
Cyber Security for Healthcare Organizations: Protecting Yourself Against Common Cyber Attacks

UNCLASSIFIED | SEPTEMBER 2020 | ITSAP.00.131

As a healthcare organization, you work with highly sensitive information like personal health information (PHI), financial information, and research data, making you a high-value target for cyber threat actors. For example, PHI
is more valuable on the black market than other types of personal information. It is used to create fake insurance claims, purchase medical equipment, or fill prescriptions that can be used or sold. Cyber security might be a
new priority for you, but you don’t have to be an IT expert to protect yourself from cyber threat actors. For more information on cyber security topics, visit the Canadian Centre for Cyber Security website: cyber.gc.ca

To get you started with cyber security, we have summarized some common methods that cyber threat actors use to steal personal health data and intellectual property or disrupt the operations of healthcare organizations:

RANSOMWARE
A type of malicious software that locks you out of your systems, devices, and files until you pay the threat actor. Even if you pay, you may not regain access or prevent data from being sold or leaked online. If you are a victim of ransomware, your critical processes may be slowed down or stopped, and you may lose access to research or patient information.

PHISHING
Threat actors try to trick (phish) people into sharing sensitive information or downloading malicious software. Be aware of emails, texts, or phone calls in which you are asked to provide personal information, open attachments, or click on links. Threat actors design these messages and phone calls to look and sound legitimate.

DENIAL OF SERVICE (DoS)
A threat actor floods a target (e.g. a server) with traffic to crash systems and make websites and internal services unavailable. Threat actors use this attack to disrupt services and research activities or distract you; while you’re trying to recover, they may be trying to steal data. You may be vulnerable even if an attack is directed at one of your service providers.

PASSWORD SPRAYING
Threat actors use bots (Internet robots that perform repetitive tasks) and lists of common passwords to brute force attack (submit as many passwords as possible until the correct one is guessed) many accounts rather than just targeting an individual account. You put yourself at higher risk if you reuse a password for multiple accounts.
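Password spraying leaves a recognisable pattern in sign-in logs: one source failing against many different accounts, rather than many failures against a single account. The following is an added example, not part of the Cyber Centre publication, that detects that pattern; the log format, addresses, user names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "ISO-time source-address user result"
SAMPLE_LOG = """\
2020-09-01T08:00:01 203.0.113.7 asmith FAIL
2020-09-01T08:00:03 203.0.113.7 bjones FAIL
2020-09-01T08:00:05 203.0.113.7 cwong FAIL
2020-09-01T08:00:07 203.0.113.7 dpatel FAIL
2020-09-01T08:00:09 203.0.113.7 elee OK
2020-09-01T08:01:00 198.51.100.4 asmith FAIL
2020-09-01T08:01:02 198.51.100.4 asmith FAIL
2020-09-01T08:01:04 198.51.100.4 asmith FAIL
2020-09-01T08:01:06 198.51.100.4 asmith FAIL
2020-09-01T09:30:00 192.0.2.10 bjones FAIL
2020-09-01T09:30:20 192.0.2.10 bjones OK
"""

def parse(log_text):
    """Yield (time, source, user, ok) tuples from the assumed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        ts, source, user, result = parts
        yield datetime.fromisoformat(ts), source, user, result == "OK"

def detect_spraying(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return {source: report} for sources with failed sign-ins against at
    least min_accounts distinct accounts inside one time window."""
    failures = defaultdict(list)   # source -> [(time, user)]
    successes = defaultdict(list)  # source -> [(time, user)]
    for ts, source, user, ok in parse(log_text):
        (successes if ok else failures)[source].append((ts, user))
    findings = {}
    for source, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                # A success from the same source means that account's
                # password was guessed and should be reset first.
                hit = sorted({u for t, u in successes[source] if t >= start})
                findings[source] = {"targeted": sorted(users), "succeeded": hit}
                break
    return findings
```

Repeated failures against one account (198.51.100.4 in the sample) and an ordinary mistyped password (192.0.2.10) are deliberately not flagged; account lockout policies cover the former.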

You can start to protect your organization’s networks, systems, and information with three steps: start with cyber security awareness, make a threat actor’s job more difficult, and secure your work environment. However, these are just some
of the ways to combat cyber threats. For more information on cyber security topics and best practices, visit the Canadian Centre for Cyber Security website (cyber.gc.ca).

START WITH CYBER SECURITY AWARENESS
Take a proactive approach to security and increase your cyber security awareness through education and training activities.

Learn how to identify phishing attempts. Review some of the common characteristics of a phishing attempt, such as unfamiliar phone numbers or email addresses, spelling or grammatical errors, requests for personal information, threats, or offers that sound too good to be true.

Exercise caution when opening attachments or links. Think twice before opening an attachment or link. Attachments and links may look legitimate or harmless, but they may be malicious. Get in the habit of verifying that an embedded URL matches the link displayed in the email, typing URLs manually into a browser or search engine instead of clicking a link, and contacting the sender to verify that a request for information is legitimate.

Use additional resources. The Canadian Centre for Cyber Security website (cyber.gc.ca) has publications, blogs, and infographics on various cyber security topics, as well as alerts and advisories on relevant cyber security issues.

During the COVID-19 pandemic, the Cyber Centre has seen an elevated level of risk to the cyber security of Canadian healthcare organizations.

MAKE A THREAT ACTOR’S JOB MORE DIFFICULT
Even if you take precautions to protect yourself, a threat actor may still find a way to access accounts and information. However, you can make your devices and accounts more difficult to hack.

Use a unique passphrase or password for each account. If possible, use a passphrase instead of a password. A passphrase consists of a sequence of words and is easier to remember than the string of random characters required to create a complex password. Passphrases should include at least 4 words and be at least 15 characters long.

If sharing computers or devices, avoid selecting the ‘Remember Me’ or ‘Save Password’ option when logging into accounts. Always log out when you are done. If you need help remembering your passwords, consider using a password manager (either browser-based or stand-alone app). Be sure to protect your password manager with a strong master passphrase. If a threat actor can guess your master password, they have access to your stored passwords.

Enable multi-factor authentication (MFA). Don’t just rely on your passphrase. Add an extra layer of security with MFA, which requires you to provide at least two different ways of validating your identity. For example, you might use a password and a fingerprint to unlock a device. You can usually find the option to enable MFA under your device or account settings. Using MFA is a step that you can take to protect your accounts and information if your password is compromised by phishing, brute force, or password spraying.

© Government of Canada | This document is the property of the Government of Canada. It shall not be altered, distributed beyond its intended audience, produced, reproduced or published, in whole or in any substantial part thereof, without the express permission of CSE.

SECURE YOUR WORK ENVIRONMENT


Whether working from a designated office or remotely, you can reduce the likelihood and the possible impact of a cyber attack by adopting a few habits.

Use a secure Wi-Fi network. When working remotely, avoid using public Wi-Fi networks. If you must use one, avoid sending sensitive information or logging into sensitive accounts. Using a virtual private network (VPN) is another way to protect information if you are using a public network. A VPN is a secure encrypted tunnel through which information is sent.

Protect your own Wi-Fi network by changing the default password that was given to you by your service provider. Consider creating a guest network to reduce the number of people who are using your main network.

Use protected domain name system (DNS) services, such as Canadian Shield, that actively block known-malicious websites when you try to connect to them.

Use trusted software and applications. When at work, only use software and applications that are approved. If you need new software or applications, contact your IT department. If you are downloading software and applications yourself, be sure to download them only from trustworthy vendors.

When you see update reminders for software and applications, don’t ignore them. Updates ensure that bugs are fixed and security vulnerabilities are addressed so that you’re not leaving yourself vulnerable to cyber threats. Run updates on your devices and applications as soon as you can.

Use security tools to support your efforts. Install anti-virus software on your computers, laptops, and mobile devices. Anti-virus software helps protect you against malware by scanning files and your system.

Protect your networks and systems with a firewall. A firewall is a security barrier that filters out known-bad traffic on your network.

For any tools that you are using, be sure to run updates regularly.

Back up your information. Backing up your information ensures that if anything were to happen, such as a natural disaster or a ransomware attack, you could still access critical information and systems, carry out research, and care for patients.

When backing up information, be sure to use storage media that your organization has approved (e.g. cloud-based storage, or physical storage media like USB keys or external hard drives). Consider the type of information you are backing up; sensitive information should be encrypted or protected with a password.

Manage accounts with security in mind. There are very few people who need access to everything. Ensure that only people who need administrative privileges have these privileges. While it may be convenient to have a shared account with a password that multiple people know, you are introducing risks of a possible data or privacy breach. Ensure you have your own account and password.

LEARN MORE
The tips covered in this document are a great starting point. If you want to learn more about some of the key points identified, check out the following related publications, which are available on the Cyber Centre website (cyber.gc.ca).

Cyber Threats:
• Cyber Threats to Canadian Health Organizations (AL20-008)
• Don’t Take the Bait: Recognize and Avoid Phishing Attacks (ITSAP.00.101)
• Ransomware: How to Prevent and Recover (ITSAP.00.099)
• Protecting Your Organization Against Denial of Service Attacks (ITSAP.80.100)
• Have You Been Hacked? (ITSAP.00.15)

Best Practices and Tips:
• Best Practices for Passphrases and Passwords (ITSAP.30.032)
• Password Managers—Security (ITSAP.30.025)
• Rethink Your Password Habits to Protect Your Accounts from Hackers (ITSAP.30.036)
• Secure Your Accounts and Devices with Multi-Factor Authentication (ITSAP.30.030)
• How Updates Secure Your Device (ITSAP.10.096)
• Security Tips for Remote Work (ITSAP.10.116)
• Virtual Private Networks (ITSAP.80.101)
