How to Practice Safely in an era of Cybercrime and Privacy Fears

Transcription

1 How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. 1

2 It s Your Responsibility The Australian Privacy Principal 11.1 States: An App Entity That Holds Personal Information Must Take Reasonable Steps To Protect The Information From Misuse, Interference And Loss, As Well As Unauthorised Access, Modification Or Disclosure. Cyber Risks Of % 60% of 1.05 million global ransomware attacks targeted Australia 24 Every 24 seconds a host accesses a malicious website 34 Every 34 seconds an unknown malware is downloaded 1 Every minute a bot communicates with its 5 command and control Every 5 minutes a centre high-risk application is used 50% Identifiable Health Information worth 50% more than a credit card on the black market 2 Australia had the 2nd highest number of ransomware detections in the first quarter of 2015 than any other country 6 Every 6 minutes a known malware is downloaded 2

3 Privacy Breach What This Means For You ANY SECURITY OR PRIVACY BREACH Places You At Risk Of A Fine Anywhere Up To $1.7 Million Loss of Integrity And Reputation Loss of Patients Potential Litigation Rectification Costs Disruption of Services Negative Publicity 3

4 Our Practice Is Too Small If you think your practice is too small than you re a prime target. 5 Steps Is All It Takes To Minimise Your Practice Risk 4

5 5 Step Process 1. Audit Highlights Practice wide vulnerabilities: Technical weaknesses Usage procedures User knowledge System Management Identify: 1. Asset & Information Types 2. Possible Threats 3. Existing Protection Methods 4. Current Vulnerabilities 5. Potential Safeguards Plan: 1. Technical Protection Requirements 2. System Governance 3. User Education and Training Plan 4. Maintenance and Management Requirements 5

6 Basic Audit Example Asset Datatype Threat Current Protection Current Vulnerabilities Server Laptop Health Record Practice Info HR Doc Health Info Remote access Theft Loss Damage Accidental exposure Theft Loss Damage Accidental Exposure Password protection Antivirus Windows Firewall Locked in cupboard Dedicated server Web browsing disabled Antivirus PWD Protected VPN Access Remote access PWD protected. Locked in secure location when not in use. Potential Safeguards No network firewall All practice users know PWD Numerous external unattended access. No confidentiality agreements Physical Firewall (UTM) Change PWD Limit User Access Confidentiality Agreements Remove unattended access Lack of contractor due diligence Modify remote access policy Use of hosted services Not up to date Move server or Hot water system No Antispam Hot water system above No Encryption No firewall when out of practice User opens suspect No Antispam Missing updates Encryption Mobile Privacy Screen Auto locking Safeguard Types Technical User Governance Maintenance Education Technical User Governance Maintenance Education Reception Patient Info Faxes Scanning Printing Financial EFTPOS Results Specimens Accidental Exposure Loss Privacy Policy High Counter Minimal patient info discussed. Phone calls reduced to patient providing information. locked trays for financials Scanning kept from front counter. User error Private information discussed Identified information visible Incorrect user access to paper documents Loss of documents User Education and Training Change results recall process Move EFTPOS slips Path/Rad specimens removed to secure area. User Governance Education Common High Risk Areas Web Browsing Printer Pathology Specimens Mobile Devices Test Results Wifi Scanning USB Drives Paperwork Social Media SMS Backup Recall Letters Out of Date Software Dictation Phone Conversations Patient Discussions Fax Reception Desk 6

7 2. Network Perimeter Protection You must protect EVERY possible entrance to your Practice network. Commercial grade Firewall Encrypt and secure EVERY device that may connect to your network (Inc BYOD) Hide your wireless network and consider zoning your network. (DMZ/VLAN) Use Commercial versions of Antivirus and Antispam. Automatically lock devices when idle for a set time. Don t use generic usernames, shared user accounts. Provide administrative rights to users only when required. Ensure your users have long and complex passwords. Secure Every Doorway If Your Equipment Is STOLEN OR LOST Make Sure Your Data Is Protected. SSL certificates and VPNs for remote and wireless access. Remote management tools to enable destruction of information on portable devices. Conduct regular Security Audits on personal devices. NO business information on personal devices. Encrypt and password-protect backup. Check the security, privacy and encryption policies of Cloud Backup Portable hard drives backup stored securely while offsite. Don t take it to dinner with you! 7

8 Protect The Cloud Too As soon as information has left your network you are no longer in CONTROL. Use secure VPNs, Encryption or Gateways to connect and send information to a cloud host. Different passwords for each cloud-based service. Check where your data is stored and ask for a copy of the security and privacy policies. Keep your internal network secure. You still need a firewall and security software. Firewall Your First Level of Protection Must have UP TO DATE Security Software: Intrusion Protection System (IPS) Web Filtering Content Filtering Antivirus Antibot Antispam (Incoming & Outgoing) 8

9 3. Policies & Procedures Policies and Procedures SET THE RULES, principles and practices for the appropriate and secure ongoing usage and management of the Practice Information Systems. They ensure consistency, efficiency and accountability Create clear and easy-to-follow policies. Enforce them, no point having if they are not adhered to. Policies Internet & Social Media Usage Remote Access BYO Device Usage Mobile Device Usage & Security User Access & Passwords Privacy Policy Internal & External Users Confidentiality Employees and Contractors Disaster Recovery Plan Software Installation Workstation Security Backup Security Vendor Support Physical Security Risk Notification Breach Notification 9

10 4. Education & Training Your Practice is only as secure as your MOST AND LEAST technical users. There s no point having good policies if you don t educate your users. Allocate enough time to train new users on all your security policies and procedures. Provide ongoing education to all users. Educate users on safe Internet and usage. Go through the importance of patient privacy and high light areas of risk. 5. Maintenance & Review Ongoing Maintenance, Support, Review and Education ensures a healthy and SECURE Practice, Information System and Management plan. Servers, network and devices are monitored and maintained. Operating systems of all computers up to date. Internet browsers are up to date. Firewall monitored with firmware and software up to date. Antivirus and Antispam software is up to date and monitored. Regularly review policies and procedures. 10

11 Can You Afford Not To? How much would a security breach cost you and your Practice? More Information at olliehanit.com.au/gp15 Christina Harbridge INFORMATION PROTECTION SPECIALIST 11