School is in session. In this new series, Quick Wins, we put aside all of the doom and gloom about HIPAA breaches. This series is designed to give you information that you can use NOW for quick wins in your own practice. In this week’s Quick Wins, we will show you three ways you can improve your electronic health record (EHR) security now and protect your practice. HIPAA is complicated and hard for many practices to wrap their heads around. Quick Wins will give you bite-sized portions to help you get your practice compliant. One more thing: where possible, we provide you with tips that are free for your practice to use. There is no reason to pay extra money if you can get a useful service for free.
What is the number one threat to electronic health record security? At the current time, it is phishing attacks. Looking through the HIPAA Breach Portal, you can see that the majority of the breaches listed are a result of phishing attacks (they are listed as Email on the portal).
What is a phishing attack?
In a phishing attack, the attackers will send out emails that are made to appear legitimate but also push the user to perform an action. This could be opening an attachment or clicking on a link. The content of the email is designed to create a sense of urgency. Examples would be an email from your bank or credit card company saying a transfer or charge had occurred or that your package from Amazon had been delayed. Sometimes phishing attacks use threats from the IRS or other government agencies. The IRS never sends emails but many people will still click on them out of fear.
The purpose of a phishing email is to get a user to perform some action that will lead to the attacker gaining access to the system. For HIPAA purposes, this is a breach.
How phishing attacks compromise electronic health record security
Once an attacker sends out phishing emails, they wait to see if anyone will bite. If a user opens the attachment or clicks on the link in one of these emails, their computer will likely be compromised. At that point, the attacker will have access to the computer and network of the practice. From there, they are free to steal data and compromise the security of your health records. Most breaches of this kind go unnoticed for months, which gives the attacker plenty of time to steal whatever they want. Breaches such as that of Peachtree Orthopedic in Atlanta, Georgia, exposed hundreds of thousands of patient records. This attack went on for months before it was discovered, and the attackers were able to steal the records of nearly 500,000 patients.
How can you prevent phishing attacks?
The weak link in phishing attacks is always the user. As noted above, phishing emails play to the emotions and work hard to pressure the user to click on them. This is by design. The best way to defend against this is to provide training to your users. Google provides free online training that is a good way to help your employees understand phishing and how to detect it.
Some of the tests in Google’s training are hard at first. But once you understand what to look for in a phishing email, it becomes pretty easy to detect them.
You can find Google’s phishing training here.
The second thing you can do is to stop the phishing emails from working if a user were to click on them. Most phishing emails use domain names that are created for the purpose of these attacks. Once the attacks have begun to spread, the domain names become well known. Cybersecurity services add these domains to various blacklists so that businesses and users can block them. This step will show you a way to make use of those blacklists.
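To make the two ideas above concrete (what to look for in a phishing link, and how a domain blacklist is applied to it), here is an added PowerShell example that is not part of the original post. It scans the HTML body of an email for links and flags a link whose visible text shows one domain while the href points to another, and a link whose host is on a blacklist (a blacklisted domain also covers every name beneath it, as a DNS filter would treat it). The blacklist entries and the sample email are constructed for illustration.

```powershell
# Added example (not from the original post): flag suspicious links in an email body.
# The blocklist and the sample message below are constructed for illustration.

function Get-HostName {
    param([string]$Url)
    try {
        $uri = [System.Uri]$Url
        return $uri.Host.ToLowerInvariant().TrimEnd('.')
    } catch {
        return $null   # not a parseable absolute URL
    }
}

function Test-BlockedHost {
    param([string]$HostName, [string[]]$Blocklist)
    # A blocked domain also blocks every name beneath it (login.bad-example.test).
    $labels = $HostName.Split('.')
    for ($i = 0; $i -lt $labels.Length; $i++) {
        $candidate = ($labels[$i..($labels.Length - 1)] -join '.')
        if ($Blocklist -contains $candidate) { return $true }
    }
    return $false
}

function Find-SuspiciousLinks {
    param([string]$HtmlBody, [string[]]$Blocklist)
    $findings = @()
    # Match <a href="...">text</a>; sufficient for typical HTML email bodies.
    $pattern = '<a\s+[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $pattern, 'IgnoreCase,Singleline')) {
        $href     = $m.Groups[1].Value
        $text     = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $hrefHost = Get-HostName $href
        if (-not $hrefHost) { continue }

        if (Test-BlockedHost $hrefHost $Blocklist) {
            $findings += [pscustomobject]@{ Href = $href; Reason = "host '$hrefHost' is on the blocklist" }
        }

        # If the visible text looks like a web address, it should match the real target.
        $textHost = $null
        if ($text -match '^(https?://)?([a-z0-9.-]+\.[a-z]{2,})') { $textHost = $Matches[2].ToLowerInvariant() }
        if ($textHost -and $textHost -ne $hrefHost -and -not $hrefHost.EndsWith(".$textHost")) {
            $findings += [pscustomobject]@{ Href = $href; Reason = "link text shows '$textHost' but points to '$hrefHost'" }
        }
    }
    return $findings
}

# Constructed sample: a fake "your package is delayed" message with two bad links and one legitimate one.
$blocklist = @('bad-example.test', 'stolen-creds.example')
$sample = @"
<p>Your package is delayed. <a href="https://login.bad-example.test/track">Track it now</a>
or visit <a href="https://stolen-creds.example/a">www.mybank.example</a>.</p>
<p><a href="https://www.mybank.example/help">www.mybank.example</a></p>
"@

Find-SuspiciousLinks -HtmlBody $sample -Blocklist $blocklist | Format-Table -AutoSize
```

Run against the constructed sample, the first link is reported because its host falls under a blacklisted domain, the second is reported twice (blacklisted host, and the visible text names a bank while the target is a different domain), and the third produces no finding. The mismatch check is the same thing Google's training teaches users to do by hovering over a link before clicking it.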
Quad9 is a DNS provider that uses blacklists to protect its users. Quad9 is free to use. From their site, Quad9 claims to block 10 million sites per day. They use data from 18 different threat providers to build their filtering system. This provides an enormous list of malicious sites that grows daily.
How does Quad9 work?
To use Quad9, you change the DNS servers on your computer or router to use theirs. When you go to open a website, the request for the website first goes to Quad9’s servers and they compare that request to their list of known malicious sites. If the site you are trying to visit is on the blacklist, you are not allowed to browse to it. This protects you from going to sites that would possibly infect your computer or steal your usernames and passwords.
From the Quad9 site
The best way to use Quad9 is to change the DNS servers in your firewall or router. Quad9 uses the following DNS server addresses:
If you want to try it on a single computer, Quad9 has a step by step guide on how to set up your Windows 10 computer. You can see that video here.
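For practices that would rather script the single-computer setup than follow the video, here is an added PowerShell example; it is not from the original post or from Quad9's guide. It finds the adapter that carries the default route, records its current DNS servers, points it at Quad9, verifies the change, and confirms that ordinary names still resolve. The resolver addresses 9.9.9.9 and 149.112.112.112 are Quad9's published addresses taken from Quad9's own documentation rather than from this page. It assumes a Windows 10 machine and an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the original post or Quad9's guide): switch the active
# Windows adapter to Quad9 and verify. Run from an elevated PowerShell prompt.
# 9.9.9.9 / 149.112.112.112 are Quad9's published resolver addresses.

$quad9 = @('9.9.9.9', '149.112.112.112')

# The adapter that carries the default IPv4 route is the one you browse through.
$ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
            Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
$adapter = Get-NetAdapter -InterfaceIndex $ifIndex

# Record the current servers so the change can be reverted.
$before = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
Write-Host "Adapter '$($adapter.Name)' currently uses: $($before -join ', ')"

# Point the adapter at Quad9 (replaces DHCP-assigned or manual servers).
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $quad9
Clear-DnsClientCache

# Verify: the adapter should now list exactly the Quad9 addresses ...
$after = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
if (@(Compare-Object $after $quad9).Count -eq 0) {
    Write-Host "DNS servers set to Quad9: $($after -join ', ')"
} else {
    Write-Warning "Unexpected DNS servers: $($after -join ', ')"
}

# ... and ordinary names must still resolve through it.
Resolve-DnsName -Name 'example.com' -Server $quad9[0] -Type A | Select-Object Name, IPAddress

# To revert: Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ResetServerAddresses
# (returns to DHCP-assigned servers), or -ServerAddresses $before to restore the saved list.
```

Setting the servers on the firewall or router, as the post recommends, reaches every device at once; this per-machine script is useful for a laptop that leaves the office network, or for trying Quad9 on one computer before changing the router.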
3. Anti-malware software
The third and final way to help prevent phishing attacks from breaching your electronic health record security is anti-malware software. This one, unfortunately, isn’t free. In our experience, there isn’t a good anti-malware software product that is free. Most free versions do not include real-time scanning. Real-time scanning means that the software is actively watching what you do and, if malware is found, it will react. Most free software simply runs scheduled scans. This will find an infection AFTER it has occurred. By then, the attacker has already compromised your security. It is necessary to use software that has real-time scanning capability. The one exception to this is Microsoft’s Windows Defender. It is included with Windows 10 and does a pretty good job. However, a paid software product usually performs much better and offers additional services like intrusion detection, sandboxing, etc. Currently, we recommend products from the following vendors:
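Since the point above is that real-time scanning must actually be on, here is an added PowerShell check, not from the original post, that confirms Windows Defender's real-time protection is enabled and its signatures are current. It assumes a Windows 10 machine with the built-in Defender PowerShell module (Get-MpComputerStatus); the three-day signature-age threshold is an assumption you can adjust.

```powershell
# Added example (not from the original post): verify that Defender's real-time
# scanning is on and signatures are recent. Assumes Windows 10 with the Defender module.

function Test-RealTimeProtection {
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold; adjust to your policy
    $status = Get-MpComputerStatus
    $issues = @()
    if (-not $status.AMServiceEnabled)          { $issues += 'Defender service is not running' }
    if (-not $status.RealTimeProtectionEnabled) { $issues += 'real-time protection is OFF (only scheduled scans would run)' }
    if (-not $status.AntivirusEnabled)          { $issues += 'antivirus engine is disabled' }
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $issues += "signatures are $([int]$sigAge.TotalDays) days old"
    }
    [pscustomobject]@{
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        Healthy          = ($issues.Count -eq 0)
        Issues           = $issues
    }
}

$result = Test-RealTimeProtection
if ($result.Healthy) { Write-Host 'Real-time protection is on and signatures are current.' }
else { Write-Warning ($result.Issues -join '; ') }
```

If a paid anti-malware product is installed, Defender steps aside and this check will report it as disabled; in that case confirm real-time scanning in the paid product's own console instead.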
If you follow these three steps, you will go a long way to preventing successful phishing attacks against your practice.