Types of Cyber Attacks & How To Improve Your Practice Security
Part two of our blog series on protecting your medical practice from a data breach looks at how data breaches actually occur. We encourage you to read part 1 of this series before continuing.
Types of vulnerabilities
Vulnerabilities come in many shapes, sizes and disguises. We’ve summarised some of the most common forms below.
Malicious and criminal attacks
Healthcare providers should be aware of malicious or criminal attacks which are designed to exploit known vulnerabilities for financial or other gain. These can include:
- Theft of paperwork or data storage devices holding patient data;
- Social engineering: an attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations;
- Insider threat: an attack by an employee or insider acting against the interests of their employer or another entity;
- A cyber incident that targets computer information systems, infrastructure, computer networks or personal computing devices;
- Malware: short for ‘malicious software’, a malware attack uses software such as viruses to gain unauthorised access to computers, steal information and disrupt or disable networks;
- Ransomware: malicious software that makes data or systems unusable until the victim makes a payment;
- Phishing: untargeted, mass messages sent to many people asking for information, encouraging them to open a malicious attachment or to visit a fake website that prompts the user to provide information or download malicious content;
- Brute-force attack: a typically unsophisticated and exhaustive process for discovering a cryptographic key or password by systematically trying every alternative until the correct one is found;
- Credentials that are compromised or stolen by unknown methods;
- Hacking, or unauthorised access to a system or network (other than by phishing, brute-force attack or malware), often in order to exploit the system’s data or manipulate its normal behaviour; or
- Business email compromise (BEC): a form of cybercrime that uses email fraud against business, government and non-profit organisations to harm (for example financially) the targeted organisation.
Types of phishing attacks
Phishing comes in many forms depending on the attacker and the target, including:
- Email phishing: the most widespread form of phishing. These emails are designed to trick users into entering their login credentials or personal information, opening malicious attachments, and so on;
- Smishing and vishing: use SMS and voice messages to trick users into clicking a link or providing sensitive information;
- Spear phishing: personalised phishing emails targeted at specific employees within the company (often top executives, finance or payroll staff);
- Whaling (CEO fraud): named after the biggest ‘phish’, whaling attacks impersonate the target company’s CEO or top executives. These emails pressure specific employees (often in accounting or payroll) to immediately pay a fake invoice or share sensitive information. This form of phishing often relies on spoofed emails; or
- Email spoofing: the attacker impersonates a known company domain to fool people into trusting the email.
Stay safe through secure passwords
When it comes to understanding online safety, password security is the baseline action for keeping your accounts cyber safe. We’ve compiled our top tips for better protecting your online passwords:
1. Use a strong passphrase
A passphrase is a list of random words put together to create a phrase, for example ‘B@nanas Ate Breakfast In My Ferr@ri’. A combination such as this creates a strong passphrase that is easy to remember. Passphrases are widely regarded as longer and stronger than passwords.
We recommend making sure the words in the phrase are unrelated and unpredictable – although memorable enough so that you still remember the phrase.
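To show why random, unrelated words make a strong passphrase, here is an added example (not MedicalDirector’s code) that generates a passphrase with a cryptographic random source and compares its entropy with that of a random character password. The word list is a constructed stand-in; the comparison assumes a 7,776-word diceware-style list and 95 printable ASCII characters, and the arithmetic only holds when the words are drawn at random rather than chosen by a person.

```python
import math
import secrets

# Constructed sample word list used as a stand-in for a real list; a real
# diceware list has 7,776 entries, which is the size assumed in the comparison.
SAMPLE_WORDS = [
    "banana", "ferrari", "breakfast", "lantern", "compass", "violet",
    "granite", "saddle", "whistle", "meadow", "pelican", "copper",
]
DICEWARE_LIST_SIZE = 7776   # 6^5: five dice rolls select one word
PRINTABLE_ASCII = 95        # symbols available to a random character password


def make_passphrase(n_words: int = 5, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Join n_words chosen uniformly at random using the secrets module (a CSPRNG),
    never the random module, so the words are unrelated and unpredictable."""
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent uniform picks out of
    `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_beats_password(n_words: int, password_len: int) -> bool:
    """True when a random n-word passphrase carries more entropy than a random
    password of password_len printable-ASCII characters."""
    return entropy_bits(DICEWARE_LIST_SIZE, n_words) > entropy_bits(PRINTABLE_ASCII, password_len)


if __name__ == "__main__":
    print(make_passphrase())
    print(f"5 random words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print(f"8 random printable chars: {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
```

Five random words from a 7,776-word list give roughly 64.6 bits, more than an 8-character random password at about 52.6 bits, while staying memorable.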
2. Never reuse the same password
Reusing the same password for multiple accounts is a dangerous game. It is like having several houses and using the same key for all of them. Password reuse exposes your accounts to credential stuffing attacks, in which credentials obtained from one account are used to attempt to log in to another, unrelated account.
And don’t mix work and play! It is important to always use a separate passphrase for your work accounts and your personal accounts.
3. Use a password manager
Password managers can be a simple tool for generating complex, unique passwords for each of your accounts before storing these away in a secure vault. You can then access the vault through a single ‘master’ password – or passphrase – which opens the vault to provide the password for the account you’re trying to access.
This eliminates the temptation of making the security faux pas of writing long, complex passwords on sticky notes or sharing passwords with colleagues.
4. Implement Multi-factor Authentication (MFA)
Multi-factor Authentication (or ‘MFA’ for short) adds an extra layer of security to an account. MFA requires multiple forms of authentication to prove that you are who you say you are when logging in to your accounts, such as a one-time password, fingerprint or retina scan.
Setting up MFA for all your key accounts helps to increase online security and reduce the risk from attackers, and this includes enabling MFA on your password manager.
Human error
Human error and malicious intent are among the leading causes of internal data breaches.
Patient confidentiality can be compromised through an unintended action of an individual, for example inadvertently sending a document containing personal information to the incorrect recipient via SMS, email, fax, mail or another channel.
Other examples include:
- Failing to use blind carbon copy (or ‘BCC’) when sending an email to a group, thereby disclosing all recipient email addresses;
- Insecure disposal of personal information that could lead to unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin;
- Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on public transport;
- Failure to effectively remove or de-identify personal information from a record before disclosing it;
- Disclosing personal information verbally without authorisation, for example, a member of staff announcing it aloud in a waiting room; and
- Unauthorised disclosure of personal information in a written format, including paper documents or online.
System faults
Less common causes of data breaches are business or technology process errors, such as system faults, that were not caused directly by human error.
Maintaining strong operational security and best practice privacy governance
At MedicalDirector, part of Telstra Health, we know that cyber security is one of the biggest threats to businesses in today’s digital climate. It is crucial that medical practices take proactive measures to protect their sensitive information and systems.
As part of Telstra, Australia’s largest telecommunications company, MedicalDirector has the innovation, technology, cyber security expertise, data governance, national infrastructure and financial sustainability to provide a safe and reliable ecosystem for our customers.
All MedicalDirector solutions and software are backed by the Telstra Security Operations Centre, which helps to decrease the likelihood of side-channel access to data.
How robust is your practice’s privacy and security?
The Essential Eight Maturity Model is based on the Australian Cyber Security Centre’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.
When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.
Medical practices that would prefer security specialists to review their current practices and assist them in improving privacy and security could consider MedicalDirector Shield.
Customers of MedicalDirector Shield can benefit from:
- Initial recommendations to improve your cyber security;
- A physical intrusion detection device that plugs directly into your network;
- 24/7 monitoring through Telstra’s Cyber Security Operations Centre;
- Cyber security reporting;
- Training for your team to prepare you for responding to and addressing the ‘human factor’ risks commonly involved in cyber security breaches; and
- Guides to help you respond to incidents.
Further resources
For further information, we recommend referring to the following resources.