
Is Your Practice Cybersafe?
PART ONE
There’s no question that Australian businesses are under threat online. Worryingly, health providers are more vulnerable than most to cybersecurity breaches.
According to Accenture, security breaches have increased by 11% since 2018 and 67% since 2014. Late last year the Government showed how seriously it takes cybercrime by launching a national awareness campaign through the Australian Cyber Security Centre (ACSC). The campaign urges Australians to strengthen their cyber defences and be alert to online threats. Minister for Defence, Senator Linda Reynolds, launched the ACSC campaign in December 2020, saying: “Cybercriminals are relentless, operating around the clock and around the world, in a bid to steal the data and money from Australian businesses and families.

“Australians are reporting more than one cybercrime every 10 minutes, making it more important than ever that we all remain alert to the threat of cybercrime.”

Dr David Glance, Director of the UWA Centre for Software and Security Practice, says healthcare providers have been subject to increased attacks from cyber criminals. “However, health providers are being especially targeted by ransomware attacks because these are designed to make a business inoperable by encrypting all of the information on computers in the practice until a ransom payment is made,” he explains. “Because practices have become increasingly reliant on electronic patient records, it is impossible to treat patients without access to those records.

“Worse still, attackers have been not only encrypting information to make it inaccessible but have been stealing data and threatening to publish it if the ransom is not paid,” he adds. “This is especially concerning when the information is personal information belonging to patients.”

The information most valuable to an attacker is whatever would cause the most harm to the business, or to its customers or patients, if it were released publicly. “The average cost of a data breach in healthcare is the highest of any industry, at over $7 million per breach,” says Adam Gordon, ANZ Country Manager at Varonis.
“This is due to the highly sensitive nature of the data healthcare organisations collect, such as confidential patient records in the case of dentists and hospitals. “Attackers know healthcare providers hold large amounts of sensitive patient data, and that they also can’t do their jobs without access to this data. Attackers are using highly targeted campaigns where they steal data, encrypt it, and extort the victim organisation – pay up, or the attackers publish sensitive information,” Adam adds. “Ransomware is also offered as a service – meaning less experienced hackers buy a toolkit and launch an attack that, if not caught, could unleash ransomware across a victim organisation.”
Common mistakes
When asked about the common mistakes businesses and healthcare providers make when it comes to keeping sensitive data safe, David says a lack of cybersecurity awareness is a problem, as is failing to implement basic safe practices such as keeping systems updated, keeping anti-virus software running and maintaining regular backups of information. “Most attacks come via phishing emails – fake emails that try and trick the reader into clicking and executing a malicious program – and so being absolutely scrupulous when interacting with emails is vital,” he adds.

According to Adam, having sensitive files accessible by everyone in the organisation (or by more people than required) is another common mistake. “Healthcare organisations need to employ a policy of least privilege, which only gives employees access to the files which are necessary to do their jobs,” he explains. “This will limit the damage hackers can cause if an employee’s account is compromised. It also protects against insider threats, preventing employees from sharing or deleting confidential company data.”

Other mistakes to be aware of include poor password hygiene: “This includes having passwords that are weak and easy to crack, passwords that rarely or never expire, and using the same password on multiple accounts,” he says – as well as leaving ‘ghost users’ enabled. “These are user and service accounts that are inactive but still enabled – which can give hackers an easy way to move through an organisation’s file structures undetected,” he explains. “Hackers often exploit this weakness to steal data or disrupt critical systems.”

ADAWA recently partnered with financial protection company eftsure, as we believe our members will benefit from their services. eftsure’s solution protects business-to-business payments by matching beneficiary names with their account number and BSB.
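The ‘ghost user’ problem Adam raises under Common mistakes is one a practice can check for itself. The script below is an added example, not code from the article or from Varonis: it reads an account export, treats any enabled account with no logon inside a chosen window as a ghost, and lists what should be disabled. The CSV column names and the sample rows are constructed for the example; map the columns from whatever your directory, practice-management system or cloud console actually exports.

```python
"""Find 'ghost' accounts: enabled but inactive beyond a threshold.

Added example, not code from the article. The CSV layout below is a
constructed stand-in for whatever your directory, practice-management or
cloud console can export; map its columns to these names and the rest applies.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per account, last_logon may be 'never'.
SAMPLE_EXPORT = """\
username,account_type,enabled,created,last_logon
dr.smith,user,true,2018-03-01,2021-04-19
reception2,user,true,2019-07-15,2020-09-03
locum.jones,user,true,2020-11-02,never
backup-svc,service,true,2017-01-10,2020-01-20
scanner-svc,service,true,2021-02-01,never
old.hygienist,user,false,2016-05-05,2019-12-12
"""


def parse_export(text):
    """Parse the CSV export; 'never' becomes None so it cannot be compared by accident."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip().lower()
        rows.append({
            "username": row["username"].strip(),
            "account_type": row["account_type"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "created": date.fromisoformat(row["created"].strip()),
            "last_logon": None if last == "never" else date.fromisoformat(last),
        })
    return rows


def find_ghost_accounts(rows, as_of, max_idle_days=90):
    """Return [(username, reason)] for accounts that are enabled but inactive.

    Enabled with no logon within max_idle_days is a ghost. An account that has
    never logged on only counts once it is older than the threshold, so a
    freshly provisioned service account is not flagged on day one.
    Disabled accounts are skipped: they are already contained.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    ghosts = []
    for r in rows:
        if not r["enabled"]:
            continue
        if r["last_logon"] is None:
            if r["created"] <= cutoff:
                ghosts.append((r["username"],
                               f"{r['account_type']} account never used since creation on {r['created']}"))
        elif r["last_logon"] <= cutoff:
            idle = (as_of - r["last_logon"]).days
            ghosts.append((r["username"], f"{r['account_type']} account idle for {idle} days"))
    return ghosts


def ghost_report(export_text, as_of_iso, max_idle_days=90):
    """Convenience wrapper: {username: reason} from raw export text and an ISO date."""
    rows = parse_export(export_text)
    return dict(find_ghost_accounts(rows, date.fromisoformat(as_of_iso), max_idle_days))


if __name__ == "__main__":
    # Review each hit with whoever owns the account, then disable (not delete)
    # so the audit trail and any file ownership survive.
    for name, why in ghost_report(SAMPLE_EXPORT, "2021-04-20").items():
        print(f"DISABLE {name}: {why}")
```

Run it against a fresh export on a schedule rather than once: the value is in catching the locum who left in March and the integration account nobody remembers, before an attacker finds them. Ninety days is a common starting threshold; shorten it for service accounts that are expected to authenticate daily.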
We were persuaded of eftsure’s credentials by a case study of a construction and engineering firm that used eftsure’s Know Your Payee solution to prevent a payment of over $1m to a fraudster.

At the beginning of February 2020, the company had been advised of a change of account details for one of their suppliers – a professional company providing services to the construction industry. The requested change of banking details arrived in an email from the legitimate account of their primary contact at the supplier. In keeping with the eftsure process, the customer initiated a change request from the eftsure portal, requesting that the supplier provide their updated details via eftsure. Since the supplier’s email account was under the control of the fraudster, the fraudster intercepted that email and completed the onboarding themselves.

This triggered eftsure alerts inside the verification system because the IP address of the fraudster did not match the IP address region of the supplier. As per eftsure’s process, eftsure independently sourced the phone number of the supplier and called them to verify the details, subsequently discovering that fraudsters had been monitoring communication in the compromised email account and using it to attempt to defraud the supplier’s customers. Once the fraud was exposed, the supplier closed the email account completely and contacted all their other customers to warn them not to accept any changed details.
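The case study turns on three checks: does the new account actually belong to the named payee, does the request come from where the supplier normally is, and is the final confirmation made by phone on a number sourced independently of the email. The script below is an added example modelled on those checks for a practice’s own accounts-payable process; it is not eftsure’s code, and the account register, regions and phone numbers are constructed placeholders.

```python
"""Decide whether a supplier bank-detail change can be trusted.

Added example modelled on the checks in the case study above (account
belongs to the named payee, request comes from the expected region, confirm
by phone on an independently sourced number). Not eftsure's code; the
register, regions and numbers below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass
class Payee:
    """A supplier already on the books."""
    name: str
    bsb: str
    account: str
    home_region: str       # region the supplier normally submits from
    phone_on_file: str     # number sourced independently at onboarding


@dataclass
class ChangeRequest:
    """A 'please update our bank details' request, however it arrived."""
    payee_name: str
    new_bsb: str
    new_account: str
    submitter_region: str  # region geolocated from the submitting IP
    phone_in_request: str  # deliberately never used: the fraudster wrote it


# Constructed stand-in for a "which name does this account belong to" lookup.
ACCOUNT_REGISTER = {
    ("062-000", "12345678"): "ACME Engineering Services Pty Ltd",
    ("062-001", "22334455"): "ACME Engineering Services Pty Ltd",
    ("013-006", "87654321"): "J Smith",
}


def normalise_bsb(bsb):
    """Accept '062000' or '062-000'; Australian BSBs are exactly six digits."""
    digits = re.sub(r"\D", "", bsb)
    if len(digits) != 6:
        raise ValueError(f"BSB must be six digits, got {bsb!r}")
    return f"{digits[:3]}-{digits[3:]}"


def normalise_name(name):
    """Case- and punctuation-insensitive comparison of legal names."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def assess_change(payee, req, register=ACCOUNT_REGISTER):
    """Return (verdict, reasons, callback_number).

    verdict is 'REJECT' (malformed request), 'CALL_BACK' (at least one check
    failed: ring callback_number before paying anything) or 'CLEAR' (every
    check passed). callback_number is always the number on file, never the
    one supplied in the request.
    """
    reasons = []
    try:
        bsb = normalise_bsb(req.new_bsb)
    except ValueError as exc:
        return "REJECT", [str(exc)], payee.phone_on_file
    account = re.sub(r"\D", "", req.new_account)
    if not account:
        return "REJECT", ["account number is empty"], payee.phone_on_file

    owner = register.get((bsb, account))
    if owner is None:
        reasons.append(f"{bsb} {account} is not a known account")
    elif normalise_name(owner) != normalise_name(payee.name):
        reasons.append(f"{bsb} {account} is registered to {owner!r}, not {payee.name!r}")

    if req.submitter_region != payee.home_region:
        reasons.append(f"submitted from {req.submitter_region}, supplier is in {payee.home_region}")

    if reasons:
        return "CALL_BACK", reasons, payee.phone_on_file
    return "CLEAR", ["account registered to payee; submitted from expected region"], payee.phone_on_file


if __name__ == "__main__":
    acme = Payee("ACME Engineering Services Pty Ltd", "062-000", "12345678",
                 "AU-WA", "+61 8 0000 0000")
    # The case-study pattern: sent from the supplier's real mailbox, but the
    # new account belongs to someone else and the submission comes from elsewhere.
    fraud = ChangeRequest("ACME Engineering Services Pty Ltd", "013006", "87654321",
                          "XX", "+61 4 0000 0001")
    print(assess_change(acme, fraud))
```

The design point is in the return value: even a `CLEAR` result hands back the phone number on file, so the person approving the change has no reason to reach for the contact details in the email. That is what defeated the fraud in the case study, where the email account itself was genuine and only the out-of-band call exposed it.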
Find out more: get.eftsure.com.au