Why is website security such a big issue for businesses and medical practices?
One recent high-profile example of medical hacking is the pathology lab Australian Clinical Labs, which made headlines for all the wrong reasons in October 2022 after patient Medicare numbers, credit card numbers and sensitive patient information were posted on the dark web. In the same month, Medibank revealed the records of some 4 million customers were compromised in a large-scale cyber attack, with many customers concerned they would be targeted by scammers.
In August 2023, a cyber attack in the US shut down computer systems in several hospitals, resulting in ERs being shut down and ambulances being diverted.
And even for small operators, the stakes are high.
According to a 2023 report from the Australian Institute of Criminology, in a survey of 13,887 computer users:
– 27% reported being victims of online abuse and harassment
– 22% had been a victim of malware
– 20% had been a victim of identity crime and misuse
– 8% were victims of frauds and scams
– 47% of respondents experienced at least one cybercrime in the 12 months prior to the survey, including 34% who had experienced a data breach
– 22% of respondents who owned or operated a small to medium business said their business was negatively impacted by cybercrime.
Why do people hack websites and how exactly are medical practice websites at risk?
People hack websites in a variety of ways and for a variety of reasons.
Here are some common schemes.
1. Phishing
Phishing is a common technique where a hacker creates a web page in order to steal money or the personal information of users via forms. This information is then on-sold to other hackers or can be used to set up fraudulent credit cards.
2. SQL injection attacks
SQL injection is one of the most common attacks used to extract and re-organise data in a database. If a hacker manages to penetrate an SQL database, this can effectively give them access to and control of the database, and they can use that information to gain access to the website and its customer information.
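To make the attack concrete from the defender's side, here is an added example (not DigiMed's code or a WordPress core API example) of the coding mistake that lets an SQL injection through, beside the fixed version. The custom table name, column names and function names are assumptions; the only real WordPress calls are $wpdb->prepare(), $wpdb->get_row(), sanitize_text_field() and wp_unslash().

```php
<?php
// Added example, not DigiMed's code. Looks up a patient enquiry by its reference
// number in an assumed custom table `{prefix}patient_enquiries`.

// VULNERABLE: the request value is pasted straight into the SQL string, so a
// crafted value can change the structure of the query instead of being treated
// as data. This is the pattern an injection attack relies on.
function digimed_example_lookup_unsafe( $reference ) {
    global $wpdb;
    $table = $wpdb->prefix . 'patient_enquiries'; // assumed table name
    $sql   = "SELECT id, email FROM {$table} WHERE reference = '" . $reference . "'";
    return $wpdb->get_row( $sql );
}

// HARDENED: $wpdb->prepare() binds the value as a %s placeholder, so whatever
// the visitor typed is escaped and can only ever be compared as a string.
// The table name is still interpolated because it comes from the code, not
// from the request.
function digimed_example_lookup_safe( $reference ) {
    global $wpdb;
    $table = $wpdb->prefix . 'patient_enquiries'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE reference = %s",
        sanitize_text_field( $reference )
    );
    return $wpdb->get_row( $sql );
}

// Usage: read the reference from the request, then go through the safe path only.
$reference = isset( $_GET['ref'] ) ? wp_unslash( $_GET['ref'] ) : '';
$row       = digimed_example_lookup_safe( $reference );
```

The rule of thumb this illustrates: any value that originates from a browser (query string, form field, cookie, header) goes into a query only through a placeholder, never through string concatenation. Reviewing a site's theme and plugin code for the unsafe pattern is a quick, high-value check before any hardening package is applied.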
3. Brute force attacks
A brute force attack is where the hacker tries many different combinations of usernames and passwords until they get into the system, assume the identity and extract money from unsuspecting people. Essentially, if a website is not secure, someone could brute force the website logins (attempting 1000 bulk logins at a time).
4. DNS (Domain Name System) spoofing
DNS spoofing is where hackers poison the cache of a DNS server so that it sends visitors to a different website altogether.
5. Voice cloning
Another scheme doing the rounds is voice cloning, where a person's voice is extracted from a video on their website or from a voice message. It is then cloned and sent to loved ones.
Why do hackers target medical websites specifically?
Hackers have many reasons why they would hack a medical website.
Patient information is one of the key reasons why hackers target medical providers. The aim could be to resell the data, to hold the site owner to ransom, or to scam individual patients directly with email campaigns.
Another common reason is that they resell the back end of the website to other hackers on dark web marketplaces so those hackers can carry out their own malicious work.
“Just this year DigiMed had one medical client whose website we cleaned, rebuilt and relocated hosting after the server used by the client’s previous marketing company had been hacked,” says Xavier Murtagh, Digimed’s Digital Strategy and Cyber Security Expert.
“There was no existing patient medical or financial information stored on their website. But it still meant that a third party could collect new patient data from enquiries relating to new appointments with the doctor. This information could then potentially be used to sell to other hackers, help provide information to set up fraudulent credit card accounts, bragging rights on hacking forums (for the hacker), extol a political message and/or potentially steal/sell backlinks to competitors (advertise your competitors/other websites within your website's code).”
Can website owners be liable for cyber attacks?
With so many hacking and website scams rife globally, company directors are now duty-bound to ensure their company has adequate cyber security and an ability to recover from an attack, or they can face action by the regulator ASIC.
“None of us has control over the security of a third-party provider,” says ASIC Chair Joe Longo, speaking recently at the Australian Financial Review Cyber Summit.
“Cyber preparedness is not simply a question of having impregnable systems. That’s not possible,” he said.
“Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”
“No website is 100% impenetrable,” agrees Xavier.
“But cyber security is not just a buzzword anymore. It’s increasingly becoming a compliance issue and it’s important for businesses to demonstrate they are taking adequate measures to harden their websites and protect their clients’ data and privacy.”
So what are small businesses to do – especially when there are limited budgets and there’s not a huge IT department to lean on?
DigiMed is now delighted to offer all existing and new clients an affordable security product.
These annual $700 (+GST) packages, which work for all WordPress websites, include:
– Protection against clickjacking attacks (by default the plugin settings only allow frames if the frame is hosted on the same domain as the page itself)
– Protection against cross-site scripting (XSS) attacks by restricting the website from being embedded in frames from other domains.
– Protection against mixed content on a web page. The “block-all-mixed-content” directive ensures that all mixed content (HTTP resources on HTTPS pages) is blocked, maintaining a secure connection.
– Blocking of any attempt to load plugin objects on the web page; with the default settings the browser refuses to load them
– Limiting the referrer information sent to other domains, reducing the risk of data leakage
– Enforcing strict transport security: the “Strict-Transport-Security” header ensures that the website is always accessed over a secure HTTPS connection, preventing downgrade attacks
– Preventing browsers from guessing (sniffing) the content type, reducing the risk of executing malicious files
– Expert support and guidance
– Customisable settings and flexible configurations specific to the client's server
– Multiple layers of security for the website
– Enhanced privacy and data security
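The header-based protections in the list above map onto a small set of HTTP response headers. As an added example (not DigiMed's plugin or its configuration), the following WordPress must-use plugin sends that header set on every response; the plugin name, function name and the exact policy values are assumptions chosen to match the bullets, and the only real WordPress APIs used are the `send_headers` action and `is_ssl()`.

```php
<?php
/*
 * Plugin Name: Example security headers
 * Description: Added example, not DigiMed's plugin. Drop into wp-content/mu-plugins/
 *              to send the hardening headers described above on every response.
 */

// Returns the header set as an array so it can be reviewed (or unit-tested)
// separately from the code that actually emits it.
function example_security_headers() {
    $csp = implode( '; ', array(
        "frame-ancestors 'self'",   // only this site may frame its own pages (clickjacking)
        "object-src 'none'",        // refuse <object>/<embed> plugin content
        'block-all-mixed-content',  // no HTTP resources on HTTPS pages
    ) );

    return array(
        'Content-Security-Policy'   => $csp,
        // Legacy equivalent of frame-ancestors for browsers without CSP support.
        'X-Frame-Options'           => 'SAMEORIGIN',
        // Stop the browser guessing a file's type from its bytes.
        'X-Content-Type-Options'    => 'nosniff',
        // Other domains see only the origin, never the full URL (less data leakage).
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
        // One year of HTTPS-only, including subdomains (prevents downgrade attacks).
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    );
}

// Emit the headers just before WordPress starts output.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return; // too late to add headers; nothing to do
    }
    foreach ( example_security_headers() as $name => $value ) {
        // Browsers ignore HSTS received over plain HTTP, so only send it on HTTPS.
        if ( 'Strict-Transport-Security' === $name && ! is_ssl() ) {
            continue;
        }
        header( $name . ': ' . $value );
    }
} );
```

Two practical notes. First, a site's caching layer or CDN may strip or override headers set in PHP, so the check that matters is what the browser actually receives: `curl -sI https://your-site.example/` and look for each header in the output. Second, `block-all-mixed-content` is the directive the package describes, but browsers now treat it as deprecated in favour of `upgrade-insecure-requests`, which rewrites HTTP resource URLs to HTTPS instead of blocking them; a practitioner would confirm which one the installed plugin emits.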
To get started with our website hardening plan contact our team today.
“Let DigiMed further protect your website with our website security packages.”