Medical Practice Cybersecurity: Implementing the Essential 8

If you own or work in a medical practice, you might not realise that you are a high-value target for cyber criminals. 

More than anything, cyber attackers look to steal information. This information can be used to blackmail you, infiltrate your systems or catch you in a phishing scam. It can even be sold to other attackers for a profit.

Medical practices store a lot of information about their patients, and can look like a goldmine for greedy criminals. So it’s important you know how to protect that information, and your business. 

Read on to learn how implementing the Essential 8 can protect your medical practice. 

Why Do Medical Practices Need Cybersecurity?

Medical practices collect a lot of sensitive and confidential data about people. From patient contact details and identity documents, to detailed records of their medical history, all this information can fetch a high price for hackers. Due to their lucrative nature, data breach attempts on medical practices are a serious threat. 

This problem is made worse by the fact that more and more Australians are using internet-based doctor services, appointment booking apps, and record transfers. The more users a medical practice has connecting to its network, the more entry points for a cyber criminal. 

Just recently, Medibank, an Australian health insurance giant with 3.9M customers, suffered a high-profile data breach. Customers had their personal details and parts of their medical history, such as claim codes, potentially leaked. This has caused a huge loss of reputation for Medibank, and has left customers feeling exposed.

What is the Essential 8?

The Essential 8 is a framework of cybersecurity measures for implementation in businesses. Created by the Australian Cybersecurity Council (ACSC), it outlines 8 steps businesses can take to protect themselves from cyber criminals.

It’s recommended that medical practices, and all businesses for that matter, consult an IT service to implement the Essential 8 for them as soon as possible. Data breaches have recently increased by 6% in Australia, and if your practice isn’t secure it’s only a matter of time before you fall victim to a breach. 

Implementing the Essential 8 in Medical Practices

The following Essential 8 measures will help you protect your medical practice from cyber breaches. 

*Note: the Essential 8 are designed for Microsoft Windows internet connected networks. If your business is based on a cloud service many of these strategies still apply, but you should supplement them with these resources. 

Application Control

Application control stops unapproved or suspicious applications from being installed in your computer systems. 

When you visit a compromised website, it’s possible to download dangerous applications without you knowing. Application control also protects you from employees installing suspicious applications and introducing vulnerabilities to your system. 

Remember, your employees likely aren’t deliberately trying to sabotage your cybersecurity, but people make mistakes, and configuring application control helps prevent these mistakes. 

Application Patches

Patches don’t just improve performance or add new features, they also fix known exploits that cyber criminals will use to gain access to your medical practice’s systems. It’s in your best interests to check that your software and devices are set to automatically update. 

Don’t fall into the trap of assuming that your software is updating itself. You need to be positive that it is, or you are leaving yourself vulnerable. 

Even after taking this step, if you hear of any exploits in software that you use, manually checking for an update will give you some peace of mind. 

Microsoft Office Macro Settings

Macros are automated actions that can complete a number of simple tasks for you. In many areas where you would need to click or type, Microsoft Office macros can do that for you.

The problem is, the code that allows this feature to work can also be the perfect vehicle for malicious code to enter and wreak havoc on your system. 

By configuring Microsoft Office properly, you can substantially reduce the threat of an attack through your macro code. 
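The following PowerShell script is an added example, not code from the original article or from OneCloud IT Solutions. It audits the two Office macro policy settings that the Essential 8 strategy is concerned with (disabling macros and blocking macros in files downloaded from the internet) and, when run with `-Fix`, sets them. It assumes Office 2016 or later (the `16.0` policy hive) and per-user policy keys; in a domain the same values would normally be delivered by Group Policy rather than by a script run on each machine.

```powershell
# Added example (not from the original article): audit and optionally apply the
# Office macro policy settings. Run without -Fix to report, with -Fix to enforce.
param([switch]$Fix)

$apps = 'Word', 'Excel', 'PowerPoint', 'Access'

# Desired values:
#   VBAWarnings 4                     = "Disable all macros without notification"
#   blockcontentexecutionfrominternet 1 = "Block macros in Office files from the Internet"
$desired = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    if (-not (Test-Path $key)) {
        # No policy at all means each user decides whether macros run.
        Write-Warning "${app}: no macro policy set (users decide whether macros run)"
        if ($Fix) { New-Item -Path $key -Force | Out-Null } else { continue }
    }

    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq $desired[$name]) {
            Write-Output "${app}: $name = $current (OK)"
        } elseif ($Fix) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            Write-Output "${app}: $name set to $($desired[$name])"
        } else {
            # Missing or weaker than desired: report the current value so it can be reviewed.
            Write-Warning "${app}: $name is '$current', expected $($desired[$name])"
        }
    }
}
```

Running the script without `-Fix` first is the useful step for a practice: it shows, per application, whether a policy is in place at all, which is exactly the "don't assume, check" point the article makes about patching as well.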

Web Browser Hardening

Your web browser is your doorway out into the internet, where much of modern medical practice business takes place. The problem with doorways is that while they let you out, they can also let cyber criminals in. 

Browser hardening adjusts the settings of your web browser to make it as protected as possible. This process commonly includes making sure employees can’t change their browser settings. It also stops your browser from processing common sources of harmful content, like online ads and scripts running JavaScript. 

Operating System Patches

Your devices need regular patches just like your software does. Like renovating a house that has a weak foundation, no matter how often you update your software, if your device operating systems stay at the factory level you’re still exposed. 

Setting up automatic updates on your devices should be your first step. If you have a larger medical practice, it’s a good idea to contact an IT service; they can remotely update all the devices on your network for you. 
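Both the Application Patches and Operating System Patches sections come down to one instruction: verify that updates are actually happening rather than assuming they are. The PowerShell script below is an added example, not code from the article or from OneCloud IT Solutions, that does that check on a single Windows 10/11 device: it reads the Automatic Updates policy, finds the last successfully installed update through the Windows Update API, and lists anything still pending. The 30-day staleness threshold is a constructed value for illustration, not an ACSC figure.

```powershell
# Added example (not from the original article): verify, rather than assume, that a
# Windows device is updating itself, and report how stale its patch level is.
$maxAgeDays = 30   # constructed threshold for this example

# Group Policy setting for Automatic Updates. NoAutoUpdate = 1 means an administrator
# has switched automatic updating off; a missing key means the Windows default (enabled).
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                       -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Updates are disabled by policy'
} else {
    Write-Output 'Automatic Updates: enabled (no policy, or policy allows updates)'
}

# Windows Update COM API: query the install history for the most recent success.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

# ResultCode 2 is orcSucceeded in the OperationResultCode enumeration.
$last = $searcher.QueryHistory(0, $count) |
    Where-Object { $_.ResultCode -eq 2 } |
    Sort-Object Date -Descending |
    Select-Object -First 1

if (-not $last) {
    Write-Warning 'No successfully installed updates found in Windows Update history'
} else {
    $age = (New-TimeSpan -Start $last.Date -End (Get-Date)).Days
    Write-Output ("Last successful update: {0} ({1}, {2} days ago)" -f `
        $last.Title, $last.Date.ToShortDateString(), $age)
    if ($age -gt $maxAgeDays) {
        Write-Warning "No update installed in over $maxAgeDays days; check for updates manually"
    }
}

# Anything Windows Update knows about but has not yet installed.
$pending = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
Write-Output "Pending updates: $($pending.Count)"
$pending | ForEach-Object { Write-Output "  - $($_.Title)" }
```

Note that this only covers what Windows Update manages (Windows itself and, where Microsoft Update is enabled, Microsoft products such as Office). Third-party applications such as practice-management software need their own update check, which is the manual step the Application Patches section describes.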

Admin Privileges

Your administrator privileges shouldn’t be accessible among your entire team. They have the power to change very important settings and configurations across your entire device network. They also grant access to confidential information. 

Remember, if your employees are compromised, anything they can access is something the attacker can access too. You need to seriously consider who in your team needs admin access, and then restrict it just to that group.

A good rule of thumb for deciding what level of access to give is to only grant the amount required for your team to complete their tasks. Any more is unnecessary and increases the potential damage of any future attacks.
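Restricting admin access starts with knowing who has it today. The PowerShell script below is an added example, not code from the article or from OneCloud IT Solutions, that lists every member of a workstation's local Administrators group and flags anyone not on an approved list. The approved list is a constructed placeholder (`PRACTICE\IT-Admins` is not a real group); it assumes Windows 10/11 with the built-in LocalAccounts module.

```powershell
# Added example (not from the original article): audit local administrator rights
# against an approved list, in the spirit of "only the access needed for the task".
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, kept for emergency use
    'PRACTICE\IT-Admins'                 # constructed placeholder for the IT staff group
)

$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $approvedAdmins -notcontains $_.Name }

Write-Output "Local Administrators on $env:COMPUTERNAME ($($members.Count) members):"
foreach ($m in $members) {
    $status = if ($approvedAdmins -contains $m.Name) { 'approved' } else { 'NOT APPROVED' }
    # Name, whether it is a user or a group, and its approval status.
    Write-Output ("  {0,-40} {1,-6} {2}" -f $m.Name, $m.ObjectClass, $status)
}

if ($unexpected) {
    Write-Warning "$($unexpected.Count) account(s) hold admin rights without approval:"
    $unexpected | ForEach-Object { Write-Warning "  $($_.Name)" }
    # Removal is left as a separate, reviewed step rather than done automatically:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member '<name>'
} else {
    Write-Output 'All local administrators are on the approved list.'
}
```

Run across every device in the practice (for example through a remote management tool), this turns the "who actually needs admin?" question into a short list that can be reviewed and trimmed.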

Multi-Factor Authentication

Implementing multi-factor authentication is one of the most powerful measures you can take to protect your medical practice. When you sign into an account with multi-factor authentication enabled, you will need to use a second device to confirm your access. A common example is being sent an SMS message with a code when you try to log in through your desktop. 

This quite literally doubles the work a hacker needs to do to access your account, because they need to compromise two of your devices, not just one. 

It’s also a great early warning system when someone is trying to breach your security. If you receive a code, but you know you haven’t tried to access your account, then you know someone is trying to hack you. 

Regular Backups

The patient records kept at medical centres are incredibly important. They contain important information about people’s medical histories, such as notes about allergies, tolerances and health conditions that could affect future treatments. 

While people often think of data breaches as data being stolen, they fail to think about data being withheld or deleted. Ransomware, malware that locks you out of your data and demands a ransom to unlock it, is particularly threatening for medical practices. People need their medical records, and you need them to operate your practice, so hackers may believe you are more likely to pay the ransom.

Backing up your data to the cloud is one way that you can be sure to retrieve it in the event of a cyber attack. Many cloud-based backup solutions store your data on multiple servers across multiple countries. This makes it incredibly difficult for attackers to reach. 

Contact an IT Service

Receiving accreditation as a general medical practice depends on having high-quality cybersecurity. To be confident that you can keep your patient data safe, you need to contact an IT service. 

At OneCloud IT Solutions, we specialise in implementing the Essential 8, as well as additional measures that we know are necessary.

We’ll conduct a full audit of your current cybersecurity setup and identify any vulnerabilities in your system. This allows us to implement any measures required to keep your medical practice and your data safe. 

Contact us today to book a cybersecurity audit, or visit our website for more details about our solutions.