Protecting Your Office Network

Let's take a moment out to talk about protecting your office network. The first thing to consider is who your likely potential attackers are. These can be criminal gangs or even criminal individuals, effectively hackers. Because, once again, PHI is unfortunately kind of valuable, so it's sometimes worth it to steal it and then post it online, where it gets purchased; they make money for stealing from you, and you of course have to report a data breach. Another big issue for healthcare providers, including dental offices, is actually insider threats. This can be malicious or a mistake. Now the main threats to a dental office network are, like I say, data breaches. There's also malware, which is short for malicious software. And, believe it or not, HHS considers what's called ransomware to be a data breach. We're going to cover ransomware in some detail later. But in effect, it's not stealing your data, it's encrypting it so you can't get to it.


But still, it's considered a data breach under HIPAA. Another thing to look at is scams and social engineering. So what do you want to do to actually protect the network? Okay. For one thing, a secure network design is really helpful. What that means is basically that if it's well laid out, it's easier to defend and also easier to monitor. In effect, it's like setting up a map of roads in a town. If you've got everything laid out so that it's not confusing and you know where things are, it's easier to keep an eye on and easier to secure. A lot of network designers might set up something called "choke points," which in English means that traffic will always go through one certain point. And because it's going through one certain point, it can be analyzed as it's going through, or filtered, as the case may be.


That way you can keep it a little safer, because you can effectively check what's happening. A related concept is something called network segmentation. That's breaking up your network into little pieces. You can think of that sort of like the watertight compartments on a submarine. So if something happens and one watertight compartment gets flooded, it doesn't sink the ship - the sub - instead that one compartment gets flooded and the other compartments are effectively walled off. Network segmentation is like that. It's broken into little pieces. Now there are two network segments in particular which we'll very quickly touch upon. One is if you decide to offer something like guest WiFi access for patients waiting in your waiting room: you want to make sure that's definitely on a separate, like I say, network segment, also referred to as a "subnet" by people in the industry. That just means subsidiary network.


Like I say, it's just a network segment. The idea with that, if you have this guest WiFi access, is that it's got to be completely separate from anything else. You want to make sure guests obviously can't access your main files and certainly not any patient information. Another one is something called a DMZ, which stands for demilitarized zone. The idea with that is it's basically setting up one of these network segments sort of at the front door. So something that interacts with the Internet directly, let's say your email server for example, is separate from the rest of your network. So basically information coming in goes through this DMZ, as it's called, where, like I said, the email server is sitting. So if the email server does get attacked, the attack is separate from the rest of the network. Usually what'll happen is you'll have some protective device behind it, like a firewall, which will keep the attack contained around the email server and keep it from getting into your network and attacking everything else.
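To make the guest segment, the DMZ and the internal segment concrete, here is an added example (not part of the original presentation) that models them as a first-match firewall policy; the subnets, the rules and the sample flows are all constructed for illustration.

```python
"""Model of the guest / DMZ / internal split as a first-match firewall policy.
Subnets, rules and flows are constructed for the example; a real office uses
its own addresses and a real firewall, but the logic is the same."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed example subnets (not from any real deployment).
SEGMENTS = {
    "guest": ipaddress.ip_network("192.168.50.0/24"),     # patient WiFi
    "dmz": ipaddress.ip_network("10.0.1.0/24"),           # email server lives here
    "internal": ipaddress.ip_network("10.0.10.0/24"),     # practice management, PHI
}


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside our subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


# Evaluated top to bottom, first match wins.  Anything not listed is denied,
# which is what makes the segments "watertight compartments".
POLICY = [
    Rule("internet", "dmz", 25, "allow"),       # inbound mail reaches the DMZ only
    Rule("internet", "dmz", 443, "allow"),      # webmail reaches the DMZ only
    Rule("dmz", "internal", None, "deny"),      # a compromised mail server stays in the DMZ
    Rule("internal", "dmz", None, "allow"),     # staff may read their mail
    Rule("internal", "internet", None, "allow"),
    Rule("guest", "internet", None, "allow"),   # patients get the Internet...
    Rule("guest", "internal", None, "deny"),    # ...and nothing else (also the default)
]


def decide(src_ip: str, dst_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow under the policy above."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and rule.port in (None, port):
            return rule.action
    return "deny"   # default deny


if __name__ == "__main__":
    # Constructed flows: guest laptop, outside sender, DMZ mail server, front desk PC.
    flows = [
        ("192.168.50.7", "8.8.8.8", 443),      # guest browsing the web
        ("192.168.50.7", "10.0.10.5", 445),    # guest poking at the file server
        ("203.0.113.9", "10.0.1.25", 25),      # outside mail arriving in the DMZ
        ("203.0.113.9", "10.0.10.5", 445),     # outside host aimed straight at PHI
        ("10.0.1.25", "10.0.10.5", 445),       # mail server trying to reach inside
        ("10.0.10.5", "10.0.1.25", 143),       # staff PC fetching mail
    ]
    for src, dst, port in flows:
        print(f"{src:>14} -> {dst:<12}:{port:<4} {decide(src, dst, port)}")
```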


Another thing you'd like to do is change all of your default settings on pretty much everything you've got on your network. The reason for this is that default settings can be looked up pretty easily. If you're curious, one fun website related to this is something called routerpasswords.com. If you haven't yet changed it, you can look up your router's default password there by manufacturer and model and boom, there it is. That's because these devices have to work out of the box: they'll have default settings so that they can function right away. That's great in terms of functionality, not so good in terms of security. The next concept is encryption. Encryption you've probably heard of. It's taking data - this could be printed stuff; this could be pictures, movies, whatever it is - and using an algorithm to scramble it into what looks like gibberish (also referred to as "ciphertext"). Now what's used to scramble it with this algorithm is something called an encryption key, which is basically a string of characters. The longer the string, the harder it is for an attacker to break. You may have heard of something like 64 bit encryption or 256 bit encryption. We mentioned a bit earlier in the program that bits are each of those ones and zeroes from binary code. Now the idea here is 64 bits is 64 of them, 256 bits is 256 of them, and like I say, the longer it is, the more possible combinations there are and the safer the data is, because it's harder for an attacker to break it. Hope that all made sense. Now in effect, what you do with the encryption: there are different ways to do it. One way, you encrypt it and decrypt it with the same key.


That's called symmetric encryption. There's another called asymmetric encryption, where we encrypt with one key and decrypt with another. These differences aren't hugely important, but it just lets you know that there are different ways this can be used. And encryption is really helpful because, once again, under HIPAA and under most state data breach laws, if information - PHI or otherwise - is encrypted, it's considered secure and not subject to the laws, so long as those encryption keys aren't stolen along with the data. Now speaking of encryption, you're going to want to check your wireless network encryption. That's basically the encryption running on your router, because a lot of routers today are running really insecure encryption, which allows an attacker to just simply go through it. The most current encryption is called WPA3, which stands for WiFi Protected Access Three. That was introduced in June of 2018. It's possible you may not see devices on that right away. If you have a chance, it's always good to use. It's far and away the safest option. Earlier options include WPA2 and WPA with what's called the Advanced Encryption Standard, or AES. Those have been the standards since about 2006. They're not completely worthless, but they're not great at this point. Attackers can break through them pretty easily. And the earliest was something called WEP, which is Wired Equivalent Privacy. That was the very first type of encryption used for wireless routers. And, I hate to call something worthless, but at this point, yeah, it's not so good. It was the first one out of the gate, and basically attackers figured out ways to get around it within days. So if you have WEP running on your router, that's a bad thing. Now a router can be checked pretty easily. They all have an associated IP address page, which you can look at.


It's often written on the side of the router, or there might be something in the packaging, or you can even contact the manufacturer. Just look at the website, get in there, take a look, and make sure, once again, no WEP. If at all possible, WPA3 is the best way to go. Now another thing you want to do is something called system hardening. I know it sounds really exciting. What that basically comes down to is: if you don't use it, get rid of it. Any applications - once again, programs - that you're not using, get them off your system. Any users who used to be on the system but aren't anymore, get them off the system. Anything that's on there that you don't actually use, get rid of it. Why? The reason for this is that an attacker, when looking at a system, doesn't have to go through stuff that's working currently.


If there is a 10 year old program sitting on the system that nobody's touched in six years, great. The attacker can still go through it, and meanwhile no one's the wiser because no one's even looking at the thing. But for them it's still a doorway in. So, anything you have that you're not using, get rid of it. Another key thing to do is something called patch management, which basically means keeping your software up to date. When manufacturers send out software updates, they're referred to as patches; they're patching the software. Why does this matter? Well, at the end of the day, all software has flaws. On average, I believe there was a flaw about one every 180 lines or so, and the very best programmers in the world still make a mistake about once every 3000 lines. So what? That doesn't sound like much. Well, consider this: the phone that's probably sitting in your pocket right now has between 20 and 30 million lines of code in it, doing all the cool stuff it does.


Computers can have even more. Do the math. That's a lot of potential problems. And effectively what happens is the manufacturers will find out about software errors, flaws - bugs, as they're called - and will fix these, and when they've fixed these, the system becomes safer. The vast majority of attacks actually come after things have already been fixed. Because one problem with the release of these patches is basically that the good guys, the developers, will tell you, okay, here's what we just fixed. The thing is, the bad guys take a look and go, "Okay, cool. Here's what we'll target for all the people who haven't updated their systems," which is a lot of people. So if your systems are up to date, the vast majority of attacks aren't going to work against them. They'll literally just bounce off. Now one thing also to remember is you also want to do this with something called firmware.


Firmware is a type of software which is on devices. It's basically the inner workings of a device. It's not like regular data-type software, or a regular program. It's literally sitting right on top of the hardware. So the router itself uses firmware to operate. Your computer has firmware to operate, and that stuff also gets updates. So something like a router, which has an operating system, still has to be kept up to date. Now another related concept is endpoint security. And once again, endpoints are things like computers, mobile devices, printers, medical devices - anything that you're interacting with directly is considered an endpoint in a network. These matter because, if data is otherwise well protected, attackers may well go after poorly secured endpoints as a way to sort of get a hook into the system and then move in from there.


Now another thing to look at is what's called "access control," and this breaks down into identification, authentication, and authorization. At this point you should be going, "Dude, what are you talking about?" Okay, let's break this down. Identification is effectively who you say you are. So, when you're logging into a system, it's your username. My username, let's say, is "Scott." Okay, identification: Scott. Then I have to prove it, to get authenticated onto that particular network. That's generally a password. So, I give my password. I've been identified, I've been authenticated, then there's the question of authorization. In effect, once I'm on the network, what am I allowed to do? Now this is where it's really important to limit access rights. Critical concept - it's in effect who can get to what. There's a concept in security called the Principle of Least Privilege. What that means in English is that anyone who's on the network only has access to the stuff they actually need to access.

I mean, it's easy to just set up an account where everybody has access to everything. The problem is, if an attacker compromises an account like that, the attacker then has access to everything. Or, you know, unfortunately there are instances where there are insider threats in dental offices. I've seen statistics noting that one in four dental offices are potential victims of embezzlement at some point during their lifetime. So that's obviously something you want to watch out for, which means that anyone using the network should have fewer privileges rather than more. One related concept is something called Admin, or administrator, privileges. Those are the types of accounts that can download, modify and delete programs. That's actually kind of a standard thing: when you open up a new computer, it typically has an Admin account on it, the reason being that you can download stuff onto your system.


The thing is, within a network, those are really, really dangerous. The reason for that is, once again, if an attacker compromises one, it means they can just download anything they want onto your network, delete your stuff, change it around if they want to - all of which will get you in trouble with OCR and HHS and HIPAA. So, at the end of the day, administrative accounts should be used as infrequently as possible. The other types of accounts are called standard accounts or guest accounts, depending on the type of system. They're not at all hard to set up. They work exactly the same except, like I say, you can't download, modify and delete programs. So make sure that if you have Admin accounts in your network, there's one, maybe two of them at most, and make sure they're turned off unless they're absolutely needed. What I mean by that is if someone has an admin privileged account, they don't use that normally, day to day, just to browse stuff.


They use a standard account, and they have the admin account specifically for when they need it, and only then. Now another concept to look at is backups. Backups are great because they prevent potentially catastrophic data loss and system damage in the event of an accident or malware like ransomware - which, once again, encrypts data. And the thing is with backups, make sure it's not just the data you're backing up. You also want to back up your various software, your system settings, et cetera, because let's say something happens that's really catastrophically bad to your system. Let's say the ransomware does more than encrypt data. Let's say there's a fire, flood, locusts, alien invasion (whatever it is), and it messes up everything in your system. If all you've got is your data, you're in a rough spot, because then you don't have the stuff to actually use the data in.


But if the software and system settings are backed up as well, you can effectively rebuild your network and get back to work. Now backups themselves should be what's called multi-tiered, offsite and encrypted. Plain English: multi-tiered just means more than one version. So if you've got a local one in your office, you also want to have something cloud-based. Let's say what happens to your office is a fire. The backup onsite will burn up along with the rest of your computers. If you've got something offsite, then you can make sure you can still access it. Encrypted is basically always a good idea under HIPAA. It's often required for certain types of data, and just as a safety measure, if your backups get stolen and they're encrypted, once again, they're "secured." A backup should be tested and verified on a regular basis.


In effect, you want to make sure it actually works. One of the worst things that can happen is if you have a backup and you never look at it, then you actually need it and there's something wrong. So, make sure that you actually check it out to make sure it's working properly. And then finally, make sure that your backups are not directly connected to your main system at all times. That's again because of the aforementioned ransomware, because ransomware by nature, once it gets into a system, tries to get to every point in the system and encrypt it, and then tries to charge you for it. Now the big deal with that is of course if your backups are directly connected, they'll be encrypted too, which would be bad. So a concept that I should mention in passing here is something called defense in depth. That's the idea that you don't have just one thing defending you. So you don't just have, say, your employees trained not to look at bad stuff.


Okay. That's one. Then you've got a firewall, which is guarding sort of your front door. That's another. Another firewall is guarding each computer. That's another. Let's say you've got antivirus software, which is looking for bad stuff coming in. That's another. Each step in the process is one more guard. So the outer part of your network is sometimes referred to as the perimeter. It's sort of a conceptual boundary separating your network from the outside world, i.e., the Internet. You may want to think of it sort of like a castle wall all around you, and outside is the Internet, which is, by nature, a somewhat bad neighborhood. Now I mentioned antivirus programs - antivirus, sometimes referred to as anti-malware, will target malicious programs. The idea is it's looking for sort of snippets of code that it recognizes as being bad, and it blocks them.


Firewalls are used basically as a filter. The idea with a firewall is that data's flowing through it and it's keeping an eye out for where it's coming from, where it's going to, and what type of data it is. It's given rules, and it'll block the stuff it's supposed to block and allow the stuff it's supposed to allow. And the thing to keep in mind with firewalls is that there are different types. The most basic firewall will look at each of these data packets - the little pieces that data is broken up into and then reassembled on the other side when you're sending stuff from place to place. There are types that will look at the data packet in relation to other things around it, and there are others that will even look at some of the insides of what's in the packets, deciding what to block and what not to. And firewalls can vary quite a bit in price and capability.


Certainly take a look and see what is a good fit for your network. Speaking of the network, you also want to monitor it, because at the end of the day, no matter how many protections you put at this perimeter, you're not going to be able to block everything. Unfortunately, that's not really the way this works. So in terms of monitoring the network, you want to have what we refer to as "network traffic analysis." So that's the stuff moving around in your network: coming in and out, moving around inside it. You want to make sure you can take a look and see what's going on there. Now two basic things to use are what are called IDS and IPS. That's intrusion detection systems and intrusion prevention systems. Now the big difference with those is a detection system, when it sees something, will give you a notification that something looks weird.


A prevention system will try to stop it. Now they come in two basic types. There's one that's signature based, which is similar to the way antivirus software works in that it's looking for a snippet of code that looks funky and it puts a stop to it. Behavioral based will take a little bit of time to ramp up, but basically looks at what's normal for your network and, once it's got a sense of that, when it sees something that's out of the ordinary, it will react to it, once again either notifying you or trying to block it. Generally speaking, I prefer behavioral based systems because they catch a lot more stuff that's useful. With the signature based systems you sort of get a cat and mouse game going back and forth with the bad guys, where they will test out their different malware to see if it gets picked up by different products and, if it doesn't get picked up, they'll try and send it into your system, where, if it acts weirdly, the behavioral based systems might still catch it. Now another concept is something called logs. You definitely want to have logs, if nothing else so that you have a paper trail to show the HIPAA investigative folks should they show up. Logs are basically little recordings of what happens on different devices. Firewalls can create logs, IDS can create logs, anti-malware can create logs. The thing to realize with those is you don't just want to turn everything on, because it just keeps creating data over and over again. So you may want to discuss with a security professional what logs are useful for your system, to let you know what's really happening. Both, like I say, in terms of an audit and also, should there be a security incident, the logs are key to letting you know what happened and stopping it from happening again. Speaking of which, if you're talking to security professionals, one thing you may want to look into is something called an MSSP, which is a managed security service provider.
A lot of companies will do that, and they'll handle smaller offices, making sure that you don't have to do everything yourself all the time. Now we mentioned the idea that the behavior based IDS/IPS is more effective. One thing I should mention with that is that there have been some recent studies which have shown that once an attacker gets inside this "perimeter," once again, they almost always switch over to legitimate tools rather than try to use more malware. Malware's sort of the way in. Once they're inside, they use normal stuff so that it doesn't stand out and look weird. So that way, if something is "signature based," looking for malware, it's not going to find it.
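Here is an added example (not part of the original presentation) that puts the signature-versus-behavioral point into code over a few constructed endpoint log lines: the signature check only knows the dropper, while the behavioral baseline notices a legitimate tool being used from the wrong machine and reaching more peers than usual. The log format, host names and the "known bad" name are all made up.

```python
"""Signature matching versus a simple behavioral baseline over constructed
endpoint logs (format, hosts and the 'known bad' name are all made up)."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>\S+):(?P<port>\d+)")

# Constructed "normal week": the front desk PC browses and reads mail, and
# only the admin workstation uses PowerShell, and only to one server.
BASELINE_LOGS = """\
day1 host=frontdesk1 proc=outlook.exe dst=mail.dmz:443
day1 host=frontdesk1 proc=chrome.exe dst=insurer.example:443
day2 host=frontdesk1 proc=outlook.exe dst=mail.dmz:443
day2 host=admin-pc proc=powershell.exe dst=fileserver:445
day3 host=frontdesk1 proc=chrome.exe dst=portal.example:443
"""

# Constructed attack day: a dropper runs once, then the attacker switches to
# PowerShell (a legitimate tool) and fans out over SMB from two machines.
ATTACK_LOGS = """\
day4 host=frontdesk1 proc=dropper.exe dst=203.0.113.9:443
day4 host=frontdesk1 proc=powershell.exe dst=fileserver:445
day4 host=frontdesk1 proc=powershell.exe dst=xray-pc:445
day4 host=admin-pc proc=powershell.exe dst=fileserver:445
day4 host=admin-pc proc=powershell.exe dst=hygiene2:445
day4 host=frontdesk1 proc=outlook.exe dst=mail.dmz:443
"""

KNOWN_BAD = {"dropper.exe"}  # all a signature list knows about


def parse(text):
    """Turn log lines into dicts, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            events.append(e)
    return events

def signature_alerts(events):
    """Signature based: flag only processes on the known-bad list."""
    return [e for e in events if e["proc"] in KNOWN_BAD]

def build_baseline(events):
    """Per (host, process): ports used and how many distinct peers it talked to."""
    ports, peers = defaultdict(set), defaultdict(set)
    for e in events:
        key = (e["host"], e["proc"])
        ports[key].add(e["port"])
        peers[key].add(e["dst"])
    return {k: (ports[k], len(peers[k])) for k in ports}

def behavioral_alerts(events, baseline):
    """Behavioral: flag a process, port or fan-out never seen for that host."""
    alerts, seen_peers = [], defaultdict(set)
    for e in events:
        key = (e["host"], e["proc"])
        seen_peers[key].add(e["dst"])
        if key not in baseline:
            alerts.append(("new process for host", e))
        elif e["port"] not in baseline[key][0]:
            alerts.append(("new port for process", e))
        elif len(seen_peers[key]) > baseline[key][1]:
            alerts.append(("more peers than usual", e))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    attack = parse(ATTACK_LOGS)
    print("signature:", [e["proc"] for e in signature_alerts(attack)])
    for reason, e in behavioral_alerts(attack, base):
        print("behavioral:", reason, "-", e["host"], e["proc"], "->", e["dst"])
```

Drop the dropper line from the attack log and the signature check reports nothing at all, while the behavioral check still raises the same three alerts.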


This is where behavioral based systems can be far more effective. Now a few additional tools I just want to mention in terms of protecting your office network. One is called a data loss prevention system, and that will basically tag data to keep it from getting outside your system. So it'll tag something like any PHI data: stop. Anything with a social security number: stop. Billing information: stop. So it can't get outside your network. One thing to realize with a data loss prevention system, and realistically any monitoring system, is that they can't read encrypted data. So DLP is really helpful in terms of a mistake sending it out. If you've got someone who knows what they're doing, they'll encrypt data before sneaking it out. That's the more malicious people, and DLP systems won't be quite as effective there. Another thing that will be effective against them is something called a honeypot.
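As an added example (not from the original presentation), here is a toy DLP filter that tags the social security number, PHI and billing markers just described, and then shows the blind spot: the same note, once encrypted, matches nothing, so the most a DLP can do is flag it as opaque. The patterns, the sample messages and the stand-in cipher are all constructed.

```python
"""Toy DLP filter for outbound messages: it catches the clear-text note and
shows the blind spot with encrypted data.  Patterns and samples are constructed."""
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed patterns a DLP rule set might tag before data leaves the network.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phi-note": re.compile(r"\b(?:diagnosis|treatment plan|patient id)\b", re.I),
    "billing": re.compile(r"\b(?:cpt|cdt)\s*\d{4,5}\b", re.I),
}


def tags_for(text: str):
    """Return the names of every pattern that appears in the text, sorted."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def entropy_bits(text: str) -> float:
    """Shannon entropy per character; ciphertext and base64 blobs score high."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def inspect_message(message: str):
    """Classify one outbound message: block (tagged), opaque (unreadable) or allow."""
    tags = tags_for(message)
    if tags:
        return ("block", tags)
    # A long, high-entropy body cannot be pattern-matched at all.  Calling it
    # 'opaque' instead of silently allowing it is what a DLP can still do:
    # route it for review, or restrict who may send such blobs at all.
    if len(message) >= 64 and entropy_bits(message) > 5.0:
        return ("opaque", [])
    return ("allow", [])


def toy_encrypt(plaintext: bytes, key: bytes) -> str:
    """Stand-in for a real cipher (XOR with a SHA-256 keystream, base64 on the
    wire), used only to produce the kind of bytes a DLP would actually see."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    return base64.b64encode(bytes(out)).decode()


# Constructed samples: a clinical note, a harmless reminder, and the same
# note after someone encrypted it before sending.
CLEAR_NOTE = ("Patient ID 4471, SSN 123-45-6789, treatment plan: CDT 2750 crown "
              "on tooth 30, insurance pre-authorization attached for review.")
REMINDER = "Reminder: your cleaning is Tuesday at 3 pm. Reply YES to confirm or call us."
ENCRYPTED_NOTE = toy_encrypt(CLEAR_NOTE.encode(), b"constructed-example-key")

if __name__ == "__main__":
    for label, msg in [("clear", CLEAR_NOTE), ("reminder", REMINDER),
                       ("encrypted", ENCRYPTED_NOTE)]:
        print(f"{label:>9}: {inspect_message(msg)}")
```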


A honeypot is either a dedicated device, like an old computer or something, or software based, where to someone looking around the network it's going to look like a tempting target that isn't terribly well protected. And in effect, when the bad guy/insider/whoever takes a look at this, it sort of gives a little alert to your network administrator, letting them know, "Oh, by the way, someone's in here who shouldn't be." That way, it's sort of a little tripwire for you and lets you know someone's in the network. And there it doesn't matter if the data's encrypted or not. The fact that they're fishing around and go to this honeypot - which no one would normally go to - means you get a warning. One other concept that's actually really useful is something called "application whitelisting." Now in effect that works like the exact opposite of the way a signature based system works.


Like, once again, antivirus software, where it looks for something bad and then blocks it. Application whitelisting blocks everything unless your network administrator approves it. So in effect, instead of blacklisting, where a bouncer throws you out once you've misbehaved, whitelisting is basically like an invite-only party. Until you get an invite, you can't work on the network. That's really good at stopping a lot of attacks. Obviously, some attacks will try to mimic legitimate things (that's a whole separate issue), and you've got to make sure you keep those lists up to date, because if you do bring in a new legit program, it's got to be whitelisted before it'll work.
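Here is an added example (not from the original presentation) of the bouncer-versus-invite-only difference in code: a blocklist waves through an unknown program even when it is malware renamed to look legitimate, a hash-keyed allowlist refuses it, and a genuinely new program stays blocked until an administrator approves it. The "programs" are constructed byte strings standing in for files on disk.

```python
"""Deny-by-default application allowlisting by file hash, beside the blocklist
approach it replaces.  The 'programs' here are constructed byte strings."""
import hashlib


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for executables on disk (name -> file contents).
PROGRAMS = {
    "dentrix.exe": b"constructed practice-management build",
    "chrome.exe": b"constructed browser build",
    "chrome.exe (renamed dropper)": b"constructed dropper pretending to be chrome",
    "newscanner.exe": b"constructed scanner software installed today",
}

# Blocklist (signature style): only samples someone has already seen.
BLOCKLIST = {sha256_of(b"constructed dropper sample seen last month")}

# Allowlist: what the administrator has approved.  Keyed by hash, not by file
# name, so renaming malware to chrome.exe does not let it inherit trust.
ALLOWLIST = {sha256_of(PROGRAMS["dentrix.exe"]), sha256_of(PROGRAMS["chrome.exe"])}


def blocklist_decision(content: bytes) -> str:
    """Bouncer model: run anything unless it is known to be bad."""
    return "deny" if sha256_of(content) in BLOCKLIST else "allow"


def allowlist_decision(content: bytes) -> str:
    """Invite-only model: run nothing unless it has been approved."""
    return "allow" if sha256_of(content) in ALLOWLIST else "deny"


def approve(content: bytes) -> None:
    """The 'invite': an administrator adds a vetted program's hash."""
    ALLOWLIST.add(sha256_of(content))


if __name__ == "__main__":
    for name, content in PROGRAMS.items():
        print(f"{name:<30} blocklist={blocklist_decision(content):<5} "
              f"allowlist={allowlist_decision(content)}")
    approve(PROGRAMS["newscanner.exe"])   # after checking the new install
    print("newscanner.exe after approval:", allowlist_decision(PROGRAMS["newscanner.exe"]))
```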

Who potentially poses a risk to your office network?

  • Criminal gangs and/or individuals
  • Insiders (either maliciously or by mistake)

What are the main threats to a dental office network?

  • Data breaches
  • Malware (HHS considers a ransomware infection to be a data breach)
  • Scams/malicious social engineering

What are essential security measures that you can implement to protect your data?

  • Use secure network design – a well-laid out network is both easier to defend and easier to monitor
  • Change default settings
  • Use data encryption – also be sure that your office’s routers are using current encryption for the data passing through them (WPA3 as of June 2018)
  • “Harden” your system
  • Keep your software up-to-date
  • Secure your network endpoint devices (e.g., computers, mobile devices, printers, etc.)
  • LIMIT ACCESS RIGHTS (i.e., who can get to what)
  • Create regular backups (and don’t forget to test them to make sure that they’ll work, if needed)
  • Utilize “Defense in Depth” (layered security)
  • Monitor the electronic traffic moving through the network