EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.
Issue link: https://digital.eyeworld.org/i/906004
Ophthalmology Business • December 2017, continued from page 7

Employees no longer get to pick their passwords. They are assigned and regularly changed.

According to Mr. Francis, the reason for changing passwords frequently is, "When you've been hacked and they've got your password, they can continue to use your account. Once you've changed your password, they can no longer use it until you've been hacked again."

The biggest lesson the practice has learned is to pay more attention to their data security.

"There are so many demands on your financial resources that you're constantly trying to figure out whether or not you should spend more money on making your practice more secure," Ms. Bruno said. "I think that when you get that message on your computer screen that you have no access to your information, you will wish that you had taken the time and spent more money to make sure that did not happen to you.

"We have learned that we need to continually engage cyber security experts to have them regularly assess our systems and tell us where the holes are, then do what we can do to plug them," she said.

No one is immune

Apart from ransomware, phishing attacks are also common, Mr. Francis said. In cases of phishing, "the attacker may send you an email that appears to be from someone you trust like your boss or a business that you're working with. The email seems legitimate, and it will typically have some sort of urgency attached to it to make you click on the link or the document that they've sent you. It's the clicking of the link that sets off the attack," he explained.

One of the easiest ways to determine if you're being phished is to hit reply and look at the email address. If the actual sender sent it, there will be a real email address as opposed to some random one that you're not familiar with, Mr. Francis said.

Everyone will get hacked at some point, Mr. Francis said. "No one is immune. There's very little that most of us can do."

He continued, "Anti-virus software is useless. It protects about 15% of new threats, and that's because it's lucky." Anti-virus software typically looks at past cyber attacks, and it's slow to incorporate those past cyber attacks into the software, Mr. Francis said.

Not all is lost

Fortunately, data security is not a lost cause; there are more sophisticated ways in which data can be protected. One of them is through a defense in depth strategy.

"Think of a castle with a moat around that castle. Defense in depth says have five moats around your castle, you have a perimeter that you need to shore up," Mr. Francis said. Firewalls, intrusion prevention systems, intrusion detection systems, and things like that on the perimeter stop some attacks.

Other ways to protect data are through network layer protections and endpoint security that are on your laptop or PC to guard the potential entry point for security threats, Mr. Francis said. "Then there's data center security so you can stop information from going out. If they get in that's one thing, but you don't want them to exfiltrate information," he said.

There are tools that will help to detect if someone is trying to exfiltrate data, and once your security is compromised, being alerted is key. "Sometimes these attacks take time, they can take months to fully execute." If you have strong detection tools and you're able to detect it at one of the "moats," then you can potentially halt the attack.

"Teach your employees not to surf the web and not to open any emails that they're even remotely worried about. If you're worried about it, get your IT person to look at it," Mr. Francis advised.

In addition, do not put off software updates, he warned. "A lot of organizations call it patch Tuesday; that's when Microsoft typically releases the latest patches."

When it comes to patient data specifically, Mr. Francis said that it is important to limit the number of people who have administrative credentials and have access to patient data. "Once administrative credentials are compromised or stolen, then they've really got the keys to the kingdom," he said.

Contact information
Bruno: sbruno@horizoneyecare.com
Francis: cfrancis@veracode.com