SECURITY GUIDANCE

Overview

This document provides guidance on security principles that will help keep your clinic secure and prevent an information breach or loss. We also touch on whether Cyber Security Insurance should be taken up, and provide staff training advice and templates to improve your security.

What risks does my clinic face?

Cyber breaches, data theft and cybercrime in general cost businesses an estimated $600 billion in revenue in the six months to June 2018. Because there is a lot of money in stealing information or holding a business's data to ransom, there are many criminals trying to do exactly that.

This year has also seen a significant increase in the 'CEO scam' (also known as business email compromise): an email, apparently sent by a decision maker in your company, demanding that an urgent bill be paid immediately.

How do Cyber attacks occur?

There are many ways a cyber attack can occur. They can be grouped broadly into two categories:

Employee Exploits or Attacks

These attacks are the most common and the largest cause of cyber breaches in Australia. Common methods include:

  • Phishing, spam and other deceptive emails used to gain access, or to install or download software into your business environment
  • Fake websites that imitate legitimate ones and trick users into entering credentials or performing an action
  • Tricking someone into revealing their password, then using that access to steal or ransom data
  • Phone call scams: fake tech support, callers pretending to be from your bank, etc.

Network or Software Exploits

These attacks use network knowledge or commonly available tools to attempt to break into a system. This may include:

  • Guessing common usernames and passwords against commonly used remote access services
  • Using bugs in (usually unpatched) software to gain access to a system
  • Scanning your network for commonly exposed services, then trying known exploits against them
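As an added example (not part of Vibe's guidance or of any product), the following Python script shows what the first of these methods, password guessing against a remote access service, looks like in a logon log and how it can be spotted. The log format, the IP addresses, the usernames and the thresholds are all assumptions for illustration, and the log lines are constructed.

```python
"""Spot password guessing against a remote access service in its logon log.

Added example, not part of Vibe's guidance or of any product. It runs over a
few constructed log lines in a made-up but typical shape:
    <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
Real services (Windows security events, sshd, VPN appliances) each log in
their own format, so only parse_line() would need changing for real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation IP ranges, no real hosts):
#   203.0.113.45  tries a list of common usernames in quick succession
#   198.51.100.7  tries one account slowly, once an hour
#   192.168.1.20  is a staff member who mistyped their password once
SAMPLE_LOG = """\
2018-06-01T00:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T01:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T02:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T02:14:03 FAIL user=admin src=203.0.113.45
2018-06-01T02:14:04 FAIL user=administrator src=203.0.113.45
2018-06-01T02:14:06 FAIL user=reception src=203.0.113.45
2018-06-01T02:14:07 FAIL user=doctor src=203.0.113.45
2018-06-01T02:14:09 FAIL user=test src=203.0.113.45
2018-06-01T02:14:10 FAIL user=guest src=203.0.113.45
2018-06-01T02:14:12 FAIL user=admin src=203.0.113.45
2018-06-01T02:14:13 FAIL user=admin src=203.0.113.45
2018-06-01T03:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T04:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T05:00:00 FAIL user=admin src=198.51.100.7
2018-06-01T09:01:10 FAIL user=reception src=192.168.1.20
2018-06-01T09:01:25 OK user=reception src=192.168.1.20
not a log line at all
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, succeeded, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result == "OK", user, src


def find_guessing_sources(log_text, window_minutes=10, max_failures=5, max_users=3):
    """Map each suspicious source IP to its busiest window of failed logons.

    A source is flagged when, within any window of `window_minutes`, it either
    fails more than `max_failures` times (brute force) or tries more than
    `max_users` distinct usernames (a password spray, which can stay under
    per-account lockout limits while still hitting many accounts).
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines in an unexpected format
        ts, ok, user, src = parsed
        if not ok:
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):  # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        users = sorted({user for _, user in best})
        if len(best) > max_failures or len(users) > max_users:
            flagged[src] = {"failures": len(best), "users": users}
    return flagged


if __name__ == "__main__":
    for src, info in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed logons in 10 min, "
              f"usernames tried: {', '.join(info['users'])}")
```

With the default 10-minute window the fast guesser is flagged but the once-an-hour source is not; passing window_minutes=360 catches it as well, which is why slow guessing needs long windows or per-account counters. Detection like this only tells you an attempt happened; what actually stops the attack is not exposing remote access services directly to the internet, account lockout, and multi-factor authentication.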

What can we do to prevent Cyber Breaches?

Vibe actively manage your network, security and patching to reduce the risk of a security breach or cyber attack. In addition, our network access and security policies reduce the risk and the attack surface (the set of ways an attacker could gain access) of your clinic.

All devices within your network are configured with anti-virus software which reports to our central server when a virus or other threat is detected. These alerts let us manage any issues proactively should they occur.

We also apply security policies and regularly audit your network, which reduces the risk of breaches occurring by limiting the ability to perform certain dangerous tasks.

While Vibe actively manage your IT environment to reduce the risk of cyber breaches, it is also important to address the most common route by which breaches occur: your staff.

Staff Training

Training your staff is critical to preventing cyber breaches. Vibe recommend that, at minimum, staff are aware of the following guidance:

– Never open an email from an unknown sender, and never click links in one.

– If you receive an email with an attachment from an unknown person, or from a company you do not work with, do not open the attachment.

– Your team will receive emails like this from time to time; treat them as routine, do not open them, and report them.

How can my practice prepare for a breach?

We recommend that all our clients prepare a cyber security breach response process document so that you are prepared if you ever have a data breach. For an example of this please refer to the Department of Health policy.

Please ensure that as part of the process your team call and notify Vibe immediately of any breaches so that we can assist in managing the incident as best we can.

Should we get Cyber Insurance?

Legally, we cannot provide you with any advice as to whether you should purchase Cyber Insurance, or any insurance for that matter. We recommend you speak to your business insurance representative for more information.

Frequently Asked Questions

Email can be secure, but this is not guaranteed: a message may pass through, and be stored on, mail servers that neither you nor the recipient control. We therefore strongly recommend against transferring any private patient files, documentation or information via email to people outside of your organisation.

Vibe recommend using secure messaging providers such as Argus, Medical Objects or similar applications to transfer private information. In most cases laboratory and test results can be delivered via these types of applications.

Using a secure Australian-based electronic fax service (such as GoFax) is also a suitable option and can be set up to be as simple to operate as sending an email.

Generally speaking, these applications are safe to use, however there are a couple of considerations:

– Where your data is stored. If you are using a service which stores data overseas then you are subject to that country's data laws. This has medico-legal implications which must be considered.

– How your data is stored. Choosing a plan which allows us to control security (who can access the files, and how they are stored) is critical.

– How your data is backed up. Many people see online services as a backup location, however a virus such as ransomware that encrypts files on a PC will usually also encrypt the copies synchronised to your online storage.

The best course of action is to call us immediately with details of how you believe the virus got onto your machine. This will allow us to diagnose the issue as quickly as possible and prevent any further impact.

If you are unable to call, disconnect the PC from the network (unplug the network cable or turn off Wi-Fi), switch it off, then call us when possible.

The best course of action is always to call us if you are unsure about an email. Beyond that, some tell-tale signs of virus or scam emails are:

– An email asking for your personal details

– A bill or email from a company you do not have an account with

– Bad grammar and excessive spelling mistakes from people you do not regularly communicate with

– Emails with a sense of urgency asking for bills to be paid, from people you do not know

– Emails where the display name is faked, so that a familiar name appears on top of an unfamiliar sending address:

[Image: example of a faked display name in Outlook]

– Emails where links are faked or hidden, or point to strange websites. In the example below, an email supposedly from LinkedIn has a link which points to a French website:

[Image: example of a faked link in Outlook]

If you are ever unsure or suspicious of an email please contact us and we will assist accordingly.
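As an added example (not part of Vibe's guidance or of any mail product), the following Python script checks a message for the last two signs above: a faked display name, and a link whose visible text does not match where it really points. The two messages it runs on are constructed for illustration, as are the domain names in them.

```python
"""Check an email for two phishing tells: a display name that impersonates
another address, and links whose visible text does not match their target.

Added example, not part of Vibe's guidance or of any mail product. It runs
on two constructed messages embedded below; the same checks can be applied
to a .eml file saved from the mail client.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample (hypothetical hosts): the display name pretends
# to be a linkedin.com address, and the link that reads as linkedin.com really
# points at a French-hosted lookalike, as in the LinkedIn example above.
PHISH_EMAIL = """\
From: "notifications@linkedin.com" <alerts@mail-notify.example.net>
Reply-To: alerts@mail-notify.example.net
To: reception@clinic.example
Subject: You have 3 new messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in to read your messages:</p>
<a href="http://linkedin.com.secure-login.example.fr/signin">https://www.linkedin.com/messaging</a>
<p>Unsubscribe <a href="https://www.linkedin.com/unsubscribe">here</a></p>
</body></html>
"""

# Constructed legitimate sample for contrast: names and links line up.
LEGIT_EMAIL = """\
From: Dr Jane Smith <jane.smith@clinic.example>
To: reception@clinic.example
Subject: Roster
Content-Type: text/html; charset="utf-8"

<html><body><p>Roster is at <a href="https://intranet.clinic.example/roster">intranet.clinic.example</a></p></body></html>
"""


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def site_of(host):
    """Crude site name: the last two labels (www.linkedin.com -> linkedin.com).
    Good enough for an illustration; real tooling should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


# A hostname or URL appearing in the visible text of a link.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def check_email(raw):
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, sender = parseaddr(str(msg["From"]))
    # Tell 1: the display name looks like an address, but from a different domain.
    if "@" in display and domain_of(display) != domain_of(sender):
        findings.append(f"display name '{display}' does not match real sender {sender}")
    # Tell 1b: replies would go to a different domain than the sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To {reply_to} differs from sender {sender}")

    # Tell 2: the link text names one site but the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            m = HOST_IN_TEXT.search(text)
            if not m:
                continue  # text like "here" makes no claim about the destination
            shown, real = site_of(m.group(1)), site_of(urlparse(href).hostname or "")
            if shown != real:
                findings.append(f"link shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, check_email(raw) or ["no tells found"])
```

The site_of() comparison is deliberately crude (last two labels only); real tooling should use the public suffix list, since two unrelated .com.au or .gov.au sites would otherwise compare equal. To check a live message, save it from the mail client as a .eml file and pass its contents to check_email().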

Useful Websites

– Scamwatch: this government-run website (operated by the ACCC) has useful information on the types of scams commonly run and can send you email alerts about new scams.