includes testing its ability to recover data. The loss of critical data can impose a high financial and operational cost on your practice, so having a business continuity plan that includes a reliable and frequently tested backup procedure is vital.
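The paragraph above asks for the backup system to be checked at regular intervals, including its ability to recover data. The following added example (not GCIT's code or the RACGP's procedure) shows what such a check can look like: it restores a sample file from the backup location into a scratch directory, compares its SHA-256 hash with the production copy, and checks the backup's age against an assumed nightly schedule. The demo at the end creates throwaway files under `$env:TEMP` so it can be run anywhere; the file names and the 24-hour schedule are constructed assumptions.

```powershell
# Added example (not GCIT's or the RACGP's procedure): a restore test for the backup
# control. Restores a sample file, verifies it by hash, and checks backup freshness.

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$SourceFile,
        [Parameter(Mandatory)][string]$BackupFile,
        [Parameter(Mandatory)][string]$RestoreDir,
        [int]$MaxBackupAgeHours = 24    # assumption: backups run nightly
    )
    $result = [ordered]@{ BackupExists = $false; BackupFresh = $false; RestoreOk = $false; HashMatch = $false }

    if (-not (Test-Path $BackupFile)) { return [pscustomobject]$result }
    $result.BackupExists = $true

    # A backup older than the schedule allows means the job has silently stopped.
    $age = (Get-Date) - (Get-Item $BackupFile).LastWriteTime
    $result.BackupFresh = ($age.TotalHours -le $MaxBackupAgeHours)

    # Restore into a scratch directory, never over the production copy.
    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    $restored = Join-Path $RestoreDir (Split-Path $SourceFile -Leaf)
    Copy-Item -Path $BackupFile -Destination $restored -Force
    $result.RestoreOk = Test-Path $restored

    # A restore that completes but yields different content is still a failure.
    if ($result.RestoreOk) {
        $srcHash = (Get-FileHash -Path $SourceFile -Algorithm SHA256).Hash
        $resHash = (Get-FileHash -Path $restored   -Algorithm SHA256).Hash
        $result.HashMatch = ($srcHash -eq $resHash)
    }
    return [pscustomobject]$result
}

# Constructed demo data: a fake "database export" and a backup copy of it.
$demo   = Join-Path $env:TEMP 'backup-test-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$source = Join-Path $demo 'patients-export.dat'
$backup = Join-Path $demo 'patients-export.dat.bak'
Set-Content -Path $source -Value 'sample record 1;sample record 2' -NoNewline
Copy-Item -Path $source -Destination $backup

$outcome = Test-BackupRestore -SourceFile $source -BackupFile $backup -RestoreDir (Join-Path $demo 'restore')
$outcome | Format-List
if (-not ($outcome.BackupExists -and $outcome.BackupFresh -and $outcome.RestoreOk -and $outcome.HashMatch)) {
    Write-Warning 'Backup verification failed: record the failure and escalate to your IT provider.'
}
Remove-Item -Path $demo -Recurse -Force
```

For a real backup product, the restore step becomes the product's own restore command and the source is a recent database export rather than a sample file, but the shape of the check stays the same: existence, freshness, a successful restore to a separate location, and content verification. Keeping the output of each run is what lets the practice show accreditation assessors that the backup has been tested, not just configured.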
Conclusion
Protecting your medical centre from cyberattacks is one of the most important steps to improve your business’s stability, improve patient trust, and ensure continued operations. However, it’s important to note that the steps outlined above cannot entirely remove the threat of a cyberattack. Still, they can mitigate the risk and hopefully decrease any attack’s severity and long-lasting impacts.
At GCIT, we are specialists in providing Cyber Security services to numerous businesses across Queensland and New South Wales, including many medical centres. Our Award-winning cybersecurity experts can take the stress out of IT Security and make sure your data is secure.
Contact GCIT to find out how we can help your Medical Practice protect against cyberattacks.