03 October 2013
Information provided by the Police National Cyber Crime Centre (NC3)
International trends show that GP surgeries are currently being targeted by cyber criminals, and the NZ Police National Cyber Crime Centre (NC3) is concerned that New Zealand surgeries may also be vulnerable to such an attack.
A 'ransomware' attack leads to computers being locked and all data encrypted, making the system completely unusable. The offenders then demand a ransom to decrypt the data. It is not currently known if any of the surgeries affected have been able to decrypt the data themselves or if they have achieved that by paying the ransom of over $20,000.00. Police advice is not to pay; other ransomware attacks have not led to data being decrypted.
It is important to note that when servers are accessed in this way, confidential patient information, email accounts, usernames and passwords (if stored in plain text) and third-party systems can also be accessed.
What can you do?
It is very important that you:
- make sure all servers and firewalls are maintained with up-to-date software and patches and updates carried out automatically
- make sure that anti-virus software is maintained and updated daily automatically
- make sure there is a full back up for your data that is protected (from intruders) should your main system fail
- make sure all passwords are at least 8 digits long, with a combination of lower, upper case, numbers and special characters, e.g. Jr8633*@$
- do not save passwords on the system in plain text
- do not use the same password for multiple users
- do not share passwords or write them down next to your computer where other staff or customers can see them (even if they have to look for them)
- do not use the same passwords across different system logins (if one gets compromised, the rest will follow)
- do not email your username and password to anyone
- do not use the username “Admin” or password “password” (If you do, your data has probably already been compromised, scan your computer system now!)
- have a recovery plan in case your system becomes unusable through malicious software or physical damage.
If your system does get compromised, you will need to consider how you would recover and who you would need to tell. The Privacy Commission can assist with advice.
Prevention is better than cure, but then you already know that.