Protecting Your Office Network

The primary electronic threats to a dental office network include data breaches, theft of office funds and/or resources and business interruption attacks.

Data breaches can occur as a result of attacks from either inside or outside of your office, or simple human error. External attacks will typically get started as a result of deception, which we will cover in Part II. Once an attacker has gotten into your network and perhaps accessed someone’s account, they will often try to steal login credentials giving them greater and greater access. These attacks will often target the PHI available in your system and sometimes the information needed to access your office’s bank accounts.

In addition to the very real concerns surrounding PHI, intruders inside a network will often try to get financial login details in order to access office accounts and withdraw as much as they can before you or your bank can catch on. A children’s dental practice in Missouri hit with this type of attack was robbed of $205,000 via wire transfers.44

One type of increasingly prevalent financial attack, called a business email compromise, uses a fake email that appears to come from someone you know at one of your vendors and simply “updates” the wire transfer information associated with that vendor. When your office pays the vendor’s legitimate future invoices, the payments will go to the scam artists.45,46 With respect to this particular scam, be sure to confirm any changes in financial information with the vendor by phone (using the number you have on file, not the one in the email) before making any changes.

Business interruption attacks are designed to make it impossible to access data and/or block you or your patients from using some or all of your system’s resources. The main types of business interruption attacks are a distributed denial of service attack (DDoS) and ransomware. A DDoS attack uses hordes of compromised computers across the Internet to overwhelm your website or other parts of your system with so much electronic traffic that it effectively becomes unusable. An attacker will generally demand a payment to stop the DDoS, though numerous security vendors offer protective measures that are relatively effective against them.

The most prevalent type of ransomware will encrypt the files on your system and then demand a ransom (generally in a difficult-to-trace type of online currency like bitcoins) for the decryption key.47 Of course, even if you were to pay the ransom, there’s little incentive for the attackers to actually unlock your data. As with other malware, ransomware attacks start with an ill-advised click on a weblink, attachment, or even an infected USB drive. We will discuss what to look out for when receiving email or browsing the Web in Part II. Thinking before you click (or plug in a stick drive) can go a long way towards preventing an attack like this. In addition to staying vigilant, preparation and prevention are the key considerations in thwarting a ransomware attack. Like the vast majority of malware, ransomware tends to get into a system through older software flaws that the developers have already patched. If your software is kept up-to-date, these attacks are much less likely to succeed. Another critical step is backing up your data (which we will also discuss in Part II). That way, even if you’re hit with ransomware, you can restore your system from your backup files.

[Figure: A ransomware pop-up window.]

Basic protective measures for computer networks include “perimeter” defenses, network monitoring, physical security measures and secure processes. We will cover secure processes in Part II. In the meantime…

Perimeter defenses are focused on stopping attackers before they can get inside your network in the first place or blocking them from accessing protected parts of the network.

Basic firewalls are configured with a set of rules that instruct them whether to accept or reject electronic traffic based upon its source, destination and type of traffic. More advanced firewalls can also look at the traffic in relation to other traffic associated with it, whether it’s coming from an approved sender and, in some cases, the content of the traffic itself. They can be placed just behind the router that effectively acts as the front entrance for electronic traffic coming into your network, on individual computers and servers, as well as at different points in your network to control the type of traffic that can access certain data or resources.

Anti-virus software works by identifying “signatures” (portions of computer code) found in malware. If the anti-virus software encounters a signature it recognizes, it can either block or quarantine the offending program. Attackers are constantly altering malware to try and evade anti-virus software. As a result, anti-virus software – while very helpful – will not completely protect a system by itself. There are a number of effective anti-virus products available,24 as well as labs that regularly test them for effectiveness.48

Whitelisting prevents programs from working on a network unless a network administrator has approved them first (sort of like an invite-only event). It’s effectively the opposite of a blacklist, which blocks programs once they’re identified as bad. Instead, programs will only work once they have been added to the whitelist. While this can be very effective at keeping out malware, the whitelist has to be kept up-to-date. Unless they’re added to the whitelist, legitimate programs won’t be able to run on the system either.

Subnets (short for “subsidiary networks”) are the result of dividing your network into segmented parts, like the watertight compartments on a submarine. Similar to the way a single flooded compartment won’t spread throughout the submarine, an attack infecting a single subnet can be contained before it spreads into other parts of your network. One type of subnet that can pose a significant potential threat if it isn’t properly secured is a guest network for non-employees, like one offering free Wi-Fi access to patients in your waiting room. If you do decide to use one, it must be kept completely separate from the rest of your office network, with no way to access any office files from the guest network.

A DMZ (short for “demilitarized zone”) is a type of subnet that effectively sits just behind the entrance to your network. It contains the parts of your network that are directly exposed to the Internet (like your email server), with a firewall between them and the internal network. The idea is that Internet-based attacks can be contained in the DMZ and stopped before spreading throughout the rest of the network.
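The firewall rules, guest-subnet isolation and DMZ described above, as an added example that is not from the original guide: a small first-match rule filter with a default deny. The office, guest and DMZ address ranges and the mail server address are assumed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed office layout (assumed addresses, not from the guide): office LAN, guest
# Wi-Fi for the waiting room, and a DMZ holding the Internet-facing mail server.
OFFICE = ipaddress.ip_network("192.168.10.0/24")
GUEST = ipaddress.ip_network("192.168.50.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")
MAIL = ipaddress.ip_network("192.168.100.25/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # where the traffic comes from
    dst: ipaddress.IPv4Network      # where it is going
    proto: Optional[str] = None     # "tcp" / "udp"; None matches any protocol
    port: Optional[int] = None      # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.port in (None, port))


# Checked top to bottom; the first matching rule decides, and unmatched traffic is denied.
# Like the "basic" firewall in the text, this ignores connection state, so replies to an
# allowed connection would need their own rule in a real stateless filter.
RULES = [
    Rule("deny", GUEST, OFFICE),              # waiting-room Wi-Fi can never touch office files
    Rule("deny", GUEST, DMZ),
    Rule("allow", GUEST, ANY, "udp", 53),     # guests get DNS and web browsing, nothing else
    Rule("allow", GUEST, ANY, "tcp", 80),
    Rule("allow", GUEST, ANY, "tcp", 443),
    Rule("allow", ANY, MAIL, "tcp", 25),      # the Internet may deliver mail to the DMZ server
    Rule("deny", DMZ, OFFICE),                # a compromised DMZ host cannot reach inward
    Rule("allow", OFFICE, ANY),               # office machines may start outbound connections
]


def decide(src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one connection attempt (default deny)."""
    for rule in RULES:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"
```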

An air-gap is kind of what it sounds like: keeping a particular computer or other asset physically disconnected from the rest of the network (and not connected via Wi-Fi, either). The theory is that an electronic attack, even if it gets into the network, can’t bridge the air gap to get at the protected computer or asset. Sometimes this method is used to safeguard computers, external hard drives, etc. holding especially sensitive information.

Unfortunately, no system is completely secure. Network monitoring tools analyze systems internally, with the intent of uncovering any intruders as quickly as possible. The monitoring process starts with knowing what’s actually on the network. There are a number of tools that can help your technical staff essentially map out the network and what’s connected to it.49 It’s also essential to keep an updated list of every computer and device with access to your office network, as well as a list of exactly who can access what. In addition to the dedicated tools designed to monitor and analyze the electronic traffic moving through a network, there are a number of security tools that can act on that traffic. Here are a few:

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) analyze electronic traffic as it flows through your network. These systems can use digital signatures similar to the ones in anti-virus software or use a behavioral-based approach. The latter entails analyzing the electronic traffic to get a baseline of what “normal” looks like in your network and then reacting when something out of the ordinary occurs. The primary difference between them is a detection system will send you an alert when it encounters something, while a prevention system will try to block it.
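The behavioral approach described above, as an added example that is not from the original guide: a baseline of what “normal” looks like for one workstation is learned from constructed training data, and an observed hour is flagged when its volume or its destination ports fall outside that baseline. The host, the counts and the port mix are all assumed.

```python
import statistics
from typing import List, Set

# Constructed training data (not real traffic): hourly outbound connection counts for a
# front-desk workstation over a week of business hours, and the destination ports it
# normally talks to. With these numbers the mean is 40.5 and the standard deviation 2.5.
TRAINING_COUNTS: List[int] = [41, 38, 45, 40, 37, 44, 39, 42, 36, 43,
                              40, 38, 41, 44, 39, 42, 40, 37, 43, 41]
TRAINING_PORTS: List[int] = [443] * 400 + [53] * 300 + [445] * 50 + [25] * 20


class Baseline:
    """What 'normal' looks like for one host: typical hourly volume and the ports it uses."""

    def __init__(self, counts: List[int], ports: List[int]) -> None:
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)
        self.known_ports: Set[int] = set(ports)

    def check_hour(self, count: int, ports: List[int], k: float = 3.0) -> List[str]:
        """Return alert strings for one observed hour; an empty list means it looked normal.

        Two behavioral checks: volume more than k standard deviations above the mean
        (anything over 48 connections with the constructed data), and destination ports
        that were never seen while the baseline was being learned.
        """
        alerts = []
        if count > self.mean + k * self.stdev:
            alerts.append(f"volume {count} exceeds {self.mean:.1f} + {k} sd")
        new_ports = sorted(set(ports) - self.known_ports)
        if new_ports:
            alerts.append(f"never-seen destination ports {new_ports}")
        return alerts


def alerts_for_hour(count: int, ports: List[int]) -> List[str]:
    """Build the baseline from the training data and check one observed hour against it."""
    return Baseline(TRAINING_COUNTS, TRAINING_PORTS).check_hour(count, ports)
```

A detection system would only report these alerts; a prevention system would act on them, for example by dropping the host's traffic to the new ports.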

Data loss prevention (DLP) software looks for identifying markers found in sensitive data (e.g., credit card numbers, PHI, billing info, etc.) so it can stop that data from moving outside your system. As with other network monitoring tools, DLP software cannot analyze encrypted electronic traffic, but it can be effective in preventing accidental disclosures of sensitive data before it gets outside of your network.
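One of the “identifying markers” DLP software looks for, as an added example that is not from the original guide: card-number-shaped digit runs in outbound text, confirmed with the Luhn checksum so that chart or invoice numbers do not trigger false alarms. The sample messages are constructed, and the scan only works on plaintext, as the text notes.

```python
import re
from typing import List

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so long invoice or chart numbers are skipped).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the card-like numbers in text that also pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def egress_decision(message: str) -> str:
    """Decide whether an outbound message may leave the office network."""
    return "block" if find_card_numbers(message) else "allow"


# Constructed sample messages (not real patient or card data).
SAMPLES = [
    "Patient balance due $120, statement attached",      # nothing sensitive -> allow
    "Card on file: 4111 1111 1111 1111, exp 12/27",       # passes Luhn -> block
    "Chart 1234-5678-9012-3456 scheduled for Tuesday",    # 16 digits but fails Luhn -> allow
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(egress_decision(msg), "|", msg)
```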

A honeypot is effectively a trap designed to uncover intruders in a network. It can be a dedicated device or software-based and, to someone fishing around a system, it will look like a vulnerable computer or drive with tempting data on it. When an external intruder or malicious insider accesses the honeypot, it alerts the network administrator there’s an intruder poking around the system. That way, steps can be taken to analyze the intrusion and/or boot the intruder from the network.50

Logs are electronic records of specific events that occur within an organization’s systems and networks. They can be critical to detecting (or reconstructing) a security incident. System audits would be very difficult to perform without them. Logs can be generated by servers, network security equipment, firewalls and other systems and can generally be set up in a wide variety of ways, including what types of events are logged. Given that they effectively create new log data nonstop, it’s important to balance what data you would like to have with what your system can actually handle.

Physical security is a key element in protecting your network. Physical access often equates to network access for even a moderately skilled hacker. And, of course, physical data like handwritten and printed PHI, x-rays, etc. are all vulnerable to an intruder inside the office. Physical security controls fall into three basic categories:

  • Deterrent – to scare off potential intruders, like a warning sign indicating the presence of an alarm system or security cameras,
  • Detective – to catch intruders, like a motion sensor or security camera system, and
  • Preventive – to stop the intrusion, like a gate or locked doors and windows.

One preventive measure you should implement is to physically keep your servers in a separate room or server closet under lock and key and bracketed to the floor. Also, it may sound like something out of a bad movie, but… if your office is in a building that has drop ceilings, be sure that they can’t be used to sneak in after hours.

It’s also essential to properly dispose of physical records. Dumpster diving actually does exist. Be sure to shred (use a cross-cut shredder) or otherwise destroy any such records so they cannot be reconstructed before they are disposed of. Remember, if you hire a company to dispose of PHI, you can also be responsible for what happens to it.38

Speaking of disposal, keep in mind that all printers and copy machines have hard drives that can be hacked into. Dispose of them like you would a computer hard drive.

It’s also important to effectively check your defenses. This is where vulnerability assessments and “pentesting” come in. Vulnerability assessments center around scans that should be run regularly on the various systems in your network. The scans check the targeted systems for weaknesses and “holes” (missing security patches, misconfigured software, etc.) on your systems and networks before the bad guys find them. The scans are designed for detection only, though they can be quite helpful at finding out if something unusual is going on. A number of effective vulnerability scanners are available.51 The next step, of course, will be fixing the identified vulnerabilities before they can be exploited.

Pentesting is short for “attack and penetration testing.” Pentests are used to test an organization’s ability to withstand a simulated attack on its systems. They can be used to test the effectiveness of network monitoring, physical security measures, security awareness training and an organization’s response to a security incident. While that sounds pretty cool, pentesting is better suited to organizations with more developed security programs. By nature, pentests are designed to find one way into a network, so the testing won’t offer enough information to be a useful early step for a newly forming security program.