No “pwn” intended: how do I know if someone has hacked a site where I have an on-line account?


Part 7 of our series on Privacy and Data Security Best Practices.

“Pwned accounts”, you might be interested to know, is a term that went viral across the Internet thanks to a simple typo. Someone reporting that a hacker had ‘owned’ (i.e., illegally taken ownership of) a web account typed the word “owned” a bit too quickly and hit the adjacent keyboard letter “p” instead of “o”. Voila, a brand new geeky word was born. Today, tens of millions of accounts from companies around the world have been “pwned”, i.e., “owned” by hackers. And you can find them being actively distributed as part of a lucrative underground business on “the dark Net”, places on the Internet that most law-abiding folks never want to visit.

Pwned accounts are important for clinicians to be aware of because if they are not carefully handled, they can become an ‘Achilles heel’, allowing attackers to gain access to even more confidential data.

So, other than the affected company emailing you directly with a warning, how can you find out if one of your accounts might have been compromised?

The website ';--have i been pwned?, created by Troy Hunt, a well-known web security analyst, keeps track of over 3.7 billion accounts that have been hacked, exposing user IDs, passwords, and frequently other personal information. The site will look up any email address you enter to see if accounts associated with it have been reported to be “pwned”.

Keep in mind, though, that the information in this database exists only because the website breaches listed there are now widely available on the Internet. If your email address is not listed, this doesn’t necessarily mean that all of your accounts associated with it are safe. Sometimes it can take years before a company knows it has been breached.
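The site also offers a companion check for passwords themselves, and the way it works illustrates how a breach lookup can be done without handing your secret to anyone. The example below is added here and is not code from the original post or from the site; it assumes the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`, which returns one `SUFFIX:COUNT` line per known hash) and runs entirely offline against a constructed sample response. Only the first five characters of the hash ever leave your machine; the match is made locally.

```python
"""Offline demonstration of the k-anonymity range check used by the
Pwned Passwords service (assumption: the post only describes the site's
e-mail lookup; the range endpoint is the site's companion password check).
"""
import hashlib
from typing import Dict, Tuple

PREFIX_LEN = 5          # characters of the SHA-1 hex digest sent to the service
SUFFIX_LEN = 40 - PREFIX_LEN


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the prefix is ever transmitted; the suffix stays on this machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per known hash.

    Blank lines are skipped. A malformed line raises ValueError instead of
    being silently treated as 'not found', so a truncated or garbled reply
    cannot be mistaken for a clean bill of health.
    """
    seen: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != SUFFIX_LEN or not count.isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        seen[suffix.upper()] = int(count)
    return seen


def is_well_formed(body: str) -> bool:
    """True if every line of the response parses as SUFFIX:COUNT."""
    try:
        parse_range_response(body)
    except ValueError:
        return False
    return True


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the supplied range listing.

    0 means 'absent from this prefix's list', which is not the same as 'safe'.
    """
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live listing for a 5-character prefix (not used offline)."""
    import urllib.request
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "clinic-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range reply for prefix 5BAA6. The first suffix is
# the real SHA-1 tail of "password"; the counts and the other two suffixes
# are made up for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "0" * (SUFFIX_LEN - 1) + "1:2",
    "F" * SUFFIX_LEN + ":17",
]) + "\r\n"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-not-in-sample"):
        prefix, _ = split_sha1(candidate)
        # Live use would be: body = fetch_range(prefix). Here we stay offline.
        body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
        n = breach_count(candidate, body)
        verdict = f"seen {n} times in breach data" if n else "not in sample range"
        print(f"{candidate!r}: prefix {prefix} -> {verdict}")
```

A zero count only says the hash was absent from that prefix's listing; it says nothing about the password's strength, and the e-mail address lookup on the site is a separate feature.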

So here are five steps to help protect yourself before you find yourself on the list, and especially if you find your account has been pwned:

  1. Change the password on any pwned accounts immediately, if you have not done so already.  Consider the incident to be a potential breach, and investigate accordingly.
  2. Even if a particular web service is of relatively little importance to you, these accounts, if compromised, may be used to gain access to much more sensitive information. Called “credential stuffing”, this hacking technique relies on the fact that many individuals use the same or very similar passwords elsewhere. Therefore protect yourself by NEVER using the same password twice for any account. If you use the same or similar passwords for any other account, you are just asking for trouble. How do you keep your sanity while maintaining all of these unique, complicated passwords? Use a password manager.
  3. If you use a password manager, let it generate very strong, unique passwords for you. Wherever possible, we use passwords with 16 or more complex characters for pretty much every account we have.  However, we never need to remember them because the password manager will automatically pop the user id and password into the login field on your browser or smartphone.  All you need to remember is the master password for all of your accounts.
  4. Use 2-step verification for Gmail, Facebook, LinkedIn, Office 365, your clinic EMR (if it doesn’t allow this as an option, it should), and any other web service that allows it. And, of course, use a password manager that is designed to support 2-step authentication for its own master password. “2-step” codes, sent via your smartphone or simple-to-use devices such as a YubiKey at the moment you start to log in, change every minute. This goes a long way towards protecting yourself from hackers collecting passwords through breached websites or malware.
  5. Check your web accounts, especially old ones, to make sure you have not configured the ‘password reset’ feature with what is now a little-used email address.  If hacked, that ancient email account could become a ‘back door’ to gain access to any other account that uses it for a ‘password reset’.  Use an email address that is very unlikely to change over time… a personal Gmail account, for example. And please make sure you have set that email account up with 2-step verification so that it doesn’t become the weak link, allowing hackers to change the password to all web accounts configured to send the ‘password reset’ message to this email address, locking you out, and giving them access.

What password manager should you use? It’s best to check the latest reviews, and carefully select it based on your clinic security policies.  There are free applications out there that can generate and store passwords, but because we value our accounts, we have elected to purchase yearly subscriptions to a robust commercial product that supports smartphones, 2-step verified master passwords, etc.

For more information on protecting your clinic’s accounts, see our Best Practices post entitled How can I protect access to my confidential accounts? Lessons learned from the PharmaNet breach.

If you need help, contact us.

My clinic data has been breached. What do I do now? Four critical steps.

Part 6 of our series on Privacy and Data Security Best Practices.

I have just returned from the IAPP/ISACA KnowledgeNet conference in Vancouver this week, where the focus of the afternoon was on Privacy & Security in Healthcare. Some interesting facts arose from the forum:

  • The cyber security threat targeting healthcare information systems is real and is dynamically changing. Hackers are changing attack campaign strategies on a weekly and even daily basis.
  • It is no longer a question of whether your clinic or healthcare organization is going to be attacked by hackers, but how often.
  • If broken into, 60% of data is stolen within hours.
  • 80% of breaches remain undetected for months.
  • Malware and Ransomware are continuing to evolve. New and stealthier versions frequently bypass antivirus software.

So, let’s assume the worst.  You have walked into your clinic in the morning and found you could not access your EMR due to ransomware.  Unfortunately, this is not a hypothetical risk. Or, as an example, imagine that you have received a call from a patient who has discovered his confidential health information has been made available to someone who should never have accessed it, and he is certain your clinic provided it.

What to do?

Let’s begin by saying that you should have a plan in place before any of this happens. Once you are hit with a breach, it is not the time to be looking for a plan or to begin making one up as you go. The SANS Institute strongly recommends that you be well prepared to handle this situation at a moment’s notice.

According to the Office of the Information and Privacy Commissioner of BC (OIPC), a privacy breach occurs anytime there is unauthorized access to or collection, use, disclosure or disposal of personal information.  What is unauthorized?  In British Columbia, this means any activity that occurs in contravention of the Personal Information Protection Act (PIPA) or part 3 of the Freedom of Information and Protection of Privacy Act (FIPPA). While cybersecurity threats are a very real danger, the most common privacy breach occurs when personal information of patients or staff is stolen, lost or mistakenly disclosed. This might include, for example, if a computer containing personal information is stolen or personal information is emailed to the wrong individual.

Doctors of BC, the OIPC and the College of Physicians and Surgeons of BC have published a four-step guide to dealing with breaches, called “Responding to a Privacy Breach – Key Steps for Physicians”. More recently, the OIPC has published some very helpful resources on what to do when responding to a breach, including “Privacy Breaches: Tools and Resources”. Both documents focus on four key steps:

  1. Contain the breach. Take immediate action to limit the breach. In the case of ransomware, the Doctors Technology Office (DTO) at Doctors of BC has an excellent technical bulletin that may be of help. Additional resources, such as No More Ransom, the site managed by two European police agencies together with Intel and Kaspersky, and the ID Experts ebook What to do when your data is held hostage, may also be useful. For example, disconnect affected system(s) from the clinic network and the Internet, but don’t power them down; that could make matters worse. Instead, get expert technical advice.
  2. Evaluate the risks. Other immediate steps may be needed. It is essential to determine what personal information was involved, the cause and extent of the breach,  who and how many individuals were affected by the breach, and what foreseeable harm might arise from it.
  3. Notification. It is important to notify affected individuals if it is necessary to avoid or mitigate harm to them. Equally important is knowing when and how to notify them, as well as who else should be contacted. Make sure to read the OIPC’s recommendations in the document above on what you should consider when determining whether to notify individuals affected by the breach.
  4. Prevention. Once immediate steps have been taken to mitigate risks, it is vital to thoroughly investigate the cause of the breach. This may require a detailed physical and technical security audit.  Doing this will help you to develop or improve whatever is necessary to safeguard data going forward.

The OIPC Tools and Resources document also contains a checklist we would suggest placing in your clinic policy and procedures manual, in case it is necessary to respond to a breach in your clinic. The checklist will help you to decide whether or not to report a breach to the OIPC. In general, reporting to the OIPC should be considered when:

  • The personal information is sensitive
  • There is a risk of identity theft or other harm, including pain or suffering or loss of reputation
  • A large number of people are affected by the breach
  • The information has not been fully recovered
  • A similar breach has taken place before, or the breach was the result of a systematic problem
  • Your clinic needs assistance in responding to the privacy breach
  • You want to ensure the steps taken comply with your clinic’s obligations under privacy legislation.

Legal note to all of the above: This is intended for general information only. It is not intended to provide legal or other advice.  The key message here is: make sure you have policies and procedures in place that will help you to recover from a privacy breach, before it occurs.

Here are some additional best practice resources you can use to be proactively prepared:

If you need assistance, contact us.

Ransomware: Ten ways you can help protect your clinic

Part 5 of our series on Privacy and Data Security Best Practices.

A highly-respected physician here in British Columbia recently told me that many clinicians he has spoken to tend to view privacy leaks and unauthorized access as a government or health authority issue. While this may be the case, a threat has emerged that not only has the potential of instantly endangering the confidentiality of personal health information, but also the operation of your clinic, and your bottom line.

The threat is ransomware.

According to Symantec, more than 1600 incidents per day hit Canadian firms in 2015, the last time these statistics were reported. And the threat is growing.  Last summer, Solutionary, a large security services firm, reported that ransomware became the single biggest response engagement for the company during the previous quarter, and across industries, 88% of all detected ransomware engagements targeted healthcare. Some of the most well-publicized healthcare ransomware attacks last year, including an attack in Ottawa, involved hospitals. Indications are that with increasingly sophisticated exploit techniques, hackers are moving towards data-intensive businesses, including medical practices, hospitals, financial services and legal services industries.

It is not difficult to imagine why healthcare data breaches are far more dangerous to victims than other breaches. Even small 1-2 physician medical clinics can host 3,000-6,000 confidential electronic medical records.  While privacy risks are serious and could jeopardize your clinic’s compliance to PIPA if breached, ransomware can, in addition, hold computer systems and medical data hostage by encrypting files and locking out access until a ransom is paid. Frequently the ‘hostage note’ will indicate data will be destroyed unless this is done within a given time. The disruption to patient care could be significant. And ransomware software is rapidly evolving. One of the latest variants, Doxware, lets hackers hold computer systems hostage like other ransomware, but takes the attack further by threatening to release personal information publicly unless the ransom is paid.

How many clinics have already been affected in western Canada? We don’t know. It is quite possible that some clinics, like many Canadian businesses, have quietly paid ransoms to regain control over their systems. According to one study, Canadian companies are 75% more likely to pay ransoms compared to those in the US, UK and Germany, and of those that didn’t pay, 82% lost files. The cost to pay ransomware extortionists has ranged from $1,000 to $50,000. And it is not uncommon for the same businesses to be hit more than once, by the same hacker or by others.

How can you protect your clinic?  The following 10 recommendations are based on suggested actions by Public Safety Canada and others.

  1. Backups: Back up your data and regularly test the backups to make sure you can recover it. Having encountered very unfortunate cases where owners thought their backups were working, we cannot say enough how important this is. Backups must be secure, encrypted, and not connected to your computers or network. If cloud-based (and this, of course, could be questioned from a privacy perspective), avoid persistent synchronization techniques that could be locked by some ransomware variants. This includes Dropbox, Google Drive and OneDrive.
  2. Good Email Hygiene: Do not open ANY email attachments from unknown senders, and treat ALL with suspicion. Inspect the URLs or any links inside email body copy before clicking. Don’t click on ‘URL shortened’ links as it is impossible to know where you are being directed.  Don’t click on any email that seems ‘out of the ordinary’, especially from a CEO, president or managing partner. Instead, confirm it through a new email you create, or by phone or in person. If you can, configure your email server to block suspicious email attachments similar to that done by UBC, and destroy emails with known malicious URLs.
  3. Application whitelisting: Implement application whitelisting, an IT technique used to prevent malicious software and unapproved programs from running.
  4. Security patches: Keep your computers up to date with the latest patches. Vulnerable systems and applications are the targets of most attacks. This, of course, includes servers hosting clinic data. A compromised client computer is often just the entry point from where exploits are launched to attack other systems inside a secure network.
  5. Anti-virus: Make sure antivirus is kept up to date and running on all of your systems. Scan all downloaded software before executing it.
  6. Basic Computer Security: Limit access.  Never use an admin profile as a user.  Apply the principle of ‘Least Privilege’ to all systems and services to help prevent malware from spreading.  Never download software from unknown sites. Be extremely critical of ‘free’ software.
  7. Macros: Disable macros unless absolutely required. Consider using Office Viewer software instead of MS Word when viewing email from clients or vendors. Receiving malware from unknowing senders you trust is a well-known technique.
  8. Web Browsing: Use safe practices when browsing the web not only within the clinic but when you take your laptop or mobile device home. A laptop can by itself become a trojan horse if taken from an untrusted home environment or public internet location and connected back into your secured, carefully managed medical clinic.
  9. Network Security:  Install a commercial grade firewall with active web filtering. The cost will more than pay for itself if it prevents a breach.  Physically segregate critical data on different systems to limit risks.
  10. Focus on awareness and training:  Make sure your staff knows the risks involved, and what to do to prevent ransomware from hitting your clinic.  The most common contributor to successful phishing attacks is a lack of knowledge and human behavior. To protect your clinic from ransomware, an intelligent human firewall is one of the best defenses you can have.

The Doctors Technology Office (DTO) at Doctors of BC has an excellent technical bulletin that may be of help. Further advice can be found in advisories by Public Safety Canada (2013 and 2016), advisories issued last September by US-CERT and the FBI, and No More Ransom, a site built through the work of several European police agencies, Kaspersky and Intel.

If you need help, contact us. Prevention is much less costly.

In the next post in our series of privacy and data security best practices, we will discuss what you can do to reduce risks to your clinic in case of a security breach.

How your clinic can quickly assess privacy and data security risks

Part 4 of our series on Privacy and Data Security Best Practices.

Last week we highlighted some issues and recommendations that arose when a medical clinic was audited by the Office of the Information and Privacy Commissioner for BC (OIPC). But how can you be certain your clinic is maintaining privacy and data security best practices that will help ensure your clinic is compliant with privacy legislation?   Here are two excellent tools. They require little technical expertise and cost nothing other than a few minutes of your time.

The Doctors of BC Privacy and Security Checklist

This simple set of 25 questions, written back in 2009 in collaboration with the OIPC and the College of Physicians and Surgeons of BC, provides a great starting point to assess how your clinic is managing privacy and data security.  If you can say “Yes” to these questions, you will have addressed important areas that should be of concern to all clinicians. Interested? Click here to download your copy from the Doctors of BC website. It’s part of their Privacy Toolkit, a great resource.

The OIPC Security Self-Assessment Tool

About three years after the Privacy and Security Checklist was published, the OIPC for British Columbia collaborated with the OIPC of Alberta and the Office of the Privacy Commissioner of Canada to create a tool intended for all organizations that must comply with personal information security requirements under the Personal Information Protection Act (PIPA) in British Columbia, the Personal Information Protection Act in Alberta and the Personal Information Protection and Electronic Documents Act (PIPEDA) across Canada.

What is especially useful with this more comprehensive self-assessment is that it includes key questions that are considered minimum security requirements for all organizations, not just health clinics. These key questions can help to assess whether or not, from a security point of view, your clinic or organization is safeguarding data in compliance with legislated requirements under PIPA in BC and Alberta, and PIPEDA.

We highly recommend taking the time to do this security self-assessment. Click here to download your copy from the OIPC website.

Together, the above tools provide excellent starting points for asking the sort of questions with your staff and service providers that will help develop the culture of privacy we discussed in Part 1 of this series.

If you need assistance, contact us.

Is your medical clinic compliant with PIPA? Twelve recommendations from a recent case involving an OIPC audit

Part 3 of our series on Privacy and Data Security Best Practices.

An interesting case was just published last month concerning the first audit of a private business that the Office of the Information & Privacy Commissioner for British Columbia (OIPC) has undertaken through its Audit & Compliance Program, established in 2014.  Interestingly, the first private sector business the OIPC audited turned out to be a medical clinic.

The findings, which are published here, highlighted a particular situation that called into question the use of video and audio surveillance within the clinic. However, the audit covered much more than this. Its goal was to review the extent to which the clinic was in compliance with British Columbia’s Personal Information Protection Act (PIPA), to identify risk factors in protecting personal information, and to provide recommendations to strengthen clinic policies and practice. The audit uncovered a number of issues:

  • Significant problems were cited concerning the clinic’s storage, security and disposal of personal information. While a complete technology assessment of the clinic’s EMR was not part of this particular audit, one of the key concerns the auditors cited was that privacy risk assessments had never been done.
  • Paper records are stored on a shelf behind the reception desk, which is separated from the public, but they were not kept in a locked facility.
  • Clinic staff manually tore up paper records and disposed of them with regular garbage.
  • The clinic owner kept his door open and CCTV monitors could be viewed by other staff.
  • Logs had not been kept of when, why and by whom CCTV or audio recordings had been accessed, reviewed or disclosed (e.g., to police).
  • The clinic had not conducted an internal audit of the access to and use of personal information.
  • The clinic owner was unaware of whether a confidentiality agreement relating to the protection of employee or patient personal information was in place with the software company managing the clinic’s EMR.

12 Recommendations that are worthy of everyone’s attention

It is well worth asking yourself: are you already following the recommendations the auditors made concerning this particular clinic?

Recommendation 1: The clinic should update its Privacy Policy with six provisions that were missing from its present one, including, among others, stating clearly that personal information is collected in accordance with PIPA, and defining personal information in a manner that is consistent with BC legislation.

Recommendation 2: The clinic should formally review its privacy policies at a minimum of every three years to make sure they are relevant and up to date.

Recommendation 3: The clinic should immediately cease the collection of personal information via video and audio recording equipment.

Recommendation 4: The clinic should create and regularly maintain a personal information inventory related to the collection of personal information from patients and employees. The sensitivity of the information, the type of information collected, where it is stored, why it was collected and how the clinic intends to use it should be included in the inventory.

Recommendation 5: The clinic should develop formal procedures and conduct privacy risk assessments at least annually to ensure that a) adequate safeguards are in place to protect collected personal information and b) collection is limited to only the personal information necessary for the purposes identified.

Recommendation 6: The clinic should develop and provide regular privacy training and education to all staff, with initial training to occur within three months of receiving the audit.

Recommendation 7:  The clinic should formally review this training and education at a minimum of every three years and update as necessary.

Recommendation 8: The clinic should develop and request that all clinic staff sign an agreement related to the protection of personal information at the completion of privacy training. This agreement should be reviewed and re-signed annually by all clinic staff.

Recommendation 9: The clinic should shred paper records containing patient or employee personal information when disposing of the records.

Recommendation 10: The clinic should store paper records securely in locking cabinets or behind locked doors and lock cabinets and doors when access to records is not necessary.

Recommendation 11: The clinic should develop formal procedures and conduct regular audits of access to and use of personal information within the Clinic.

Recommendation 12: The clinic should immediately ensure that a confidentiality agreement is in place with its EMR software support company with respect to the protection of employee and patient personal information.

The entire report makes interesting reading.  As part of this ongoing series of blogs on privacy and data security best practices, we will share some great methods which you can use to self-assess your clinic for compliance with PIPA.

In the meantime, if you need help, contact us.

10 Practical Steps to Help Clinicians Comply with Privacy Legislation

Part 2 of our series on Privacy and Data Security Best Practices.

If you do not have one already, this is a great time to think about developing a robust privacy and security training program for your clinic.  Here are ten simple steps that will help you get started:

Before you get started: put someone in charge. Clinicians are responsible for the personal information in their control. To comply with PIPA, every health care practice should have a designated Privacy Officer. For medical clinics, Doctors of BC, CPSBC and the OIPC recommend that this be a physician.

What’s next? A great starting point is Doctors of BC’s “Ten Steps to Help Physicians Comply with PIPA”, the Personal Information Protection Act for British Columbia.

These steps were developed, together with a complete Privacy Toolkit, in collaboration with the Office of the Information & Privacy Commissioner for BC (OIPC) and the College of Physicians and Surgeons of BC (CPSBC). Even though they were developed with physicians in mind, they are focused on private health clinics that are required to be compliant with PIPA. Therefore these guidelines also provide excellent advice for private dental clinics, chiropractors, and other healthcare professionals. In a nutshell:

  1. Be familiar with PIPA’s privacy principles. Doctors of BC’s Ten Principles for Protecting Information in Physician Practices is a nice, concise guide.
  2. Ask yourself, what personal information do you collect, and how do you manage it?  
  3. Ask yourself, is how you are handling this information meeting PIPA obligations? Chances are this is not a problem. But you must be compliant.
  4. If there is a problem, do something about it!  No matter how small or large the clinic, every staff member should be considered when developing your privacy and security program.
  5. Do you have a Privacy Policy?  Do patients and staff know about it?
  6. Make sure your security measures are adequate to handle the highly sensitive nature of your clinical records. Ask yourself, what would be the impact on your clinic if your patient information were compromised through a security breach?
  7. Make sure both staff and anyone contracted to handle personal information on behalf of your health care organization are aware of what they must do to protect privacy.  Staff education is essential.
  8. Have forms and communication materials in place to inform patients about your clinic’s privacy policy and information practices. The BCMA has sample forms that you can adapt for your clinic, located in the Privacy Toolkit, found here.
  9. Ask yourself, do your contracts adequately address the privacy implications of having third parties, including IT support and EMR service providers, handle your patient data? Contracts should clearly indicate the purposes for which contractors are allowed to access and use personal information and forbid any other use or disclosure.
  10. Ask yourself, would you know what to do if a privacy complaint occurs?  Or if you become aware of a security breach?  If you are not sure, get advice.

Does all of this seem a bit daunting? Actually, developing a robust culture of privacy and security in your clinic isn’t difficult. Clinics have developed very effective privacy and security policies completely on their own. But the important thing is to get started, and to get started now, before a costly privacy or security incident occurs.

If you need help, contact us.

Creating a culture of privacy and security

Part 1 of our new series on Privacy and Data Security Best Practices

We are complicated creatures of habit. We tend to do things, more or less, because that’s the way we have always done them.  We observe this across our society, including our work environment.  A strong privacy and security culture in a healthcare clinic is both a mindset and a process of operation.  A security culture that is integrated into daily thinking and decision-making can result in a near-impregnable health information system.

Conversely, a security culture that is missing will result in uncertainty, and ultimately security incidents that no clinician can likely afford to take on. This often happens when everyone is working in silos, which anyone in the privacy and data security field can tell you, is where managing confidential information can fail.

What can be done?

Do what you must in order to minimize the disconnect, apathy, silos and self-interests that undermine security. A huge part of this involves a training program that is periodic and consistently applied to all staff. Privacy and security training for locums, casual and part-time staff is frequently forgotten in a busy clinic. Whenever that happens, it doesn’t matter how strong your firewall is, or how professional your locums and casual staff are. Your patients’ confidential information may be put at risk simply because staff may not be aware of what they must do.

Privacy and security training involves more than asking staff to use complicated passwords. It involves imparting a thorough understanding of how confidential information is handled across the unique workflow of your clinic, its potential impact on privacy and data security, and personal responsibilities to protect it. Typically this includes:

  • A thorough introduction to privacy principles, as they apply to your clinic
  • Safe computing, with a good understanding of potential threats
  • Physical security, including securing work areas and resources
  • Safe remote and mobile computing
  • Protecting and handling confidential information

For training to be effective, it needs to be based on a robust framework of clinic privacy and security policies. To be relevant and practically useful, these and specific procedures guiding staff should be designed to meet the needs of your practice. Doing this right will go a long way towards ensuring your confidential patient information is kept safe.

If you need help, contact us.

We can quickly assess your clinic for risks, implement appropriate measures, assist in training your staff, and free up your time to do what we cannot do: looking after your patients’ clinical needs.