Cyber Security: Protecting Your Practice from Bad ...
Recorded Webinar
Video Transcription
Hello, welcome to a discussion on cybersecurity and protecting your practice from bad actors. My name is Eden Essex, and I will be the announcer for this session. We will go ahead and bring up the title slide, if you wouldn't mind sharing your screen, Stephen. And while he's doing that, I'll make a few points before we get started. You'll be able to submit questions and comments throughout the event via the Q&A box. Your questions will be addressed following the presentation. There are handouts, and those will be sent to you via email following the presentation. Now it's my pleasure to introduce you to our moderator for the session, Barbara Tauscher. Barbara received her master's degree in healthcare administration from the University of Minnesota and is a fellow in the American College of Medical Practice Executives. She has worked in a variety of primary care and specialty practices, notably including gastroenterology, over the last 35 years, focused on practice management in settings ranging from a small office to large medical groups with multiple facilities. Barbara is a member of the ASG practice operations committee. I will now hand the proverbial floor over to Barbara.

Thank you very much, Eden. Cyber incidents in healthcare have been increasing. From 2018 to 2022, there was a 93% increase in large data breaches and a 278% increase in breaches involving ransomware. Healthcare facilities are attractive targets due to our size, our dependence upon technology, sensitive data, and some unique vulnerabilities to disruptions. One of our greatest fears in any healthcare entity is to lose access to the electronic medical record. The recent breach of Change Healthcare illustrated the unique areas of vulnerability that are present in the healthcare field outside of the EMR system. As many of you know, the Change Healthcare platform is one of the largest information exchange platforms in the US.
The company manages 15 billion, with a B, claims per year, totaling over $1.5 trillion. The recent breach affected claims processing, payment posting, and prescription management, things that we often don't think about in a security breach. The safeguarding of patient information is critical, and addressing these risks requires proactive steps and continual awareness by the clinic's IT and management departments. We are incredibly grateful to Stephen Hammond for sharing his time and his expertise with us today. Stephen is the co-founder and managing partner of IT Group Northwest, and for more than 25 years, IT Group Northwest's team of information technology professionals has been architecting, deploying, and supporting reliable and secure information technology systems for small and mid-sized businesses in the Portland area. I've had the privilege of knowing Stephen through my colleagues, and I've always heard great things about him. So Stephen, the audience is yours.

Thank you very much, Barbara. Good afternoon, everyone. Thank you for inviting me today to talk about cybersecurity for small and mid-sized medical practices. I want to start by sharing that I am not a presenter by trade. This is not something I do very often. I'm used to speaking with folks in person and having interactive conversations. Hopefully my content adapts well and this goes smoothly. Cybersecurity, data theft, ransomware: these and related topics are in our news feeds every day. If you take these topics seriously, it can be hard to sleep at night. The thought that the bad actors are working 24/7 to break into your environment makes many of us want to just bury our heads in the sand and hope for the best. That's certainly an understandable reaction, but clearly not a good response.
The primary goal I have for today is to help cut through all the noise and bring you a better understanding of the cybersecurity landscape and a distilled list of specific things that you can and should do to better protect your practice. This presentation is not a deep dive, nor is it going to make any of you cybersecurity experts, but I hope it will enlighten and empower you to have good conversations with your security and IT experts. After this webinar concludes, I'll be updating the handout to try to capture the Q&A portion. Once the handout's been updated, it will be sent to each of you via email. I am in no way being compensated, nor do I have a financial interest in any of the products or services we're talking about today, so you can count on this information not being biased or conflicted for my personal gain. The agenda for today is basically five sections. I'd like to talk about some security fundamentals, some underlying principles that everything else is based on. Then I'm going to present a list of what I consider cybersecurity essentials or non-negotiables. These are the things that absolutely, positively every practice should be doing. There is no excuse not to have these things in place. Next, we'll talk about a couple of specific vendors that I've been working with for many years that I think do an excellent job of providing the products and services we'll be talking about. Additional layers of security is a section where I will discuss a number of additional things to consider. Those things may not make sense for every practice. They often have a higher cost associated with them relative to the security they provide, but they're certainly relatively low-hanging fruit, certainly things to consider and, when possible, implement in your environment. Then finally, we'll have some questions and answers at the end. Security fundamentals, again, these are important underlying concepts and principles to understand.
Ease of use and security are at opposite ends of the spectrum. The easiest-to-use system is completely insecure. The most secure system is impossible to use. The trick, the goal, what we're all trying to do, is to find that spot somewhere along that spectrum where you can maximize your security posture with as little inconvenience and loss of efficiency or productivity or direct expense as possible. The cybersecurity essentials or non-negotiables presented in this webinar offer significant improvements to security with minimal expense, whether that expense is measured in dollars or inconvenience or lost productivity or just hassle. Good security is never a set-it-and-forget-it type of thing. Many of us like to think that if we build the infrastructure properly and do everything we're supposed to do and get it done, we can check that off the list and not think about it anymore and move on to other things. Security is absolutely, positively not one of those things. Implementing good cybersecurity typically requires a pretty significant upfront investment of time and energy and sometimes money to architect, build, and test the systems. But even after you've made that investment, your work is not done. Security is an ongoing process. There are new threats, there are new security tools, and of course the people involved need to stay vigilant and keep current. Technology alone isn't comprehensive security. You absolutely should embrace the technology available to help secure your systems, but never forget that that alone is not enough. The people in your environment are always involved, and they are always the weakest link. Many small layers of security are better than one big layer. A good example, or way of thinking about this: think about your home. We all lock our doors at night because we want to keep people out of our house. A good security posture for your home is to have a good lock on the door, a strong door, and maybe an alarm system.
Those are three different layers of protection you might build to keep your house safe. It's much better to have a good lock and a strong door and an alarm system than to have a super triple-strength door lock and that's all you've got. Clearly, multiple layers of security are better than one single big fat layer. Pressure to act quickly increases mistakes. One of the most common tactics the bad actors use is to make their intended victim feel a sense of urgency to act. If the bad actors can get you to act quickly, you're more likely to make a mistake and do the wrong thing. You'll note, and I know we're all familiar with phishing emails and some of those scams, that a very common thread among those phishing emails is trying to instill some sense of urgency. If you don't act right now, your account is going to be locked. If you don't act right now, we're going to take more of your money. They're always trying to make you do something quickly. That sense of urgency, that pressure to act quickly, increases mistakes. If everyone in your practice feels like they can't slow down long enough to make thoughtful decisions, or they're too busy to follow the security protocols, you're going to be exposed. You've got to find a way to help your staff and your people understand that slowing down for good security is appropriate and a worthwhile trade-off. Empowering your staff to ask questions is an important element of security fundamentals. Your staff are going to be receiving those phishing emails, an unexpected pop-up on their screen when they're browsing the web, a text message, and sometimes even phone calls from the bad actors. Your staff need to know that it's okay to ask questions when they're faced with a potential security threat and they're not sure what to do. I think it's really, really important to foster an environment where acknowledging your mistakes is a good thing.
If your staff are terrified of getting in trouble for making a mistake, they will be much less likely to come forward when they click on a link in an email they shouldn't have, or accidentally forgot to encrypt an email they sent that contained PHI. If someone makes a mistake and clicks the link they weren't supposed to, or potentially provided their password to the bad actors, the sooner you're aware of that and able to take the appropriate steps, the lower the risk of the bad actors getting away with what they're trying to do. Time is of the essence. The longer it takes to react to that mistake, the worse things can get. Now I'm going to dive into what I'm calling the cybersecurity essentials, the non-negotiables. These are the things that I believe every business, every medical practice, should be doing, every time. I don't think there are any legitimate reasons that these kinds of things should not be taking place. The first is end-user training. Your people are your first line of defense. They are the most important line of defense. You can have the best security system in the world, and all it takes is one person making one mistake to circumvent all of that. So training your people is absolutely essential. Training is also an ongoing process. It is not enough to provide some sort of training when you hire somebody into your environment and expect that that's good enough. Training needs to be recurring, ongoing. The best type of feedback in training and security systems is instantaneous or real-time feedback. Keeping things fresh and current, mixing it up, is important. If people see the same fake phishing email regularly, they're going to quickly learn to ignore it or identify it, and it's not going to really have the desired effect. We'll talk a little bit later about one of the vendors that I think does an excellent job of providing end-user training and what that looks like.
One of the key features that they offer in their system is the ability to keep the content fresh, to change up what kinds of things people are seeing every day. If somebody makes a mistake and clicks on that link in an email they shouldn't have, they will get immediate, real-time feedback that says, hey, you just did something you shouldn't have. Here's what you should have noticed. These are the clues that told you this was something you shouldn't have done. And that has a dramatic effect on helping people retain that information and make those mistakes less frequently in the future. The next security essential is account lockouts. All of your systems should be configured so that if a user enters invalid credentials more than a certain number of times in a relatively short period of time, that account is automatically locked. The real goal here is to prevent somebody from attempting to brute-force or guess their way through your username and password security. If a bad guy sitting in a foreign country can write a piece of software and push a button, and that piece of software can be guessing thousands or hundreds of thousands of password combinations every minute, it's just a matter of time before they guess the password and break in. If they are only able to guess five passwords in a five-minute period of time, that's going to slow them down enough that it will make those brute-force attempts not effective. So, account lockouts. You can implement this in your Windows environment. You can implement it in your email systems. In fact, it should be implemented everywhere you can. And while there are all sorts of options or ways of setting the account lockout, a really common approach, one that I think is very sufficient and sort of hits the sweet spot of good security while not being too obnoxious or inconvenient, is a policy where five invalid attempts in a five-minute period locks the account for five minutes.
What this means is that if a user just mistakenly mistypes their password too many times, they only have to wait five minutes, the account gets unlocked automatically, and they can then try again and get back in. This does a pretty good job of slowing down the bad guys, but not making it such that it becomes a big ordeal when somebody does lock out their account and you have to chase somebody down to unlock it. If it automatically unlocks after five minutes, that's a pretty reasonable approach. The next cybersecurity essential: multi-factor authentication. I'm sure we're all familiar with it. We are probably forced to use it when working with our banks and that sort of thing, but multi-factor authentication really does provide a significant layer of security for a relatively low cost in the form of hassle and expense. All remote access into your corporate environment, absolutely, positively, should be required to have multi-factor authentication associated with it. And this means everyone, not just your regular staff, not just the contractors. It should be every remote access into your environment, including, if you have an outsourced IT department, those folks should be required to have multi-factor when they get into your environment to do work. Your line-of-business vendors, if you've got an on-prem EMR or EHR, those vendors often have the ability to get into your systems to do maintenance on their own terms. They should be required to have multi-factor authentication to get in. Oftentimes the owners or the physicians of an environment don't want to deal with that hassle, but everybody, absolutely, positively, should have that set up. Multi-factor authentication comes in multiple forms. I think the sweet spot today is a push notification. The idea there is that when multi-factor is needed, something will pop up on your smartphone and you can simply push a button to approve the authentication. Very low hassle, convenient, easy to use.
The second most common scenario is some sort of a code generator. That can be an app on your smartphone, where you open up the Microsoft Authenticator or the Google Authenticator app and there'll be a six-digit code that changes every minute, and you type that code in. I'm sure we're all familiar with that process. That same idea of a code generator can be done through a hardware token. If you have an employee who doesn't have a smartphone or is unwilling to put that app on their smartphone, you can get a hardware token that generates those same codes relatively inexpensively. And there are other ways of doing multi-factor authentication, but those are the three big ones. Multi-factor authentication for all email access from outside your secure corporate environment should be enabled. The idea here is that if your credentials are compromised, if one of your people mistakenly falls for that phishing email and enters their credentials in the wrong place and the bad guys steal their username and password, those bad guys are probably not sitting inside your office. They are someplace in another part of the world. And when they go to try to log into the email system with those stolen credentials, if they don't have that multi-factor authentication, they can't get in. And that dramatically reduces the risk of the bad guys breaking into your email, because even if they get those credentials somehow, it doesn't do them any good. Now, I differentiated between multi-factor authentication for email outside your environment and inside your environment. Even better, require multi-factor authentication for email within your business as well. But that adds a level of hassle that many people don't find palatable. And so I think it is a reasonable trade-off to disable that requirement from within your office, but it definitely, positively should be set up for access outside the office. Patch and update all systems exposed to the internet and/or the public.
So the truth is, all your systems should be patched and updated regularly, but the most critical, the ones that need the highest-priority attention and should absolutely, positively have regular maintenance and updates, are those devices that are directly exposed to the internet. For most organizations, that's going to be your firewall, your firewall router appliance device, as well as any servers inside your environment that the firewall allows traffic from the outside public internet to reach. A really good example of that kind of scenario would be if you have an on-prem patient portal. What that means is people out on the outside internet, the random public, the untrusted world, have the ability to connect directly into and talk to a server in your office, like your patient portal. That means that server where the patient portal is running is one of those high-risk devices that should absolutely, positively be maintained and patched. This means keeping the maintenance and support subscriptions current. Most firewall router devices, when you purchase them, may come with a period of one year or two years of updates and patches, and they may require a fee after that to continue to receive those patches. You absolutely, positively must be doing that for these components that are directly connected to the internet. Pay particular attention to zero-day and/or urgent issues that require immediate action. I'm gonna talk briefly about a situation that occurred just last February. ScreenConnect is a remote support tool that many IT service providers like myself, as well as in-house IT departments, use to remotely access and manage computers. And in early February, ScreenConnect identified and shared with their customers that there was a security vulnerability that had been detected in their product.
This was effectively a situation where the bad actors could break into the ScreenConnect tool and immediately start doing anything they wanted. This is a very significant vulnerability, the worst kind. They acknowledged that the vulnerability existed. Two days later, they released an update or a patch that you could install to protect your systems from that vulnerability. And 24 hours after that patch was released, the bad guys had already started breaking into computer systems all over the world. What that means is that you had 24 hours from the time that patch was released to get it installed before you were at risk of the bad guys breaking in. That's the kind of situation that illustrates how and why it's so important to keep your internet-exposed systems patched and updated and to pay particular attention to those urgent notifications. A lot of us get bombarded with notes about this update's available and that update's available. Well, there's a good reason to respond to those quickly and not just keep hitting that I'll-do-it-later button. Of course, good passwords are a cybersecurity essential. 12 characters today is really considered the minimum length for a good password. Generally speaking, more is better, but 12 should be your minimum. A good password should require mixed case, uppercase and lowercase, and should have numbers and often symbols in the password as well. Do not use the same password for multiple systems. I know we've all heard this a million times, but there's a really good reason for this. For a while, I was regularly getting emails from the bad guys, and it was a generic spam message that said, hey, Stephen, we've broken into your account and I've had access to your stuff. And by the way, here is your password. And right in the email, they would send a copy of my password. And if you don't give us some money in the form of some Bitcoin, we're going to do something horrible to you.
Now, when you get an email like that, and in the email you can see your password, that really lends some credibility to this bad actor. They just showed you that they know your password. Well, the way that worked, the way those guys were able to do that and show you your password, only affected people who tended to use the same password in multiple locations. If you use the same password for your Amazon account as you do for everything else, and the bad guys break into Amazon and steal your password there, they can now send you an email that says, I've got your password. And that same password would apply to other systems as well. Do not use the same password for multiple systems. Data backups: we all know how important this is. Data backups should absolutely adhere to the 3-2-1 rule. This rule states that there should be at least three copies of your important data. The first copy is the live production environment, the one that everybody's using every day. A second copy is typically stored within the same environment or the same building as the first copy, the live data. The third copy is typically stored someplace off-site. Three copies of the data. Backups should be on at least two different media types. In a typical environment, one media type is going to be hard-disk based. For example, the primary backup system that's within your office is very likely a dedicated system with a bunch of hard drives in it, and the backup data lives on those hard drives. That second media type might be magnetic tape, which is used far less today than in the old days, or some sort of off-site storage, something in the cloud at any number of major cloud backup providers. Three copies of the data, two media types, and always have one copy of that backup off-site or physically distant from the others. If your building burns down and all of your backups are in that building, you're out of luck.
So keeping a copy of that backup off-site or physically distant is an important part of the 3-2-1 rule. And at least once a year, you really should perform a full restore test under what you would consider worst-case-scenario circumstances. So for example, what we do for our clients is, at least once a year, in fact we're doing it closer to quarterly, we restore a backup of their data from that off-site location, which for our clients happens to be in Texas. We restore a backup from the data center in Texas to a brand new server and make sure that we can do a full restore, boot that server back up, sign in, look around, and make sure everything's there. That is kind of the worst-case scenario, where the client's building burns down and all their data is lost. All the backups that were stored in that building are lost. Well, we're going to have to rely on that off-site backup. And so that's where we do the restore from. The next cybersecurity essential is the principle of least privilege. The idea here is that good security says you give users the least privileges possible while still allowing them to do their jobs. If you're a clinical person in your environment, there is probably no reason that you need access to the financial side of your systems, or if you are working at the front desk, maybe you don't need access to the clinical side. Maybe you just need access to the patient scheduling and demographics areas of the system. The point is, don't give people access to areas of any information system that they don't need access to. That reduces the risk of accidental or intentional damage. And in the case of ransomware, if a user is limited to just the areas of the servers or the IT systems that they need to do their jobs, that makes it much harder for ransomware that this user is responsible for detonating to spread. The ransomware can't easily get into those other areas of the systems where the user doesn't have access.
So least privilege helps reduce accidental and intentional damage and helps contain the damage caused by a ransomware attack. Creating a secondary account for administrative or privileged access and use goes hand in hand with the idea of least privilege. It is perfectly reasonable and appropriate for someone in your environment, or maybe many people in your environment, to have administrative rights to their computer. If they want to install an update to the EMR or some other piece of software on their computer, you often have to have administrative rights on your computer to install that piece of software or that update. So it's reasonable under some circumstances for users to have administrative rights or elevated permissions. But the account they use every day to do their job should not be the account that has those extra privileges or administrative rights. So if my regular user account is msmith, one example would be to create a second account called msmith-adm, ADM for administrative, or something like that. And when, and only when, I need to utilize those administrative rights or those extra privileges would I sign in with that secondary account. But my regular account, the one I use every day, does not have those rights. The last item on my cybersecurity essentials list is removing unsupported software and hardware from your environment. This is one of those things that I come across all the time. Somebody doesn't want to spend money to buy the new version of, insert whatever piece of software or hardware you want here. Updating to new hardware and software costs money. But keeping old, unsupported software and hardware around is a big no-no and asking for trouble. If you can't get security updates and patches for those systems, they should be replaced or removed altogether. I do acknowledge that there are some situations where that concept is just not possible.
You may have had an on-prem EMR eight years ago and you've now moved to some cloud-based system, but you still need to access that old system for who knows how many more years to come. And that old system is running on an operating system or on hardware that isn't supported anymore. But you can't replace it, because you have to keep it for some purpose. When you find yourself in a situation where you truly cannot remove or upgrade an unsupported piece of hardware or software from the environment, there are many steps you can take to isolate that system as much as possible to dramatically reduce the risk that that unsupported piece of hardware or software poses to your environment. One place that you would typically work to isolate that system is at your perimeter firewall, the connection to the internet. Make sure that the firewall doesn't allow traffic to or from that, quote, risky or unsupported system. Blocking that traffic from getting to and from the internet is one way of helping to isolate that computer. And then take that particular device, that computer in my example, and change the firewall model for it. A very common security model is to allow all traffic in and out and then block things that you know are risky. That's a much easier, it's not as secure, but it's a much easier and very common approach to blocking traffic in a firewall. In a situation where you want to isolate a system, you need to go with the other approach, which is block everything and only allow the very specific things that you know you need. It's kind of a hassle. It takes extra time and energy to get that set up. But when you have an unsupported piece of hardware or software in your environment that you can't protect properly, limiting the traffic that can go to and from that device to only the bare essentials will dramatically reduce the risk that that device poses. That concludes my list of security essentials or non-negotiables.
Next, I'm going to spend a couple of minutes talking about two service providers or vendors that I think do an amazing job of helping address some of those cybersecurity essentials. The first is KnowBe4. This organization is very well known for their email security awareness training. They have a huge catalog of computer-based security training. A product or service like KnowBe4 is relatively inexpensive. Most people will discover it's going to be in the two-and-a-half-ish dollars per person per month range. It varies, of course, depending on different people's situations, but it's in that neighborhood, two and a half dollars per person per month. The KnowBe4 system takes a little bit of time and effort to get set up and integrated properly. And when I say a little bit, for my team setting it up for one of our clients, it's a couple of hours. Not a huge investment of time and energy. Once you've gone through that and gotten it set up, the ongoing effort, if you will, is very minimal. Typically, it takes an IT resource to get things set up, but after that, virtually anybody in your organization can be assigned the responsibility to manage the security campaigns, to generate the reports, and that sort of thing. But what KnowBe4 is most commonly used for is to build a system where they will send fake phishing emails to your staff on a regular basis, trying to provide them an opportunity to make a mistake, to click on the link they shouldn't have, that sort of thing. And when they do, they get immediate feedback showing that they clicked something they shouldn't have, and these are the clues, the things they should have been aware of that would have told them not to have made that mistake. And then on the back end, a lot of data is collected, and you can see how effective this training is.
It's very common to do a baseline or initial launch of a campaign like this to all of your staff, and you'll discover between 20% and 35% of the people click on something they shouldn't have. And after just a month of this system sending these emails and teaching them what to do and not to do, that number will quickly drop to 15% or 10%. And after a few months, you'll typically discover that there are one or two individuals in your organization who just keep doing the wrong thing. And at that point, now you know which staff need extra attention, extra education, the folks that you really need to focus your efforts on. The KnowBe4 system offers comprehensive as well as executive-summary-level reporting, so you can get all into the weeds and the details if you want, or you can simply get a report that says, last month we had a 3% click-through rate, or something like that. One of the best parts of the KnowBe4 product is that it does, in fact, provide the ongoing training, the ongoing assessment, and the reporting that allows you to make data-driven decisions. Most cybersecurity insurance policies are requiring that you have some sort of ongoing security training for your staff. In my experience, the KnowBe4 product offering allows you to check that box. So either this lets you check the box that says you're doing what you're required to do, or by offering this, you'll get a reduction in the premium cost for the insurance policy. KnowBe4 is absolutely my recommendation for that security training solution. We've talked about multi-factor in a number of places today. Duo is a member of the Cisco family; they're owned by Cisco. Duo is, I believe, one of, if not the, leading provider of multi-factor authentication solutions. Their product will work in a Windows environment on servers and laptops and desktops. It works on macOS desktops and laptops.
It usually will integrate with the major remote access gateway or VPN providers. So you can add Duo's multi-factor authentication solution to your remote access solution, to all of the things we were talking about earlier. Duo is what we implement for the vast majority of our clients to address those needs. The core functionality, the parts that most people think are most essential and most required, are available in the Essentials Edition, which is just $3 per user per month. So you look at the KnowBe4 product and the Duo product, and you're looking at less than $6 a month to provide a huge level of security in your environment. It takes just one person making one mistake to cause catastrophic damage. And that $6 or less per person per month is a rounding error compared to the expense and the hassle and the cost of that catastrophic mistake. Duo also provides an excellent and free app that can go on your smartphone. I talked earlier about the push notification. This is one of the areas where Duo really shines. When you're presented with that multi-factor authentication prompt, it can simply pop up something on your smartphone or your smartwatch, and you can just click a green button to approve it rather than having to dig something out of your pocket and type in that six-digit code or something like that. So Duo is also absolutely positively highly recommended by me and my team for providing that multi-factor authentication. OK, now we're going to look at some additional layers of security. These are things that I believe bring value and do, in fact, increase your security posture, but they aren't necessarily no-brainers, or maybe the cost, whether, again, that cost could be measured in monetary terms or in reduced efficiency or productivity, or sometimes the cost is just the hassle factor. 
But some of these items are ones where the added level of security may not be warranted, may not be justified by the cost, whatever that cost is. But these are things to consider. If, in your environment, you can implement these and they don't impose a significant burden or have a high cost for you, these are great ways of adding additional layers of security. So first thing, geo IP filtering and blocking. The idea here is that if you can block incoming connections into your corporate environment from IP addresses or from people who are outside the United States, that can be an excellent layer of security, assuming, of course, you don't have patients or customers or people who need to log into your environment from outside the United States. But most of us are in a situation where all of our patients are in the US, so blocking the ability for some bad guy in China or Russia from attempting to log into your system is a great way to reduce the number of people who can try to break in. So consider blocking incoming connections to your corporate network from IP addresses originating outside the United States. Or if you're using LRH, like so many medical practices are today, I think they're based in the Philippines, you might, in fact, allow access from IP addresses in the United States and the Philippines, but block the rest of the world. So while I listed outside the US, really it's just about blocking countries or areas where you know it's safe to, where there's no reason people will be coming from those areas. Likewise, block access to your email systems from IP addresses outside the United States. If all of your users who access your email live and work in the US, why should somebody in another country be able to sign in and try to access that email? Most of the bad actors are going to be coming from outside the US, so keep them from even being able to try to log in. 
The third bullet under geo IP filtering: it is our common best practice in our client environments to block traffic originating within our client offices that is going to a list of, I think there are about 13, what we consider highly risky countries. For example, let's consider Russia, a highly risky country today. What this means is that anybody inside the corporate office, if they're trying to access a resource, a website or something else that lives in Russia, they would not be allowed to do that. That traffic is blocked. It's hard to imagine that anybody in your practice truly needs to access a Russian website to do their job. So that shouldn't hurt anybody by blocking that traffic, but this slows down the bad guys if they manage to get into your office and they want to connect to some computer in one of these highly risky countries to download their tools to do additional damage or something; blocking that traffic slows them down. Enable multi-factor authentication everywhere possible. Again, this seems like kind of a no-brainer and there's a good chance you're already doing this, but if you can implement multi-factor authentication in additional places, every place you turn it on just continues to increase your security posture. So many of our clients have multi-factor authentication requirements for logging into their computer, even if they're sitting right there in front of their desk. So we're not talking about remote access, we're talking about in-person access, but implementing multi-factor in that environment definitely increases security. Implement multi-factor for all email access. Earlier, I talked about implementing multi-factor for accessing email from outside your corporate environment. That was a non-negotiable and an essential. Well, turning that on for access within your office does increase your security posture. If it's worth the trade-off of the hassle, there's another opportunity to increase your security. 
And of course, enable multi-factor authentication for all of your cloud services, your EMR, your EHR, bank account, et cetera. Any place you can turn it on, you should be turning it on. The third additional layer of security I've got here is enhanced and recurring staff training. We already talked about how basic end-user training is a non-negotiable. Well, there are probably key people in your organization who are in a position to do greater damage than others. So think people who are involved in the finances of your organization. Those people probably, because of the nature of their job and the nature of the access, the things they have access to, they really are good candidates for enhanced training or extra attention to make sure that they have the training they need and will make the proper decisions. They tend to be the biggest targets and the bad actors are going to focus on those key staff people. So it makes sense to give them extra attention. Ensure you're taking advantage of all the security settings and offerings from your email system provider. This seems sort of obvious, but it's astonishing how often we engage with a new client only to discover that 19 of the 20 security settings that are built into the Microsoft 365 ecosystem have not been turned on. Usually it's because people didn't even know those settings were available or the settings were there. So make sure you look to see what security settings and offerings are available from your mail security provider, whether it be Microsoft or Google or whoever else might be handling your email, and make sure you've turned on all the things that you can. And check back regularly. Microsoft and Google and others are constantly adding new security options. Sometimes they turn them on by default, sometimes they don't, but pay attention to what's there. Many of these things are free and all it takes is somebody going in and turning them on. The next topic, next item, implement separate networks. 
Often that's done through a technology called a VLAN or a virtual local area network. Implement separate networks for distinct systems and/or functionality. So the simplest, most obvious example is if you have guest Wi-Fi, and most organizations offer a Wi-Fi solution for people visiting, that guest Wi-Fi traffic should be on a separate network or a separate VLAN from all the rest of the traffic. This means that if some bad actor gets connected to your guest Wi-Fi, they have absolutely no ability to access any of your secure systems, any more than they would if they were coming in from another country. So separate that guest Wi-Fi traffic from your normal corporate secure traffic. And any other systems that can be separated into separate VLANs, often that offers additional layers of security. Any computer or server in your environment that is directly accessible from the internet. And again, a good example is that on-prem patient portal. That is another excellent example of where that server should be in a separate network or a separate VLAN from the rest of the systems. And in that case, usually it's put in what's called a DMZ, the demilitarized zone. It's sort of a zone that's halfway between the outside untrusted public world and your inside corporate secure world. Between those lies this area called the DMZ. And you're gonna make sure that your firewall is strictly managing what traffic can go between the different networks to make sure that if a bad actor manages to break into that patient portal system, they're then unable to freely jump around to other computers in your environment. That there's a firewall blocking some of the traffic and reducing their ability to move laterally across your organization. And I'm realizing I'm running long on time. So I'm gonna go a little bit faster. Sorry about that. Subscribe to and properly implement the enhanced security services from your firewall vendor. 
Most business class or enterprise class firewall vendors offer an additional subscription service that does things beyond the basic functionality. Think something that's sitting there monitoring all the traffic going in and out of the network, looking for malicious or suspicious content. That layer of security adds a good level of security, but it does have a cost. Usually that subscription is not unduly expensive. It could be $1,000 a year. It might be a little bit more, it might be a little bit less, but again, while that is not pizza money, that is a small price to pay compared to the cost of a major security incident. Perform external penetration testing and address the vulnerabilities that it finds. I recommend this is something that could be done at least every six months. There are a lot of third-party service providers that will do just this very one thing. It tends not to be terribly expensive. I think it's probably best to not have your IT service provider, if you have an outsourced IT service provider, be the one doing the testing; that's sort of asking them to check their own work. And while that isn't meaningless, it's not as good as having some other independent third party test to make sure that they're keeping your system secure. And most of you, as part of your PCI compliance, because you'll be able to take credit cards, most PCI compliance portals will have a built-in sort of simplified or basic version of penetration testing available for free as part of that. So just look in your PCI compliance portal for an excellent way of doing free penetration testing. Last two items, implement group membership-based access controls. This is one that sometimes it's hard to sell folks on going through the hassle of getting it set up in the first place. It can be a lot of work upfront, but it absolutely positively pays off over time. 
When security is managed through group membership-based controls rather than individual users, it's much easier to manage, it's much easier to audit, and it just makes onboarding and offboarding new employees much easier. So group-based membership access controls. Last but not least, eliminate or restrict non-company owned and managed devices from accessing your corporate network. I know that we've all got, most of us have workers who work from home, and it can be very financially appealing to allow them to use their personal computer to remote into the office to do their jobs, but this is not a good idea. Personal devices, computers that are not company owned and managed, you have no idea whether those computers have proper antivirus and other protections, if the bad guys have managed to break into them, and if you allow those devices to connect to your corporate network and access your sensitive data, you are making it much easier for the bad guys to access your corporate network and your data. Some of the biggest security breaches that have made the news over the last 10 years have occurred by the bad guys breaking into an employee's or a contractor's home computer and then leveraging that home computer's access to the corporate network to get into the corporate network. So do your work on company-owned devices and keep personal stuff like checking your personal email to personal devices. And thank you, that is the conclusion of what I've prepared. I think now we're gonna do some question and answers. Well, we have come up to the top of our hour, so we will conclude on time, but we appreciate it. And if you wanna go ahead, Stephen, and just advance to the last slide so folks can see that email address you set up so that people could email you directly. This was an amazing amount of content and very detailed and very appreciated, especially in this day and age. 
So we do wanna thank you, Stephen Hammond, our presenter and our moderator, Barbara Tauscher, and to you, our audience. This session was recorded and will be available to you in the near future via GI Leap, ASG's online learning platform. This concludes the presentation on cybersecurity. We hope this information is useful to you and your practice.
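A worked illustration of the geo IP filtering and network-separation layers described in the presentation (inbound allow-list of countries, outbound block of high-risk countries, an isolated guest VLAN, and a DMZ for the patient portal that cannot initiate connections inward). This is an added example, not code from the webinar or from IT Group Northwest; the VLAN ranges, the GeoIP lookup table, the published-port set and the sample flows are all constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed GeoIP lookup standing in for a real geolocation database.
GEOIP = {
    "203.0.113.10": "US",   # clinic worker at home
    "198.51.100.7": "PH",   # offshore billing vendor (the Philippines case above)
    "192.0.2.55": "RU",     # source in a high-risk country
}
ALLOWED_INBOUND = {"US", "PH"}          # inbound geo allow-list
HIGH_RISK = {"RU", "KP", "IR"}          # outbound geo block-list (sample subset)

# Constructed zone map: anything outside these VLAN ranges is treated as "internet".
ZONES = {"10.10.0.0/16": "corp", "10.20.0.0/16": "guest", "10.30.0.0/16": "dmz"}
DMZ_PUBLIC_PORTS = {443}                # assumption: only HTTPS to the portal is published

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int

def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, or "internet" if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "internet"

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one flow under the layered policy."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == "internet":                           # inbound: geo allow-list, then DMZ only
        country = GEOIP.get(flow.src, "??")
        if country not in ALLOWED_INBOUND:
            return "block", f"inbound from {country} is not on the allow-list"
        if dz != "dmz" or flow.dst_port not in DMZ_PUBLIC_PORTS:
            return "block", "internet may only reach the DMZ on published ports"
        return "allow", f"inbound from {country} to DMZ"
    if dz == "internet":                           # outbound: block high-risk destinations
        country = GEOIP.get(flow.dst, "??")
        if country in HIGH_RISK:
            return "block", f"outbound to high-risk country {country}"
        return "allow", f"outbound from {sz}"
    if sz == "guest":                              # guest VLAN never reaches internal zones
        return "block", "guest VLAN is isolated from every internal zone"
    if sz == "dmz":                                # a compromised portal cannot move laterally
        return "block", "DMZ host may not initiate connections inward"
    return "allow", f"{sz} -> {dz}"

if __name__ == "__main__":
    for f in (Flow("203.0.113.10", "10.30.0.5", 443), Flow("192.0.2.55", "10.30.0.5", 443),
              Flow("10.10.0.8", "192.0.2.55", 443), Flow("10.20.0.3", "10.10.0.5", 445),
              Flow("10.30.0.5", "10.10.0.5", 445)):
        print(f.src, "->", f.dst, *evaluate(f))
```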
Video Summary
The discussion on cybersecurity and protecting medical practices from cybersecurity threats was led by Stephen Hammond, co-founder of IT Group Northwest. The key points include the importance of cybersecurity training for staff, implementing multi-factor authentication for all systems, regular data backups following the 3-2-1 rule, and monitoring and updating software to prevent cyber attacks. Other recommended practices include geo IP filtering, group-based access controls, implementing enhanced security services from firewall vendors, and restricting non-company owned devices from accessing the corporate network. It was emphasized to prioritize security measures to protect against increasing cyber incidents in the healthcare sector and the potential risks associated with data breaches and ransomware attacks.
Keywords
cybersecurity
medical practices
Stephen Hammond
IT Group Northwest
cyber threats
multi-factor authentication
data backups
software updates
geo IP filtering