Cover Your Assets by Tom Jewkes and Dan Gavin

Cover Your Assets 

Cybersecurity experts lay out the defenses needed to keep hackers out of the practice


by Tom Jewkes and Dan Gavin


What if your practice was under siege from cyberattackers out to steal your patient data and shut down your business? Would your digital defenses hold up?

In the novel The Return of the King, Gandalf the white wizard was charged with defending the city of Minas Tirith, which had a series of seven concentric walls, each with a gate that faced a different direction, for protection. Each wall and gate were meant to delay an advancing enemy and allow the defense time to counterattack or prepare.

Having multiple layers of cybersecurity to protect your organization’s data and information, known as “defense-in-depth,” is a lot like defending Minas Tirith: It’s designed to slow down attackers before they get to your critical assets. If one set of defenses fails, another mechanism is in place to impede the attack.

Dental defense

Orthodontic offices must protect patient data to be HIPAA-compliant. The goal of defense-in-depth is to make your practice a troublesome target, so it’s not worth an attacker’s time to try to break into your system. Unlike Minas Tirith, where the siege was quite obvious, cyberattacks can go undetected for weeks or even months. Layered defenses, however, can help to slow down those avaricious attackers and subvert the possibility of an undetected attack.

Terms to know

Let’s set the stage with a few definitions:

  • An asset is a physical device or information that’s valuable to your practice. This may include your servers and laptops, as well as any database of customer health and credit card information.
  • A vulnerability is a weakness that, if attacked, could result in the loss of your asset. Examples of vulnerabilities include the use of unencrypted email or customer Wi-Fi access.
  • A threat is any circumstance or event that could adversely affect your practice’s assets. Not always of a malicious nature, threats can include natural disasters like flooding of a server room or a fire, or an employee accidentally deleting patient records.
Take action

What do you do to defend your vulnerable assets from these threats? Implement controls, which are actions, devices, procedures or techniques that remove or reduce a vulnerability. The keys to cybersecurity, controls can make vulnerabilities difficult for attackers to exploit when used in depth.

In the orthodontic world, an asset would be your patient’s tooth. A vulnerability would be the weakening of the tooth’s enamel, making it susceptible to cavities. A threat would be a diet filled with sugary foods and drinks. Protection controls would be regular checkups and cleanings, reducing sugar consumption, brushing, flossing and using mouthwash. You don’t expect your patients to only receive regular checkups and skip the rest. To protect from cavities and gum disease, there’s not just one silver bullet your patients use. Good hygiene defense consists of overlapping protection. In cyber defense, it’s similar—but on steroids.

Get control

There are three types of cybersecurity controls: physical, administrative and technical.

Most office managers understand the basics of physical security; things like locking the front door at night and not letting patients in the back office are commonly done without thinking. However, have you also considered securing computers with a cable if left out overnight? Who has access to your server room? Is it even locked?

We have a saying in the cyber world: “Physical access trumps everything.” With physical access to any computing device, a hacker can break into and access your data, regardless of other control categories you may have implemented. A lost or stolen computer is more than the loss of an $800 laptop; if that laptop contains protected health information, it’s a reportable breach.

Because all dental offices fall under HIPAA, protecting patient information begins with physical controls, such as adding privacy screens to staff monitors and not leaving passwords out in the open. (In one instance, in a health care office, the front desk computer had a sticky note attached to the screen in plain sight with its login username and password, leading to easy access to all patient health information!)

Check these areas

  • Many offices allow patients to log in to a free Wi-Fi network. If you do, have your IT department separate and secure the guest network. Wi-Fi in general is unsecure, but allowing anyone onto the same network as the administration is outright dangerous.
  • Most people don’t consider the network printer, which has many default settings that make it easily hackable. Restrict printer access to only known office devices or require a password for printer usage to reduce the risk.
Administrative efforts

Even when technical controls are strong, sometimes the easiest avenue into your data is through your employees. Can everyone on your staff identify a phishing email? Do they understand the social engineering involved with wire fraud? Are they familiar with basic password hygiene, the dangers of short passwords and password reuse? What would they do if they found a USB device in the lobby? Administrative security, one often-neglected control category, consists of documented policies.

  • Every employee should read and sign a computer acceptable-use agreement that sets guidelines and expectations of what’s allowed on the office network.
  • Password policies should allow for strong, unique passwords.
  • Each office should have a documented backup policy to preserve important data, which sets the frequency and type of the backup. An alternative location for local backups, like a cloud backup, should be included. This prevents losing all your data because of flood or fire at the office. Yes, these things may be inconvenient, but ransomware is even more inconvenient.
Doing the most with the least

You should implement a “least privilege” policy, which gives people access to only the resources they need to accomplish their tasks. Only certain employees should have administrative access to their computers, for example.

Here’s how to see if users have the proper permissions: In a Windows search bar, type “cmd,” which pulls up a suggested application called Command Tool. Right-click over the app and choose “Run as administrator.” If a command tool window pops up without asking for the administrator password, then you are not running with least privilege. This is one of the biggest problems we see with a new client.

Other administrative controls are policies that are in place to protect your business:

  • Your office should have a contingency plan, a disaster recovery plan and an emergency operations plan.
  • An incident response plan—the documented actions to implement should your office be hit with malware—should also be required.
Creating these plans may seem like a waste of time, but if there are ever major problems, these policies will prepare your office to swim rather than sink under the flood of adversity.

Tools to have

Technical security controls—what most people consider to be cybersecurity—are just one leg of the stool. Antivirus software is the most well-known control.

People often ask which antivirus software we recommend and believe it or not, we think Microsoft Defender is usually all most practices need. Defender has become one of the best, and it integrates well with other tools. For those watching the bottom line, it’s free, so you can use that extra money to implement the technical controls you are missing.

Firewalls are probably the second-most well-known technical control. All ports not actively being used should be closed. Cybercriminals regularly scan the internet for open ports used by unsecure protocols.

Case in point: A client’s office received a “Christmas present” of ransomware by opening the port that allows Microsoft’s Remote Desktop to operate. A hacker detected this, did some basic password hacking and dropped in a program to encrypt the server. In the end, the office’s IT department may have found a free way for the business staff to have remote access, but not a secure way. The mistake was costly.

There are many more technical controls, but what most orthodontic offices are missing— critical for today’s advanced malware—is endpoint detection and protection software.

Sophisticated malware is designed to avoid detection by antivirus software. Endpoint detection software instead looks for unusual behavior and raises a red flag if something is out of the ordinary. Endpoint protection software, meanwhile, allows only approved applications on a computer to execute on a computer, which removes the opportunity for malware to operate. (In fact, even approved programs won’t have free rein to do whatever they want, because hackers can also weaponize good programs.) Endpoint detection and protection is a must.

Although insurance is not technically a cybersecurity control mechanism, consider it to be the keep of the castle where your defense system is concerned. If somehow there is a colossal breakdown and you do have a breach, your practice can still survive and be healthy if you have cyber insurance. In the next 10 years, 99% of businesses will be attacked—many more than once.

The idea of defense-in-depth has to do with applying all these different types of controls—physical, administrative and technical—to make it really difficult for cybercriminals to break through. They might sneak around the firewall, but you’ve got a strong password policy. They may get access to your server through a malicious email link, but they can’t execute their malware thanks to your endpoint protection. There may have been a fire in the server room, but cloud backups have you up and running with a new server within a day or two. The idea is to have wall after wall of protection.

Stay prepared

In reality, hackers are lazy. Unless you’re a very high-profile target, they’ll stop when it starts to feel like work. If you make yourself a hard target, the hacker just moves on to the next easy target, forgetting all about you.

When it comes to defense-in-depth, the sum of the protection is much greater than what’s offered by each individual component. Just like the city of Minas Tirith, your cyberdefense needs overlapping and redundant defenses.


Author Bio
Tom Jewkes Tom Jewkes founded CyberEye in 2018 to protect small and medium-sized businesses against advanced cyber threats. Jewkes has three industry-recognized certifications and a master’s degree in cybersecurity, and is a cybersecurity professor at the National Security Agency-accredited University of Arizona. Before starting his business, he had more than 20 years of experience in government and industry.


Dan Gavin Dan Gavin also has three industry certifications, as well as a master’s degree in computer engineering and more than 25 years of software, testing and cybersecurity experience in industry and government.

Website: cybereyeaw.com
Sponsors
Townie® Poll
Do you have a dedicated insurance coordinator in your office?
  
Sally Gross, Member Services Specialist
Phone: +1-480-445-9710
Email: sally@farranmedia.com
©2022 Orthotown, L.L.C., a division of Farran Media, L.L.C. • All Rights Reserved
9633 S. 48th Street Suite 200 • Phoenix, AZ 85044 • Phone:+1-480-598-0001 • Fax:+1-480-598-3450