Health information technology – RISC Management and Consulting

Part of what RISC provides during our regular education sessions is awareness of phishing emails which may lead to sites that collect sensitive information such as login credentials or passwords, and may contain attachments to infect your computer systems. Cybersecurity is defined as the “protection of information and systems that connect to the Internet. It is in fact protecting your personal information or any form of digital asset stored in your computer or in any digital memory device. It includes detection and response to a variety of cyber (online) attacks” according to the Office of the National Coordinator for HealthIT Information Technology (n.d.).

Just last week, the United States Computer Emergency Readiness Team (US-CERT, 2014a) published “Ebola Phishing Scams and Malware Campaigns” as a cautionary statement to the public.

“Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:

Do not follow unsolicited web links or attachments in email messages.
Maintain up-to-date antivirus software.
Refer to the Using Caution with Email AttachmentsCyber Security Tip for information on safely handling email attachments.
Refer to the Avoiding Social Engineering and Phishing AttacksCyber Security Tip for information on social engineering attacks” (USCERT, 2014).

According to How To Geek (2013), even though Microsoft Outlook fixed their vulnerability with regards to using JavaScript for emails which contained security problems, it is prudent to use best practices to stay safe while viewing your email attachments.

Here are some Email Safety Tips gathered from experts:

Keep Your Mail Client, Web Browser, and Operating System Updated: Software updates are important, as the bad guys regularly find holes and try to exploit them. Software updates close some of these holes and help protect you. Many operating systems offer automatic updates. If this option is available, you should enable it. If you are running an outdated browser and email client, you could be compromised. (If you have Java installed, you should it or at least disable the browser plugin to protect yourself, too.)
Use Antivirus Software: On Windows, antivirus software is an important layer of protection. It can help protect you from both mistakes and software bugs that allow malware to run without your permission. If you are using a corporate email system, have a discussion with your Information Technology (I.T.) Department about all the levels of required antivirus; Gateway, Email Server, and Client.
Be wary of unsolicited attachments, even from people you know – Just because an email message looks like it came from your mom, grandma, or boss doesn’t mean that it did. Many viruses can easily “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email as attachments.
Don’t Run Dangerous Attachments: If you get a PDF file from someone, it might be safe to open if your .PDF reader and antivirus software are both completely up to date. However, if you suddenly get an email with a .exe file or another potentially dangerous type of file you aren’t expecting – even if it’s from someone you know – you probably shouldn’t run the attachment. Exercise extreme caution with email attachments – they are still a common source of infection.
Be Careful of Links: Clicking on links provided within the body of an email message is not a good idea. Rather than clicking on a link, which can actually be hyperlinked to something entirely different, open a new tab of your browser and type the address in. When you receive an email that has your bank’s web address in it and it displays as a hyperlink, it could easily map to a scam or virus-laden site.
Trust your instincts – If an email or email attachment seems suspicious, don’t open it, even if your anti-virus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the anti-virus software might not have the signature. Additionally, 0-day, (Zero Day) attacks are attacks that do not have patches developed or deployed yet, and your antivirus will not recognize them as a threat. At the very least, contact the person who supposedly sent the message to make sure it’s legitimate before you open the attachment. However, especially in the case of forwards, even messages sent by a legitimate sender might contain a virus. If something about the email or the attachment makes you uncomfortable, there may be a good reason. Don’t let your curiosity put your computer at risk.
When sending email with sensitive information, remember to encrypt it. Some email applications allow you the option of sending encrypted or not encrypted. When in doubt, encrypt. If you don’t have an email encryption solution, use an alternate secure method and contact I.T. to add this to their budget requests.
Do business with reputable companies.
Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

Additional important security tips from the US-CERT (2014b) is knowing how attackers use certain social skills to obtain information such as social engineering and phishing attack.

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
epidemics and health scares (e.g., H1N1)
economic concerns (e.g., IRS scams)
major political elections
holidays

The goal is not to become the victim. It is important to protect your privacy. Be suspicious of unsolicited phone calls, visits or email messages if others are asking questions about employees or colleagues. Always verify the source directly. It is not good practice to provide personal or financial information via email unless it was through a verified source and encrypted route. Take the extra step to install and maintain anti-virus software, firewalls, and email filters to reduce spam.

Be aware and keep abreast of technology. Lastly, be vigilant for signs of identity theft and consider reporting the attack to the police or file a report with the Federal Trade Commission (http://www.ftc.gov/). For more information on Identity Theft, please visit https://www.fdic.gov/consumers/consumer/alerts/theft.html.

References

Cybersecurity. (n.d.). Office of the National coordinator for Health Information Technology. Retrieved from http://www.healthit.gov/

How To Geek. (2013). Why opening an email is safe. Retrieved from http://www.howtogeek.com/135546/htg-explains-why-you-cant-get-infected-just-by-opening-an-email-and-when-you-can/

US-CERT. (2014a). Ebola phishing scams and Malware campaigns. Retrieved from https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns

US-CERT. (2014b). Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/st04-014

Solutions

Read the 10 Best Practices for CyberSecurity
Implement the use of Password Managers, visit http://lifehacker.com/5042616/five-best-password-managers
Visit Microsoft’s Safety and Security Center https://www.microsoft.com/security/pc-security/password-checker.aspx
Use Wi-Fi networks cautiously. Use VPN or SSL protection. Do not send sensitive data such as mobile banking through public Wi-Fi and Bluetooth. Turn off Bluetooth when not in use.
Make sure links or URLs are legitimate – only go to trusted sources
Install security software on your smartphone http://www.avast.com/en-us/free-mobile-security

SOLUTIONS

Solutions for cyber security

Note: Number nine pertains to Mobile Device protection, and a strong password is the best tip. For more information http://www.healthit.gov/providers-professionals/cybersecurity

Use Strong Passwords and Change Them Regularly – Visit Microsoft Safety and Security Center to see if your password is strong enough: https://www.microsoft.com/security/pc-security/password-checker.aspx
Install and Maintain Anti-Virus Software
Use a Firewall
Control Access to Protected Health Information
Control Physical Access
Limit Network Access
Plan for the Unexpected
Maintain Good Computer Habits
Protect Mobile Devices
Establish a Security Culture

Protect Mobile Devices

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media— have opened a world of opportunities to un-tether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

Because of their mobility, these devices are easy to lose and vulnerable to theft.
Mobile devices are more likely than stationary ones to be exposed to electro-magnetic interference (EMI), especially from other medical devices, such as MRI machines. This interference can corrupt the information stored on a mobile device.
Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.
Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1 . Many handheld devices can be configured with password protection and this should be enabled when available. Additional steps must be taken to protect PHI on the handheld, including extra precaution over the physical control of the device, if password protection is not provided.
Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). PHI transmitted unencrypted across public networks (e.g. the Internet, public Wi-Fi services) can be done where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt the removable media like the microSD card in your phone.

If it is absolutely necessary to take a laptop out of a secure area when the laptop contains patient data, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, it is hard to envision a reason that all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to ignore the benefits such as safe harbor from federal and state data breach laws.

Policies specifying the circumstances under which devices may be removed from the facility are very important and all due care must be taken in developing and enforcing these. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be considered in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.

Sponsored by: RISC Management, www.RISCsecurity.com

Contact us today for all your compliance needs: Sales@RISCsecurity.com

References

About.com. (2014). What makes a smartphone smart? Retrieved from http://cellphones.about.com/od/smartphonebasics/a/what_is_smart.htm

Bloomberg Business Week. (2013). How Samsung became the world’s no. 1 smartphone maker. Retrieved from http://www.businessweek.com/articles/2013-03-28/how-samsung-became-the-worlds-no-dot-1-smartphone-maker

HealthIT.gov.(2014). CyberSecurity: 10 Best practices for the small health care environment. Retrieved from http://www.healthit.gov/providers-professionals/cybersecurity

Hill, M. (2010). 5 Terrifying ways your own gadgets can be used to spy on you. Retrieved from http://www.cracked.com/article_18532_5-terrifying-ways-your-own-gadgets-can-be-used-to-spy-you.html

Home Box Office, Inc. (2014). The Wire. Retrieved from http://www.hbo.com/the-wire#/

Microsoft. (2014). Safety and security center: Create strong passwords. Retrieved from https://www.microsoft.com/security/pc-security/password-checker.aspx

Tech Media Network. (2014). Top Ten Reviews: 2014 Best smartphone reviews and comparisons. Retrieved from http://cell-phones.toptenreviews.com/smartphones/

U.S. Department of Health & Human Services. (2014). Health Information Privacy: Guidance materials for consumers. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

U.S. Department of Justice. (2013). Privacy and civil liberties: Electronic Communications Privacy Act of 1986. Retrieved from https://it.ojp.gov/default.aspx?area=privacy&page=1285