
Cybersecurity: What is a DDoS attack? How does this affect a Long Term Post-Acute Care (LTPAC) medical group?


Hopefully by now you’ve heard of the Distributed Denial of Service (DDoS) attack on Friday, October 21st against the Dyn Domain Name System (DNS) servers that caused an ‘internet blackout’ to some of the most frequented and most popular websites. The DDoS attack flooded the DNS servers with so much traffic they could not respond.

What is DNS? The internet operates on these complex numbers called Internet Protocol (IP) addresses. Humans use names (like Twitter.com, LinkedIn.com, etc.) to route to internet sites. The DNS servers act as the ‘White Pages’ and convert names into numbers. Technology and systems use those numbers to go places and access data. If DNS servers don’t respond with IP addresses, then your system does not know where to go.

Here is an analogy. You love your kids/grandkids and can handle all their requests at one time. Now imagine you are the only person serving pizza at a party venue on a Saturday afternoon with ten birthday parties occurring at the same time. You would get overwhelmed and be unable to answer all the kids’ requests at once.

That happened to Dyn. There were millions of devices ‘screaming’ at the Dyn DNS servers for IP address translations, and it overwhelmed the servers. Since some major groups use Dyn for their master DNS record entries, IP addresses could not be resolved and it appeared as if parts of the internet were broken.

Now that you know too much about DDoS and DNS Servers, how does this affect LTPAC medical groups?
The DDoS attack against Dyn was unique because it was not launched by a million people sitting at their computers sending the name requests, but instead used millions of “dumb” devices to send those requests. Devices like internet routers, security cameras, internet-connected TVs, DVRs, etc. are all part of the ‘Internet of Things.’ These devices were hacked and put under the control of the people responsible for the DDoS attack.

LTPAC practitioners are the definition of mobile workers. These professionals travel from nursing home to nursing home. They require internet access to do their jobs. Let’s look at a very common scenario: The practitioner connects to a wireless hotspot at a local coffee shop. It’s an open connection (no wireless password required). Does the practitioner have any idea how secure that wireless system is? When was the last firmware update loaded to address security issues? Last password change date? The practitioner has no idea. And now they have to think about the device being hacked and someone having full access to all the traffic between the practitioner’s device and the internet.

LTPAC medical groups now have to assume that ALL wireless internet connections (even those in a facility) are unsecure. Which means the internet communication a practitioner needs to do their job MUST be through encrypted channels. Need to access e-mail, office systems, secure messaging instead of text messages, etc.? All access to these systems must take place on encrypted communication transmissions.

And not all encryption levels are acceptable. The original 56-bit encryption has been broken. The industry standard today is to use Advanced Encryption Standard (AES) 256-bit encryption… until that is broken and the next level of encryption becomes the standard.

Additionally, most software and systems require adjustments to be used in an encrypted manner. All of this has direct (SSL certificates, firewalls, etc.) and indirect (IT time, staff training, etc.) costs.

Every LTPAC medical group has another risk to be reviewed in their HIPAA Risk Assessment process, specifically around mobile workforce communications. Every device that attaches to the network must be checked, updates installed and default passwords changed (don’t forget printers) as part of the IT Security risk review.

Exasperated yet? Be happy you’re not a large facility that has thousands of connected medical devices that must be checked and remediated. The medical community is at a disadvantage because of the high numbers of network connected devices.

Sometimes I think that Saturday with a hundred screaming kids wouldn’t be such a bad job…
