Planning for disaster used to mean preparing a contingency plan for what to do in the event of a fire or a flood. Alberta has seen plenty of these types of events in the recent past, so this type of preparation is clearly relevant for physiotherapists. In addition to these more “traditional” disasters, the use of electronic systems such as EMRs and online databases to collect patient outcome information creates the risk of phishing and ransomware attacks which can have similar disastrous implications.
“Phishing scams are traditionally associated with misleading and deceptive emails, falsely claiming to be from a legitimate organization such as a financial institution, business or government agency in an attempt to have the consumer surrender private and personal information.”1 Common examples are those all too common emails telling you you’re the heir to a large sum of money and asking for your banking details so the author can transfer your inheritance to you… you know the type.
As mentioned in the April Technology in Practice article, a 2017 phishing attack on MacEwan University resulted in a significant financial loss. In that case, MacEwan staff received a credible appearing email from someone posing as a supplier directing them to alter the banking information used to transfer funds to the supplier.2 While adherence to policies and procedures could have helped prevent the loss, the reality is that scammers are good at fooling people – it’s what they do. Part of the solution to prevent these types of losses is to put in place measures that block these emails from reaching people at all (such as email security gateways) and blocking certain email attachments (more on these shortly).
Ransomware is malicious software created by hackers to infect a workstation or file server and encrypt all files so that they are unreadable. Soon after infection, the hacker(s) responsible demand a large sum of money to decrypt the affected files, effectively holding the infected system hostage until the ransom is paid.3 The WannaCry attack of 2017, which effected England’s National Health Service is a memorable example of ransomware.4
Recent statistics from the US government show that ransomware attacks have quadrupled each year since 2013, averaging 4,000 per day. The University of Calgary paid out $20,000 for a June 2016 ransomware attack on their email server.3 Such attacks aren’t limited to large institutions. The College of Physiotherapists of Alberta has heard from at least one member and small business owner who was the victim of a ransomware attack that impacted both their company EMR and billing software. The result was a business interruption while they attempted to sort through the issue and their response to the attack.
How does ransomware work?
There are three main ways that ransomware can infect systems over the Internet:3
- Email: malicious emails may contain a malicious attachment or a hyperlink to an infected website.
- Web Browsing: unsafe browsing practices can lead users to infected websites.
- Network Ports: unprotected network ports can allow potentially malicious port traffic. Your IT department should be capable of locking vulnerable ports.
Recommendations to protect your network and your data
1. Hire professional IT support
Physiotherapists are known for their skills at assessing and treating how the body moves and what stops it from moving. It’s an unusual physiotherapist who is also known for their expertise in IT. For most physiotherapists, protecting their business from hackers will involve some degree of professional IT support.
2. Adopt security measures that meet your system needs3
- Email security gateways and email scanning services: email gateways scan incoming email and remove potential threats on the server or appliance side before they arrive in your inbox. Email scanning services, such as Microsoft Exchange Online Protection, scans emails in the cloud before sending them to your inbox, decreasing the chance of an attack even reaching its target.
- Block certain email attachments: IT experts recommend that all companies block emails with these types of attachment extensions: .JS, .EXE, .VBS, .SCR, .CMD and .BAT. These attachment types are known to be used by hackers to deploy attacks.
- Patching: ensure your IT department is patching workstations and servers for security updates monthly.
- Remove users’ local administrator access: local administrator access leaves systems vulnerable to malicious code that would have been blocked without administrator privileges. Best practice is to give your IT “department” sole administrator access.
- Disable macros: ransomware is commonly embedded in Microsoft Office documents that trick users into enabling macros. Microsoft Office 2016 currently limits macro functionality, preventing users from enabling them on documents downloaded from the internet. If an Office document extension ends with an “m” it can, and probably does, contain macros. For example, .docx, .xlsx, and .pptx should be safe, while .docm, .xlsm, and .pptm can contain macros and can be harmful. Of course, some businesses use macro-enabled documents. You’ll have to exercise your own judgment.
- Software restriction policies: directories often used for hosting malicious processes include Program Data, App Data, Temp, SysWow and Windows Script Hosting (WSH). Have your IT department establish and manage software restriction policies.
3. User security training3
The easiest way for ransomware or phishing attacks to affect your organization is through your own users. Dangerous hyperlinks and attachments can be sent through email, social networks or instant messengers and usually come from trusted sources. Cybercriminals hack user accounts and send malicious code to everyone in the hacked user’s contact list. Train and yearly retrain all users on the types of attachments to avoid and how to practice good Internet searching skills.
Email and internet usage tips
- If you get an email from FedEx or UPS and it asks you to download an email attachment and run it, that’s a red flag. Legitimate businesses will never ask you to download and run programs attached to an email.
- The sender: if you’re not sure whether someone sent you a suspicious-looking email attachment, give them a phone call or ask them in person. If they didn’t send the attachment, they’ll appreciate the warning that their computer is infected or their email address has been hijacked.
- Link shortening services such as Bitly, TinyURL, and over 200 others, allow users to take a link that might be too long for a Twitter post and generate a shorter one that redirects.3,7 While these services are popular, you can’t look at a shortened URL and see where it leads, making them popular for hackers. By clicking on a shortened URL, you could be redirected to a web page containing malware that compromises your system.6,7 Shortened URL links are commonly used in social media. Employers may want to develop policies that prevent people from accessing social media on workstations or devices that link to the business network to help to mitigate this risk. You can also check a shortened URL for safety before clicking on it by using online services such as Unshorten.It or CheckShortURL.7
Most importantly, backup data!
Ensure thorough daily backups of all data and that those backups are working by restore-testing regularly. Both local and Cloud backups are recommended.3
In the event of a ransomware attack, (when your flies are held “hostage” until you pay a ransom) paying the ransom doesn’t necessarily ensure that you will get access to your files. Even if you do get access, you may not be able to trust that the files haven’t been altered. In a best-case scenario, you will be able to restore your systems based on your most recent backup, rather than paying the ransom demanded. With that in mind, you want to be sure that your system is backing up your data frequently. Ask yourself how many days worth of bookings, billings, and charting you would want to have to re-construct from memory.
Keep in mind that backups are an important aspect of recovery from both “traditional” disasters (fires and floods) as well as technology-driven disasters.
The world of cybercrime is rapidly changing. Stay up-to-date with the risks by routinely checking the resources available at www.GetCyberSafe.gc.ca and by consulting with a IT professional about your unique system needs.
Business owners may also want to check out the Government of Canada’s “Get Cyber Safe Guide for Small and Medium Businesses.”
If you think you have been the victim of a cyber security incident, check out the Government of Canada’s “Report a Cyber Incident” for tips on how to recover.
- Available at http://www.antifraudcentre-centreantifraude.ca/fraud-escroquerie/types/phishing-hameconnage/index-eng.htm. Accessed June 25, 2018.
- Wakefield, J. MacEwan University loses $11.8 million to scammers in phishing attack. Edmonton Journal. September 1, 2017. Available at: http://edmontonjournal.com/news/local-news/11-8-million-transferred-from-macewan-university-accounts-in-phishing-attack Accessed March 19, 2018.
- Mitchell, C. Ransomware: Understanding and avoiding system encryption attacks. Available at https://www.quercussolutions.com/blog/index.php/ransomware/. Accessed June 25, 2018.
- Morse, A. Investigation: WannaCry cyber attack and the NHS. National Audit Office, 2017. Available at: https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/ Accessed March 19, 2018.
- Google for Education. Stay safe from phishing and scams. Available at https://www.youtube.com/watch?v=R12_y2BhKbE. Accessed June 25, 2018.
- Hampton, I. Things a hacked URL shortening service could do to you. Available at https://royal.pingdom.com/2009/06/23/things-a-hacked-url-shortening-service-could-do-to-you/. Accessed June 25, 2018
- Tech Help Knowledgebase. How to check shortened URLs for safety. Available at https://techhelpkb.com/how-to-check-shortened-urls-for-safety/. Accessed June 26, 2018.