personal IT security for health professionals
introduction
- most doctors tend to have a complacent attitude to the security of their personal computer and mobile devices
- until it is stolen, when they realise that not only have they not backed it up adequately and that a replacement device will take a lot of man hours to configure, but that their personal lives and potentially confidential information relating to their patients and colleagues may be in the hands of people one would prefer not to have access.
- passwords less than 20 characters are said to be easy to crack using brute force techniques
- having said that, it is likely that a thief stealing a laptop or other device is just wanting to convert it into cash and indeed they are unlikely to financially gain from any of the contents, as any sensible owner will take immediate steps to change account passwords and cancel credit cards if this data was stored on the computer, but nevertheless, such a loss will cause stress and much inconvenience and time wasting.
- be aware that there are a few gotchas associated with theft of your personal belongings from work:
- hospital insurance may cover loss of stolen goods within the hospital if no other insurance covers it (you may be up for an excess of $2500), but perhaps incidentals such as need to change car keys or house keys may not be covered.
- the cost of having your car keys changed may be ~$2000 for some models; AAMI will only reimburse you up to $1000, and that is after the excess has been paid. In other words, AAMI may only be giving you $500 net to cover your $2000 key changeover, and if you do not take “reasonable” steps to ensure the safety of your car by changing the locks and not driving it to a hospital car park until they are changed, they may not cover you if your car is then stolen!
- a similar scenario would apply to your house keys if they are stolen.
- your house and contents insurance is unlikely to cover any items used for business use
basic rules
ALWAYS show file extensions
- by default Windows hides file extensions to make things look simpler - but this allows hackers to trick you very easily
- they can email you with a “photo” attachment named MyHolidayPic.jpg.exe which is actually a malware executable file, but if you have extensions hidden all you will see in the attachment or in File Explorer is a harmless looking MyHolidayPic.jpg file which when you open will run the malware and give the hacker full access to your computer
- see https://www.youtube.com/watch?v=AZkiKB6Fzf4 on how to do this hack so you are forewarned and forearmed
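A way to check for this on your own machine, as an added example that is not part of the original page: the PowerShell below reports whether Explorer is currently hiding extensions and lists files whose name ends in a decoy extension followed by an executable one. The function names, the extension lists and the sample file names are assumptions made for the example.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.

# Extensions Windows will run or interpret when double-clicked (not exhaustive).
$ExecutableExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                 '.vbs', '.vbe', '.wsf', '.hta', '.lnk', '.msi'
# Extensions commonly used as the harmless-looking decoy in front of the real one.
$DecoyExt = '.jpg', '.jpeg', '.png', '.gif', '.pdf', '.doc', '.docx',
            '.xls', '.xlsx', '.txt', '.mp3', '.mp4', '.zip'

function Test-DoubleExtension {
    # True for names such as MyHolidayPic.jpg.exe, including variants padded
    # with spaces before the real extension ("report.pdf   .scr").
    param([Parameter(Mandatory)][string]$Name)
    $real  = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $decoy = [System.IO.Path]::GetExtension($stem.TrimEnd()).ToLowerInvariant()
    return ($ExecutableExt -contains $real) -and ($DecoyExt -contains $decoy)
}

function Get-FileExtensionVisibility {
    # HideFileExt: 1 or absent = extensions hidden (the Windows default), 0 = shown.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($val -eq 0) { 'shown' } else { 'hidden' }
}

function Find-DoubleExtensionFile {
    # Lists matching files under a folder; defaults to the Downloads folder.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DoubleExtension $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names showing what the test flags.
'MyHolidayPic.jpg.exe', 'MyHolidayPic.jpg', 'report.pdf   .scr', 'setup.exe', 'notes.v1.txt' |
    ForEach-Object { [pscustomobject]@{ Name = $_; Suspicious = (Test-DoubleExtension $_) } } |
    Format-Table -AutoSize

"Explorer file extensions are currently: $(Get-FileExtensionVisibility)"
Find-DoubleExtensionFile | Format-Table -AutoSize
```

If the script reports "hidden", turn on File name extensions in the File Explorer View options so the real extension is always displayed.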
avoid being phished or quished
- in general, do NOT click on a link in a SMS message or an email, or open a link from a QR code UNLESS you are absolutely sure it is safe, and even then, VIEW the URL BEFORE clicking on it very carefully to ensure it is what you would expect - check carefully for spelling issues or font changes which make it look like it is the correct website but is actually sending you to a malware website which can then either install malware onto your device or trick you into providing your log in details and password
- ads on social media sites such as Facebook are renowned for sending you to fake retail websites which mimic the real websites - if in doubt check their About page and look for suspicious clues, if it is too good to be true it probably is too good to be true.
- even on Android phones you can click on a link to install an Android APK app which is actually malware giving full access of your phone to the hacker - see https://www.youtube.com/watch?v=F_ZmGIwkkH0
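The "view the URL before clicking" check can be made mechanical. The PowerShell below is an added example, not part of the original page: it compares the host name in a link against a short list of sites you actually use and explains why a link is accepted or rejected. The trusted list, the sample links (all on reserved .example/.test names) and the function names are constructed for the example, and the two-edit threshold is a heuristic that can misfire on very short domain names.

```powershell
# Added example (not from the original page). The trusted list is constructed
# sample data on the reserved .example domain; replace it with sites you use.
$Trusted = 'mybank.example', 'health-portal.example'

function Get-EditDistance {
    # Levenshtein distance: number of single-character edits between two strings.
    param([string]$A, [string]$B)
    [int[]]$prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object 'int[]' ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1),
                                   $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-LinkHost {
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return 'REJECT: not an absolute URL'
    }
    if ($uri.Scheme -ne 'https') { return "REJECT: scheme is $($uri.Scheme), not https" }
    # Anything before '@' is a user name; the real host comes after it.
    if ($uri.UserInfo) { return "REJECT: '$($uri.UserInfo)@' is a user name, not the site" }
    if ("$($uri.HostNameType)" -ne 'Dns') { return "REJECT: host $($uri.Host) is a raw IP address" }

    # IdnHost (.NET 4.6+) gives the punycode form, exposing non-ASCII letters.
    $h = $uri.IdnHost.ToLowerInvariant()
    if ($h -match '(^|\.)xn--') { return "REJECT: $h hides non-ASCII lookalike letters" }

    foreach ($t in $Trusted) {
        if ($h -eq $t -or $h.EndsWith(".$t")) { return "OK: $h belongs to $t" }
    }
    foreach ($t in $Trusted) {
        if ($h.Contains($t)) { return "REJECT: $t is only a prefix or fragment of $h" }
        # Compare the same number of trailing labels as the trusted name has.
        $n    = $t.Split('.').Count
        $tail = ($h.Split('.') | Select-Object -Last $n) -join '.'
        if ((Get-EditDistance $tail $t) -le 2) {
            return "SUSPICIOUS: $tail is within 2 edits of $t"
        }
    }
    return "UNKNOWN: $h is not on your trusted list"
}

# Constructed sample links; the sixth contains a Cyrillic 'a' (U+0430).
$samples = @(
    'https://www.mybank.example/login'
    'https://rnybank.example/login'
    'https://mybank.example.secure-login.test/'
    'https://mybank.example@203.0.113.7/'
    'http://www.mybank.example/'
    "https://myb$([char]0x0430)nk.example/"
    'https://news.example.org/'
)
$samples | ForEach-Object { [pscustomobject]@{ Url = $_; Verdict = (Test-LinkHost $_) } } |
    Format-Table -AutoSize -Wrap
```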
backup to at least 2 separate devices
- if your data, photos, etc are important to you, make sure it is backed up adequately and frequently so there are at least 2 separate copies in different locations at all times
- it is very easy to lose 1 copy unexpectedly through accidental deletion, corrupt files, hard disk failure, loss, or theft.
- hard drives do fail - it seems Hitachi and Western Digital are much better than Seagate in this regard 1)
- writing to an external hard drive formatted in NTFS from a MacOS computer may corrupt the drive formatting - do NOT do this!
- use ExFAT formatting for external hard drives
protect and encrypt data
- password protection
- password protect sensitive Office documents and zip files
- consider password protecting links to shared files on DropBox:
- encrypt important data
- see encryption of drives at bottom of this document
- remember, using public WiFi allows others to see your data and passwords being sent to the internet - use encrypted connections (use https websites not http, or use a VPN)
- encrypt files or folders which you sync to online cloud services such as DropBox, SkyDrive or GoogleDrive
- see BoxCrypt - free for private use for up to 5GB data on only 1 service and max. 2 devices - just don't lose your password!
- erase data if device is stolen
- set iPhone to automatically erase all data if > 10 failed PIN tries
- consider installing remote access capability to remotely wipe the data - easy on an iPhone, not so easy on computers but possible using remote desktop technologies such as Log Me In
- unfortunately this will not help if thieves steal it from you while you are using it as can happen in public places, or if they force you to unlock the phone
physically secure devices
- don't take sensitive data in mobile devices such as laptops unnecessarily and if you do, ensure reasonable physical security measures to avoid theft
enable two-factor security for accounts
- this reduces potential for your account to be hacked - as long as the hacker does not have your phone or has sim ported your phone!
- BUT can be problematic for international travel:
- it seems this may not suffice: in 2022, one victim had 2-factor authentication to her phone for her myGov account, yet someone created a bogus myGov account, linked this new profile to her ATO account using her tax file number (TFN), her date of birth and another credential, and then severed her ATO account from her genuine myGov account. This prevented her from accessing her ATO tax refunds, which were then re-directed to other bank accounts. As of 2022, all that is required to create a myGov account is an email address, no proof of identity is necessary and there is no limit on how many accounts can be opened.2)
- sim porting
- if a person has enough ID, including your mobile number, to convince a telecommunications provider to switch your mobile phone number to them and issue the person with a new sim card, then when they activate it your phone will go into SOS mode as your sim will no longer be active. If the person can then access your email or bank accounts to do transactions, they have a phone to respond to your bank's or email provider's two-factor authentication, such as for a change of password
- ACMA introduced mandatory rules for telcos in April 2020, aimed at preventing sim porting by requiring the companies to use robust multi-factor ID checks prior to transferring a number to a new service and this has reduced sim porting fraud by 95% but it is still happening and people are having large amounts of money transferred out of their bank accounts.
- not much you can do to protect yourself from this one apart from limiting the amount of ID information about you online
- if you use a credit card for online purchases, you normally need to add your physical address so that the credit card will be processed, hence where possible, you should use something that does not need your address to be submitted such as use PayPal and then have the postage sent to a PO Box or someone else's address so your physical address is not recorded online
- do not use your real date of birth online unless absolutely necessary - ie. not on Facebook!
- use a separate phone for all your important two-factor authentications and don't publish this phone number on any online site - especially not online purchases
portable mobile devices
- the easiest way to get to your bank account is via accessing your email by stealing your smartphone and accessing it - either by taking it while it was unlocked or by using sophisticated tools
- once they have access to your email account and your phone they can reset your online passwords, take control of your accounts and lock you out of your email accounts
- DO NOT throw out smartphones / laptops / etc into e-waste unless you have deleted important apps such as banking apps, deleted email accounts on the phone, and reset the phone to factory settings
- if you can remove the hard drive from a device, do so and physically destroy it with a sledge hammer before discarding, or, as a minimum, erase it using special secure erase software (normal erasing or deleting can usually be recovered by hackers)
- If you want ultimate control of your phone and the best privacy and perhaps best security - consider a Google Pixel phone and change it to use GrapheneOS
- this is relatively easy to do as long as the phone is not locked to a provider
- once GrapheneOS is installed you can access most if not all Android apps and none of the Google tracking will be on there unless you put it on there
- best of all, you can create multiple user accounts which are all sandboxed, so you could have one account in which Google Play store is enabled, and a separate account for all your banking and 2 factor authentication while the main account has neither of these so if your phone gets stolen, it is that much harder for the thieves to access your bank accounts
- this will not be possible on a Samsung phone or an iPhone
iPhone and iPad
- ensure you have the latest firmware installed
- set a PIN code that will not be too easy to guess (ie. NOT 1234)
- BUT even a PIN is not secure
- thieves may steal it while you are using it or force you to unlock it
- in Settings:General set the following:
- Auto-Lock to 1-15 minutes or Immediate
- Passcode Lock = ON, Siri = OFF (disable Siri bypassing PIN-locked phone status), Erase Data = ON (automatically WIPE / ERASE ALL data from device after 10 incorrect PIN code attempts - this is critical otherwise thieves WILL be able to hack your pin code)
- in Settings:iCloud set:
- Find My iPhone = ON (this will enable you to locate your phone via another Apple device or via iCloud if lost as long as it is on and has network access, it will also allow you to remotely wipe all the data, then you can contact your telephone network provider to cancel the microSim card)
- account = your iCloud account (NOTE if you share your iTunes account with family members, ensure you have your own different iCloud account)
- turn backup ON for all items you wish to back up to iCloud (in particular, Contacts, Calendars, Reminders, Bookmarks, Documents and Data), you may wish to not back up your Photostream to iCloud to save space as you only get 5GB free.
- Storage and Backup: iCloud Backup = ON
- if you are negligent, lazy or just plain foolish and have not set a security pin to lockup the phone, you have a last chance to do this if it does become stolen or lost by using Find My Phone (assuming you have at least enabled this function and have an iCloud account set up and you know your log in and password to it) to set the pin and lock the phone and at the same time sending a message to the finder to call a phone number and this number can be called from the phone even whilst locked.
- if you forget your PIN, here is how to remedy it but you must have access to a computer which has been used to sync that phone before - see http://www.gottabemobile.com/2014/04/30/what-to-do-if-you-forgot-your-iphone-passcode/
- anyone with forensic software such as Elcomsoft iOS forensic toolkit / Elcomsoft Phone Password Breaker (EPPB) / Oxygen / Cellebrite can get past your iPhone/iPad password if they have your iPhone or iPad
- hackers can also use tools such as iBrute to hack your iCloud account password and download your entire backup onto their iPhone
- NOTHING on the internet is totally secure!!!
laptop and desktop computers
- very basic security is to ensure all users must log onto the computer with a password or biometric fingerprint access
- ensure only reliable and knowledgeable users have admin rights, all others should have guest account rights only to reduce risk of viral attacks as well as physical attacks.
- Of course, you need up to date antiviral software installed and a firewall installed to help prevent viral attack but even then you must be aware NOT to click on links within phishing scam emails, SMS or social media messages and don't respond to and give out passwords or the like to cold call phone calls which purport to be from Microsoft or the ATO, etc.
- the above might seem OK but most computer literate guys can hack through all your information with ease if they have physical access to the computer
- sure you can password protect individual important files such as Microsoft Word, Excel and databases, but these won't protect everything such as your email, contacts and general documents and in any case, these passwords tend to be quite low levels of security which can generally be accessed by a determined person.
- furthermore, when you delete a file, the file is not actually deleted from the physical drive but only appears to be deleted - a computer savvy person can analyse the raw data on a drive to detect this data. If it is really important, after deleting the file, either add non-sensitive data to fill the drive up and over-write the data, or use special software to securely erase the data.
- a particular risk is the use of USB drives which are extremely easy to have lost or stolen.
- your peace of mind is likely to be far more important than this poor attempt at security, so YOU MUST ENCRYPT your data as well as ensure it is BACKED UP!!
- if your laptop has security technology from Absolute pre-installed in the BIOS at the factory, then you have the option of paying a subscription for their LoJack for Laptops software to activate this technology which will allow you to remotely delete files and lock down the laptop as well as potentially locate it in a similar manner to your iPhone or iPad.
- securing your Windows 10 computer for when it will no longer be supported after Oct 2025
- make a Windows 10 install USB drive (as below) in case you need to re-install - MS probably won't be hosting this access after Oct
- at https://microsoft.com/en-us/software-download/windows10 select the download under Create Windows 10 installation media, run it and select the USB option
- in Windows Security:
- ensure enable Tamper Protection is turned on
- consider enabling Ransomware Protection for various document folders which may be important to you BUT I probably wouldn't do this as it may have adverse effects (and you should just regularly back these up)
- in Firewall, block inbound connections for each profile - public, private
- in Windows Features:
- ensure SMB 1.0 File Sharing is turned off
- ensure Telnet client is turned off
- ensure TFTP client is turned off
- in Windows System Remote settings
- ensure Allow Remote Assistance is turned off
- change some Registry settings to further protect your system
- add NoAutorun to Explorer policies so malicious software on a USB drive won't automatically run when it is inserted
- set Enabled to false (0) in Windows Script Host settings to turn off running scripts
- in PowerShell:
- run Set-ExecutionPolicy AllSigned then Y to ensure any script is signed properly before allowing it to run
- remove obsolete software such as Adobe Flash or old Java
- ensure your software is up to date
- never hide file extensions in the explorer view - helps avoid social engineering exploits
- never allow Windows to automatically install printers or devices it finds on the network - this helps prevent hacked Internet-of-Things devices being presented as “printers” to your computer to trigger unwanted behaviours.
- alternatively, you can install Windows 11 even though Microsoft says your computer is not compatible:
- only do this if your Windows 10 machine runs fast as Windows 11 may be even slower, and ensure you have backed up all your data before doing this
- see https://www.youtube.com/watch?v=C_p3dBrr_Sg which uses the FlyBy11 tool to install “Windows Server” which doesn't do all the “incompatibility checks”
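The Windows 10 settings listed above can be checked in one pass. The PowerShell below is an added example, not part of the original page: a read-only audit that reports each setting, the value the list asks for and the value actually found. The function names are made up for the example; the registry paths and optional-feature names are the standard Windows ones and are not given on the page.

```powershell
# Added example (not from the original page). Read-only audit: it changes
# nothing. Run it in an elevated PowerShell session on Windows 10.

function Get-RegValue {
    # Returns $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Finding {
    param([string]$Setting, $Expected, $Actual)
    [pscustomobject]@{
        Setting  = $Setting
        Expected = "$Expected"
        Actual   = if ([string]::IsNullOrEmpty("$Actual")) { '(not set)' } else { "$Actual" }
        Pass     = ("$Actual" -eq "$Expected")
    }
}

function Get-HardeningAudit {
    # Windows Security: Tamper Protection
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    New-Finding 'Defender Tamper Protection' $true $mp.IsTamperProtected

    # Firewall: effective (ActiveStore) settings for the public and private profiles
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore -Name Public, Private) {
        New-Finding "Firewall $($p.Name): enabled" 'True' $p.Enabled
        New-Finding "Firewall $($p.Name): default inbound action" 'Block' $p.DefaultInboundAction
    }

    # Windows Features: SMB 1.0, Telnet client, TFTP client
    foreach ($f in 'SMB1Protocol', 'TelnetClient', 'TFTP') {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue).State
        # DisabledWithPayloadRemoved counts as disabled.
        New-Finding "Windows feature $f" 'Disabled' ("$state" -replace '^Disabled.*$', 'Disabled')
    }

    # System > Remote settings: Allow Remote Assistance
    New-Finding 'Remote Assistance (fAllowToGetHelp)' 0 `
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp')

    # Registry: NoAutorun in the Explorer policies key
    New-Finding 'Explorer policy NoAutorun' 1 `
        (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoAutorun')

    # Registry: Windows Script Host (absent value means scripts are allowed)
    New-Finding 'Windows Script Host Enabled' 0 `
        (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled')

    # PowerShell execution policy set with Set-ExecutionPolicy AllSigned
    New-Finding 'Execution policy (LocalMachine)' 'AllSigned' (Get-ExecutionPolicy -Scope LocalMachine)

    # Explorer: file extensions shown for the current user (absent = hidden)
    New-Finding 'Explorer HideFileExt' 0 `
        (Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt')
}

Get-HardeningAudit | Format-Table -AutoSize
```

Once the execution policy is AllSigned, an unsigned copy of this script saved as a .ps1 file will be refused, so paste it into the elevated console instead.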
create flash drives to help repair your PC if it crashes BEFORE it crashes
- you need two 8GB or larger USB flash drives
- 1. make a Windows Installer Disk on one of the USB drives
- this will allow you to check your hard drive, check your file system, run system restore, etc
- download Windows Media Creation Tool (search for the Microsoft page and find Download Now for Create Windows installation media)
- run the file
- plug in your USB drive and note which drive letter has been assigned to it
- choose Create installation media, usually tick the Use the recommended options for the PC box, then select USB flash drive then choose the drive letter for your USB drive
- once it is finished, remove the USB drive, label it and put it in a safe place
- 2. make a Hiren's Boot Disk
- this installs a wide range of Windows apps and tools onto the USB drive which can be run from the USB when it has been booted even if Windows is not functional
- follow instructions at https://www.hirensbootcd.org/usb-booting/ but DON'T click on the large START DOWNLOAD (free) buttons on the page - not sure where they take you!
- search for Hiren's boot USB and find the one which takes you to https://www.hirensbootcd.org, find the installer file (was ISO2USB.exe but now is Rufus) and download it
- on the website, go to Download at top menu, at bottom of page you should see HBCD_PE_x64.iso, download this file (ensure it is correct Windows version)
- insert the 2nd USB drive, note the drive letter
- run the Rufus file and it should automatically detect the iso file you just downloaded, choose the correct drive letter for the USB drive, choose “Partition scheme” as “MBR” and “File system” as “FAT32”, give the drive a label, then click the start button to install it onto your USB drive
- to use these USB drives, you will need to insert the USB drive, reboot your PC and boot from the USB drive (you may need to hit F12 for Dell or ESC-F9 for HP during the re-boot process to bring up the boot options), select the USB drive to boot from
- USB disc 1 will bring up a screen giving options to install Windows or Repair - choose Repair, then you get a few options such as troubleshoot, system restore, system image recovery, command prompt, etc
- USB disc 2 will give you access to all kinds of tools to help repair your PC including hard disk diagnostics and repair tools, partition tools, boot tools, etc
backing up Windows PC
- Microsoft have deprecated their Windows 7 backup technology and replaced it with a new backup technology in Windows 8 and Windows 8.1 which they call File History
- However, you can still use the Windows 7 system as it has been renamed as “System Image Backup” (in Windows 8 it was called Windows 7 File Recovery) which can be found in left lower corner of the Windows 8.1 Control Panel : File History
- Windows 8 File History:
- backs up files automatically (if turned on) to a designated external drive
- if you disconnect your removable hard drive or the network share becomes inaccessible for a period of time, Windows will create a local cache of files to save on the drive when you next connect it
- BUT ONLY backs up files in your “libraries”, desktop, contacts and favourites, and you can specifically exclude folders
- to force another folder to be backed up, you can simply add it to one of your libraries
- unfortunately, this may have the unintended consequence that all these files will then be displayed in your Metro app (for instance if you have a folder of all your photos as a backup but only have your best photos in a photo library, you will end up with ALL your photos displaying in your photo app if you include that folder in your library so it can be backed up)
- you may prefer to just manually copy these other folders to an external drive
- the backed up file can be accessed via either:
- right click a folder or file in Windows Explorer and select history, or,
- use the Restore personal files link in the File History Control Panel
encrypting disk drives
MS Windows computers
MS BitLocker software
- unlike EFS, BitLocker does not depend on the individual user accounts associated with files. BitLocker is either on or off, for all users or groups.
- thus to prevent other Windows users accessing your files, you still need to use another encryption tool such as EFS or VeraCrypt
- if you are a MS Windows user buying a new computer or wishing to upgrade the operating system, then you should strongly consider buying the PRO or ENTERPRISE version of MS Windows 10 64bit (assuming you have a computer with 4GB RAM or more to run the 64bit version, otherwise get 32bit).
- the reason for this is that the PRO and Enterprise are the only versions to include BitLocker drive encryption software which will make your life so much easier than other encryption software.
- it will also allow encryption of your removable drives including USB drives
- unfortunately, it may not be as easy as one would like, but that is the price to pay for peace of mind.
- in particular, you may have to enter the very long recovery key if recovery mode is triggered such as with any hardware change!
- BitLocker requires the Trusted Platform Module (TPM), a special microchip in some newer computers that supports advanced security features.
- unlike EFS, it can only be enabled or disabled by an Administrator user.
VeraCrypt
- as of May 2014, TrueCrypt is no longer maintained and thus is no longer secure; however, VeraCrypt has taken this on and provides a new and backwardly compatible system
- see http://truecrypt.sourceforge.net/ on how to convert existing TrueCrypt volumes to BitLocker volumes
VeraCrypt:
- if you don't have BitLocker, or you wish to block other users accessing your files, then consider VeraCrypt which is a free for non-commercial use open source encryption software technology which can also be used on MacOS and on external hard drives.
- to read a VeraCrypt encrypted file volume, VeraCrypt must be installed on the computer (this requires local admin rights, so unlikely you can use a hospital computer to read your encrypted files, although once installed, a non-admin can read/write to the encrypted volume as if it was another drive once VeraCrypt has mounted it as a drive using the correct password).
- consider creating a backup of the header in case it gets corrupted and makes your data inaccessible even with a password
- allows various types of encryption to be created:
- file volumes on a drive which must be mounted as a drive via TrueCrypt software and password
- can use hidden volumes but these can be problematic as adding data to the outer volume may corrupt the hidden volume accidentally unless you have set this not to happen each time you mount the outer volume.
- non-system partitions - not recommended for beginners
- system drives including the operating system
- creates a Rescue Disk boot CD and uses the original password made at time of this disk. This allows:
- boot from CD for those not wanting to install TrueCrypt boot loader onto the hard drive as they use alternate boot loaders
- restoration of a corrupted HDD boot loader
- restore corrupted master key of a normal or outer partition/drive
- restore volume header of hidden volume
- decrypt a corrupted encrypted operating system drive to allow MS Windows boot disk to repair it
- can encrypt a Win7 64bit system drive but not a MacOS system drive
- requires user to enter a pre-boot password authentication - you must have pre-boot support for USB keyboards enabled in the BIOS
warning - possible data loss
- deleting the encrypted file volume is very easy to do accidentally as it seems like any other file but without an extension - deleting it will lose your data inside it!
- the encrypted file volume is at risk of being corrupted and permanently inaccessible if you do either of the following:
- place data in a hidden volume and forget to go through the correct process to protect it when mounting the outer volume and then add data to the outer volume
- physically remove a removable mounted encrypted drive before using VeraCrypt to dismount it - very easy to pull the wrong USB cable out!!
removing VeraCrypt encryption
- system partition - just decrypt
- file volume - mount volume, copy any wanted files elsewhere, dismount volume, then delete the volume file
- partition-hosted volume - use Computer Management to reformat the partition after extracting any required data from it and dismounting it.
- device-hosted - use Computer Management to “Initialise Disk” and create a new partition
MS EFS folder encryption
- an old encryption technology introduced in Microsoft Windows 2000 and the NTFS 5.0 file system
- the encryption applies at the user account level, and thus is not suitable for encrypting the system files (unlike BitLocker)
- it is easily hackable (unless you also use BitLocker)
- mainly only useful for preventing other users readily accessing your files.
- the EFS system uses both public and private key encryption and CryptoAPI architecture.
- if you have Windows XP or later and Home Premium edition or higher (but EFS is not fully supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium), and your drive is NTFS and not FAT32, then you may consider using EFS folder encryption
- right click on the folder in My Computer, and select Properties then in the dialog box, under General, click on Advanced, then there is a checkbox to tick Encrypt data
- if you do this, not even an Admin can open the files you create in this folder although they can view the contents of the folder
- one of the distinguishing convenient features of EFS is that the files remain encrypted when they are transferred to a different folder or to a different NTFS drive.
- access to these encrypted files may be lost if either:
- system does not boot (you can't just attach the hard drive to another computer as the encrypted folder will not be readable)
- the user's password has been reset by an administrator without entering the old password
- the user profile has been deleted
- the user is migrated to a different domain
- operating system is re-installed
- THUS BEFORE USING EFS, SET UP THE EFS RECOVERY AGENT AND BACK UP the private key and the associated recovery certificates for each user account who will be using encryption
- if you do not have a back up copy and your operating system becomes corrupted or fails, you may NEVER be able to access the encrypted files although Advanced EFS Data Recovery software may be able to recover the data in certain circumstances
- these should be exported to a removable media which is stored safely away from the computer
- for best security, these should be removed from the computer
external portable hard drives
- these are now very cheap but unfortunately the vast majority are minefields for security disasters, unless you use the above encryption technologies.
- a far better, albeit more expensive, alternative is the new drives with biometric fingerprint and built-in encryption, which are also less likely to self-destruct when dropped than normal drives.
it/security.txt · Last modified: 2025/09/09 00:22 by gary1