
Guidance on cyber security and data security of Dental Practice digital records

Dental Practice Magazine (Article by Steve Bromham of Save9) is aware that a number of UK practices are increasingly worried about the impact that any theft of computer equipment or loss of patient healthcare records stored on these systems might have on their business continuity. In response to this - clarifying the professional and legal obligations for safeguarding patient healthcare data is something that we understand many practice managers would find most helpful.

This article aims to help dental practices understand their legal and statutory obligations in safeguarding patient records - and it also offers guidance on implementing a simple 3-step plan for better management of the associated risks and how to devise a simple IT business continuity plan - should a disaster strike. The risk management technique explained in this article can also be applied to other non-IT operational aspects of business continuity in a dental practice.

DPM's editor recently discovered that a dental practice - based in South London - suffered an attempted break-in. Luckily the assailants appear to have been spotted by a member of the public whilst the break-in was in progress and they escaped the scene. However - what the criminals left behind was a trail of destruction - the practice's rear entrance PVC door panel had been melted away using a portable gas cylinder and blow-torch that had been left behind. Thankfully - this incident did not result in any computer equipment theft or any loss of patient healthcare data - however, the practice manager took this as a 'wake-up call' and is now putting plans in place to improve their physical security, digital security and IT business continuity.

Following the attempted break-in - a number of questions were raised by the practice management team in connection with digital security and business continuity. All were focused on what might have happened if the criminals had been successful in obtaining confidential patient records. How quickly could the practice IT systems get up and running following a fire or loss of patient management systems? What legal and financial repercussions might the practice have suffered - if PCs or servers had been stolen and confidential patient data had been compromised?

Business Continuity - from an IT perspective

Reflecting on this real-world scenario - one plausible outcome of the attempted break-in could easily have been the theft of a number of desktop PCs and perhaps a server or two. From an operational perspective - unless the practice operates an off-site backup solution or already utilises a cloud-computing based patient records system (e.g. healthcare records stored in an off-site data centre or at a main HQ site) they would have found business continuity adversely affected.

Even when automated or manual off-site backups are in place - the purchase of replacement computers, the installation of correctly licensed software, the setup of networking by an IT provider and the loading of online or tape backup data onto replacement PCs and servers can be a very time-consuming process that stops the practice from digitally managing patient bookings and accessing healthcare records - at least until the systems are fully operational.

Almost any break-in or cyber-attack that results in loss or reduced access to essential computing equipment or patient data will most likely result in patient service disruption and potentially an information governance non-compliance issue. No 'automated rapid backup and recovery' solution in the world can help you make up for the lost time and resources required to purchase replacement client computer equipment or re-instate applications and data on your network (accessing either cloud computing or on-premise servers) as your practice attempts to get back into its normal working routine. Unless of course - you have an up-to-date duplicate of every single computing device or data storage system in safe storage - plus all the oral healthcare records that reside on them safely mirrored in a separate geographical location that can be re-instated within minutes. This is technically possible - but not a luxury most can afford or even wish to entertain - when considering the risk:reward ratio investment decision required.

In summary - following a physical or virtual break-in (e.g. hacking via the internet or suffering a malware infection on practice computers) the delivery of patient care and treatments can be immediately delayed or, in a worst-case scenario, suspended indefinitely. The added complication of losing confidential patient data introduces a potential raft of legislative and care standard non-compliance scenarios - with intervention from the likes of the ICO, CQC and NHS Digital (formerly HSCIC) - possibly resulting in legal action against individual(s) or the organisation and the threat of financial penalties or practice closure.

So, now the scary stuff is out of the way - what can you do to improve practice business continuity and protect patient data from an IT perspective? Here's our recommended 3-step plan...

(1) Firstly, you need to understand the legal and statutory obligations that your dental practice must comply with when it comes to safeguarding the security and integrity of patient records.

(2) Then you need to assess your potential risks, their likelihood and the impact on the business from a 'CIA' perspective - Confidentiality, Integrity and Availability (i.e. being able to access patient data when it is needed) - all within the context of your professional obligations, confirmed in the first step above. There are lots of freely available charts and colour-coded spreadsheets that can help you discover and articulate these risks. Don't do this alone - get input from your colleagues and an IT support provider.

(3) Finally - your priorities need to be agreed with a basic plan of action devised to mitigate the higher-impact and most-likely risks as soon as possible - covering these nine generic IT areas...

  • Files & Databases
  • Email & DNS (Domain Name Service) Services
  • Software Applications
  • Cloud Computing Applications
  • Desktops, Laptops, Smartphones & Server Computers
  • Networking (Wired & Wireless)
  • Firewalls & Routers
  • Malware Protection
  • Backup & Recovery Systems

There are usually a number of lower-likelihood risks that you may decide to simply accept without any intervention at all - this is part of the risk management process, as most dental practices do not have the time, resources or ability to mitigate 100% of all IT risks; it's almost impossible to achieve.

Note: this is not an exhaustive list of IT functions - there are many digital services I've excluded (e.g. websites, phone systems, server virtualisation etc.) however what we have above is a good starting point for most practices to begin with.

PCI cyber security compliance for charity retailers

PCI DSS Compliance

The Payment Card Industry Data Security Standard (version 3.1) dictates that internally managed network security scanning and a log auditing process must be established by all retailers who handle major credit and debit cards. More specifically - they must perform routine systems vulnerability scans and auditing of server and network access log files - which sadly isn’t in place within many charity retail operations - probably because of the technical complexity and costs involved. This article advises charity retailers on what they can do towards maintaining PCI DSS v3.1 compliance - with the aim of safeguarding customer payment card details from unauthorised access - by finding vulnerabilities before they become a business problem.

Wikipedia: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Having no PCI DSS Compliance Software in place can sometimes be down to a lack of in-house IT team knowledge (if the charity even has its own IT department), limited understanding of precise PCI DSS obligations or simply lack of time and resources. A popular misconception is “We're OK - it’s our bank’s responsibility to sort the security scan once a year” and this may be why PCI DSS obligations are not formally managed and routinely reviewed by the IT department or their senior management team - who are ultimately responsible.

Verizon – a damning report on PCI DSS non-compliance in the retail sector

Our view also appears to be backed up by recent research from Verizon - it found the majority of UK organisations accepting payment cards fail to maintain Payment Card Industry Data Security Standards (PCI DSS) compliance.
According to the Verizon 2015 PCI Compliance report - only 9% of merchants were compliant on Requirement 11 alone (11.4 is referred to later on in this article). There are three areas on PCI DSS v3.1 compliance in this article - where Save9 hopes to help charity retailers improve upon - these are:
  • Vulnerability Scanning
  • Audit and Log Reviews
  • Incident intrusion detection and reporting
Save9 has a detailed understanding of the obligations placed on retailers by the PCI and can help charity retailers avoid non-compliance by sign-posting them to a suite of low-cost vulnerability scan and logging solutions - frequently referred to as PCI DSS Compliance Software in the industry.

“Our retail shop’s card transactions are now handled in the Cloud – so I guess it’s not our problem?”

You’d be guessing wrong. According to the PCI, their official PCI DSS SAQ (Self-Assessment Questionnaire) applies to cloud-based payment processing platforms too and it is specifically referred to as SAQ P2PE (this needs to be verified by your respective cloud retailing system provider though). Their requirements apply to any hosted third-party solution because local networks and till systems in shop LANs (Local Area Networks) need to be securely protected and routinely monitored - e.g. to detect and prevent intrusions - even though data processing and storage is handled remotely in the cloud by a third party. In theory, any cloud-connected shop till has a level of vulnerability if payment transactions are routed externally from a point of sale (including ‘secure networks’ protected by firewalls, private network links, encrypted SSL or VPNs), because data can be intercepted before it reaches the encryption stage, or the encryption process can be compromised by malware secretly residing on a retail system. Additionally, screen capture or data interception malware can exist on PC-based till systems without the IT department’s knowledge.

The worrying reality for most charity retailers

Following discussions with a number of IT managers in the third sector - who look after their in-house IT and remote shop networks in charity retail environments - we are of the opinion (anecdotally, of course) that most charitable institutions in the UK have not gone through any of the three internal processes required to meet PCI DSS requirements 6, 10, 11 & 12 (specified in version 3.1 of the PCI DSS requirements guide). Our view is that IT managers in charity retailers should proceed with caution if they believe there’s no need to take action on the advice given – i.e. to routinely deploy vulnerability scans, implement access logging measures and introduce an intrusion-detection strategy. Excerpts from the PCI DSS version 3.1 compliance document (categorised under the three processes explained above) can be found below.

Vulnerability Scanning – PCI DSS Requirement 6
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium or low) to newly discovered security vulnerabilities.

Guidance: The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information.

Audit and Log Reviews – PCI DSS Requirement 10

10.1 Implement audit trails to link all access to system components to each individual user.

Guidance: It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user.

Incident intrusion detection and reporting – PCI DSS Requirements 11 & 12

11.4 Use intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion detection, intrusion prevention, firewalls, and file integrity monitoring systems.
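To make the Requirement 10 and Requirement 11/12 excerpts above concrete, here is an added example (written for this page, not code from the article, from Save9 or from GFI's products) that reviews a handful of constructed till-PC logon records: it builds the per-user audit trail that 10.1 asks for, and then raises the kind of "suspected compromise" alerts that 11.4 and 12.10.5 expect to reach a person. The log line format, host names, user names, the named-operator list and the trading hours are all assumptions made for the example.

```python
"""Audit-trail review and alerting over constructed till-PC logon events.

Added example, not from the article or any vendor product. It demonstrates:
  * Requirement 10.1 - every access linked to an individual user (audit trail)
  * Requirements 11.4 / 12.10.5 - alerts on suspected compromise for review
The "timestamp host event user ip" log format, host and user names, operator
list and trading hours are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log lines (assumed format: timestamp host event user ip).
SAMPLE_LOG = """\
2024-03-04T08:55:12 TILL-01 LOGON_OK alice 10.0.5.21
2024-03-04T09:10:03 TILL-02 LOGON_OK bob 10.0.5.22
2024-03-04T12:40:10 TILL-01 LOGON_FAIL admin 10.0.5.99
2024-03-04T12:40:14 TILL-01 LOGON_FAIL admin 10.0.5.99
2024-03-04T12:40:19 TILL-01 LOGON_FAIL admin 10.0.5.99
2024-03-04T12:40:25 TILL-01 LOGON_OK admin 10.0.5.99
2024-03-04T17:30:44 TILL-02 LOGOFF bob 10.0.5.22
2024-03-04T23:15:02 TILL-02 LOGON_OK alice 10.0.5.22
"""

TRADING_HOURS = (time(8, 0), time(19, 0))   # assumed shop opening hours
FAIL_THRESHOLD = 3                          # failed logons before we care
FAIL_WINDOW = timedelta(minutes=5)          # sliding window for those failures
KNOWN_USERS = {"alice", "bob"}              # assumed list of named till operators


def parse_log(text):
    """Parse the constructed log text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def audit_trail(events):
    """Requirement 10.1: map each individual user to every access they made."""
    trail = defaultdict(list)
    for e in events:
        trail[e["user"]].append((e["ts"].isoformat(), e["host"], e["event"]))
    return dict(trail)


def suspected_compromises(events):
    """Requirements 11.4 / 12.10.5: return alert tuples for a person to review.

    Three checks: a burst of failed logons followed by a success on the same
    host/account, a successful logon by an account not on the operator list,
    and a successful logon outside trading hours."""
    alerts = []
    recent_fails = defaultdict(list)  # (host, user) -> timestamps of failures
    for e in events:
        key = (e["host"], e["user"])
        # Drop failures that have fallen outside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if e["ts"] - t <= FAIL_WINDOW]
        if e["event"] == "LOGON_FAIL":
            recent_fails[key].append(e["ts"])
            continue
        if e["event"] != "LOGON_OK":
            continue
        when = e["ts"].isoformat()
        if len(recent_fails[key]) >= FAIL_THRESHOLD:
            alerts.append(("BRUTE_FORCE_THEN_SUCCESS", e["host"], e["user"], when))
            recent_fails[key] = []
        if e["user"] not in KNOWN_USERS:
            alerts.append(("UNKNOWN_ACCOUNT", e["host"], e["user"], when))
        if not (TRADING_HOURS[0] <= e["ts"].time() <= TRADING_HOURS[1]):
            alerts.append(("OUT_OF_HOURS_LOGON", e["host"], e["user"], when))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, accesses in audit_trail(evts).items():
        print(user, accesses)
    for alert in suspected_compromises(evts):
        print("ALERT", alert)
```

Run against the constructed lines, the script reports the three failed "admin" attempts followed by a success on TILL-01 (and that "admin" is not a named operator) and an out-of-hours logon by "alice" on TILL-02; on a real estate the same logic would sit behind whatever log collector you use, and the alerts would feed the quarterly review meeting and the Incident Response document the article goes on to describe.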
What should charity retailers do next - particularly if they have limited IT resources?

Save9’s recommendations are to signpost you to some low-cost but highly effective cybersecurity software solutions - with an indication of licensing costs:

  • A. Vulnerability Management & Penetration Testing for PCI Compliance: GFI LanGuard network vulnerability scanner licences (annually renewable) - approximately £30 + VAT per annum, then £15 + VAT per annum thereafter (example - per till PC).
  • B. Audit and Log Review for PCI Compliance (one server node): GFI EventsManager - server log monitoring, management and archiving - approximately £225 + VAT, then £115 + VAT per annum thereafter for upgrades and maintenance.
  • C. Incident intrusion detection and reporting for PCI Compliance Reporting: GFI EventsManager Active monitoring add-on for event log based intrusion detection and reporting - approximately £80 + VAT, then £40 + VAT per annum thereafter for upgrades and maintenance.

Beyond our technology recommendations above – please make sure time is allotted for meeting and reviewing the scan results and log audits - at least every quarter. Ideally this should be performed by your retail operations management team and an IT Manager (and/or IT Security Manager). You’ll probably need a couple of hours for each session, excluding any emergency measures that need to be factored in for network breaches – which should be outlined in your in-house Incident Response document.

Note: Save9 can obtain an additional 9% discount on GFI’s costs for registered UK charities. We can also help devise a PCI DSS Incident Response document, to help square-off PCI DSS compliance. Note: this response procedure also needs to be tested once per annum according to the PCI DSS v3 standard.

Assurance testing is a completely separate topic altogether, but I hope this article helps charity retailers implement better cybersecurity measures to safeguard customer payment card details, avoid a potentially embarrassing public relations disaster and negate those costly fines for non-compliance with the PCI DSS v3.1 standard.