In an ever-changing threat environment, how can we protect both PHI and other sensitive information? One method that is rarely used outside of large corporations is the art of deception.
Using deception as a defensive tool in the practice is easily done and costs little. One of the most commonly probed areas of your practice is its wireless networks. Most practices have an internal wireless network and a separate public “Wi-Fi” network. Generally, these are extremely easy for a threat actor (the bad guy) to tell apart.
A simple way to use deception in protecting the wireless network is to add a third network. For example:
- Smith Dental Patient Wi-Fi: a segregated wireless network for patient use.
- Smith Dental Employee Wireless: a second segregated network that is simply a standalone access point (the decoy).
- PamsSalon: your actual employee/internal wireless network.
Why Deception Works
How does this work? An attacker will ignore the Patient Wi-Fi and concentrate on what appears to be the employee network. Substantial time and effort will be spent against the decoy network instead of the true internal network, which holds the sensitive data.
In the event an attacker does breach the decoy network, the only damage done is to the decoy access point, which holds no sensitive information. A more advanced deception tactic is to place an obsolete workstation or server on the decoy network. Name the machine “Practice Server” or something similarly attractive, then monitor it for attacks; every connection to it is an early warning, and no real data is at risk. In the information security arena this is called a “honeypot”.
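To make the “monitor it for attacks” part concrete, here is an added example (not code from the original post or its author) of the simplest possible decoy service: a listener that accepts connections on a port, serves nothing, and records every contact so it can be turned into an alert. It is written in Python and binds to localhost with an OS-chosen port so it can be tried safely on one machine; the `probe_decoy` helper and the sample payload are constructed for the demonstration. On a real decoy you would run one listener per port an old “Practice Server” would plausibly expose, on a host that sits only on the decoy network and has no route to the internal network.

```python
"""Minimal decoy-host listener: accept, record, alert, never serve real data."""
import socket
import threading
import time
from datetime import datetime, timezone


class DecoyListener:
    """Accepts TCP connections on one port and records every contact."""

    def __init__(self, bind_addr="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port (handy for a local trial);
        # a deployed decoy would bind the specific ports it pretends to offer.
        self.events = []
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_addr, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.settimeout(1.0)
                try:
                    first = conn.recv(64)  # what the visitor sent, if anything
                except (socket.timeout, OSError):
                    first = b""
            event = {
                "time": datetime.now(timezone.utc).isoformat(),
                "src": peer[0],
                "dst_port": self.port,
                "first_bytes": first,
            }
            with self._lock:
                self.events.append(event)

    def snapshot(self):
        """Thread-safe copy of everything recorded so far."""
        with self._lock:
            return list(self.events)

    def close(self):
        self._sock.close()
        self._thread.join(timeout=2)


def alert_lines(events):
    """Every contact is an alert: nothing legitimate should talk to the decoy."""
    return [
        f"ALERT decoy contact from {e['src']} on port {e['dst_port']} "
        f"at {e['time']} first_bytes={e['first_bytes']!r}"
        for e in events
    ]


def wait_for_events(listener, count, timeout=5.0):
    """Poll until the listener has recorded `count` events or `timeout` passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        snap = listener.snapshot()
        if len(snap) >= count:
            return snap
        time.sleep(0.05)
    return listener.snapshot()


def probe_decoy(port, payload=b"", host="127.0.0.1"):
    """Constructed local 'visitor' that connects to the decoy (demo/test only)."""
    with socket.create_connection((host, port)) as s:
        if payload:
            s.sendall(payload)


if __name__ == "__main__":
    decoy = DecoyListener()
    probe_decoy(decoy.port, b"GET / HTTP/1.0\r\n\r\n")  # constructed sample probe
    for line in alert_lines(wait_for_events(decoy, 1)):
        print(line)
    decoy.close()
```

The value of a decoy lies in the fact that it has no legitimate users, so the alert rule can be “any connection at all” rather than a signature: the listener stores the source address, port and first bytes, and `alert_lines` turns each record into a line you can forward to whoever watches the practice’s logs.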
Whatever your practice’s strategy is for network defense, consider adding a little deception to the mix.
For those who have been through our training or heard me speak to one of their organizations, you know I touch on the subject of network-connected devices. These devices are already in many practices and have been for some time. If you remember, a few years ago Vice President Dick Cheney had minor surgery […]
I’ve been told that during presentations I do for dental societies, study groups, and practices, the portions that stick with audience members the most are those where I delve into real-world examples of information security failures. So, in the spirit of good stories with a learning (what not to do) component, I […]
The Internet of Things… it’s the latest term showing up in both tech and regular media. IoT is simply a term that refers to connected “devices” that are not what we normally think of as “computers” but communicate with each other. What are Internet of Things devices? IoT devices include TVs, Blu-ray players, refrigerators, […]
Ransomware, that dreaded and feared sub-species of malware we all loathe. It’s been around a while now, and the days of single-machine encryption and single Bitcoin payments are over. Yes, like some living, breathing, toothy beast, ransomware has evolved.
Social media security, or the lack of it, can be a major resource for hackers. Criminals who want your data (and money) are like water: when in motion they take the path of least resistance. That is not to say hackers are lazy; the point is that hackers and other information criminals […]
An often overlooked area in data security is physical security. In the eyes of the government auditor (or attorney) it does not matter whether patients’ ePHI is stolen by a group of extremely savvy Russian hackers or someone walks into the practice and steals a laptop or backup device; in effect either is a […]
Criminals’ dishonesty is showing. Here is a specific instance: a Kansas cardiology facility was hit with ransomware. After the ransom was paid, the criminals involved said, ummm… send us more money. Excerpt from the original article below. “According to the report, hackers got access to the system and locked up the […]
Unless you like frustration, you probably don’t handle all of your organization’s IT work. Most likely you have either a dedicated IT person (or persons) or use an outside vendor. Most small businesses operate in this manner, including healthcare practices, and there is nothing wrong with these support models. You should be sure, however, that whoever is […]
The number and severity of ransomware attacks have been increasing. Companies and individuals who have been paying the ransoms have enabled the criminals who create these malicious programs to ramp up development and make the attacks more sophisticated. Risk will always be there. While it is impossible to completely eliminate the risk of getting a […]