The security threat that we can’t protect you from
Cybercriminals are changing their tactics. It’s no longer enough to rely on strong passwords alone—keeping your data safe from the latest security threat requires more from you.
Aisling Smith
Can you imagine the panic you’d feel seeing your email address and password floating around publicly on the internet? Your heart rate and stress levels would likely rise through the roof as you wondered how many people had come across the information and whether anyone had already used it to log into one of your accounts. Then you’d have to scramble to do damage control.
For too many unlucky folks, this became a reality last month when cybercriminals dumped billions of credentials onto Telegram (a messaging app). Soon after it occurred, it was brought to our attention that this chaotic mess of data even included user access information for several Cliniko accounts.
These credentials weren’t stolen due to Cliniko being breached—be assured that our systems remain as secure as ever. These data leaks occurred due to “infostealers”, a kind of malware that’s currently on the rise. As soon as we learned about this incident, we immediately checked the affected accounts to ensure that no unauthorised access had occurred and notified the account owners, so no harm was done—this time. But the threat remains very real and with infostealers becoming more common, this kind of data theft is going to keep happening.
So here’s everything you need to know about infostealers and how to avoid falling victim to them.
What is malware?
Infostealers are a specific kind of malware. Malware is a blended word for “malicious software” and refers to invasive programs that run on your computer without your consent and cause harm. It's the calling card of cybercriminals and exists in many different forms, with the ultimate aim of letting attackers extort money from you or steal your sensitive information. The access that malware provides can also be used as a stepping stone to break into the networks of the organisations you work with.
Malware can get onto your computer through spam emails and attachments, fake or pirated software downloads, or even by visiting the wrong website, so it's important to be extremely careful about what you click on and what you install. Don't open attachments from people you don't know, be cautious about following links, and only install software from sources you trust.
What are infostealers?
While infostealers aren't new, they're currently back in the spotlight. They get onto your computer the same way other malware does, but what sets an infostealer apart is what it does next: rather than encrypting your files or wrecking your machine, it quietly goes through the places where your computer stores valuable data, above all the files in which your web browser keeps saved passwords, cookies and autofill details, and copies them out.
Your browser's saved data is a goldmine for an infostealer. It can recover any usernames and passwords you've saved to the browser, your cookies (the small files that keep you logged in to websites), autofill entries such as addresses and card details, and your browsing history; some also record what you type into forms. This is one of the most insidious things about infostealers: they're excellent at capturing credentials, which is a big deal, because your usernames and passwords are extremely valuable to cybercriminals. They feed another kind of attack called “credential stuffing”, where an email address and password leaked from one place are tried automatically against many other websites, on the bet that you've reused the same password elsewhere.
Infostealers are hard to detect, and you won't necessarily know that you've been compromised. Everything they collect is bundled up and sent back to the attacker controlling the infostealer, who might use it themselves, sell it to other cybercriminals, or dump it somewhere public like Telegram. Stolen cookies are a particular worry: a copied login cookie can let someone straight into an account you were already signed in to, without ever entering your password.
What happens if my account information ends up in a data dump?
The consequences of a security breach can be far-reaching, especially when you work in allied health. A breach has implications for the confidentiality of your patients’ digital records, your professional reputation, your finances, and potentially your compliance with privacy regulations. At a minimum, it will cost you time and money to resolve.
Having strategies in place to help defend yourself against security breaches can save you a lot of problems down the road!
What tools can I use to protect my accounts?
Don't just rely on a strong password
Until now, a strong and unique password has been an excellent first step to keeping you safe—and we’ve always encouraged this when we’ve spoken about security hygiene.
Whilst this is still a wise move and good protection against some attacks, if your computer is infected with an infostealer, a strong password won't make one iota of difference. You could have the most original and unguessable password on the planet, and if it's saved in your browser the infostealer would still be able to harvest it.
Part of good security is being adaptable, as best practices are always changing, and it’s now clear that to be truly protected, you’ll need to have additional security measures in place beyond just a solid password.
Enable MFA on your Cliniko account
So, if strong passwords alone are no longer enough to protect your data, what should you do instead?
The good news is that multi-factor authentication (MFA), also known as two-factor authentication (2FA), can help considerably.
If you’ve read our security articles before, you’ll know that we love MFA (and love to talk about it!). But there’s a reason why we bang on about it so much—MFA gives you a powerful extra layer of protection that no other security process can match.
MFA requires anyone trying to access your account to prove more than just knowledge of your password; they also need to enter a short-lived code from a second device that you've nominated (like your phone or your iPad). That's an additional barrier that's extremely effective against stolen passwords: even if an infostealer has lifted your password from your browser, whoever ends up with it won't have your phone, so they can't produce the code. One caveat: MFA protects the log-in, not a computer that's still infected. If you learn that you've been hit by an infostealer, you still need to clean the machine, change your passwords from a device you trust, and sign out of any sessions that are still open.
Enforce MFA across your team
Like a parent insisting that the kids finish their broccoli, if you’re an administrator of a Cliniko account, you can require all your team members to enable MFA. This is an easy way to ensure that everyone at your practice is doing their bit for data security. Sometimes people tell us that enabling MFA feels like a nuisance, but it doesn’t need to be. If you use the same browser on the same device, you’ve got an option to keep yourself logged in and we’ll only ask you to enter MFA codes once every 30 days. And surely the security of your patient data is worth those few extra seconds that it will occasionally take to log in!
Don't stop with Cliniko
We highly recommend that you enable MFA anywhere it’s available (your bank, phone company, utilities, booking sites you use, etc.). Anytime MFA is offered, jump at the chance to set it up! A breach in one place that results in your credentials getting leaked ultimately makes you vulnerable elsewhere. When it comes to security, you’re only as strong as your weakest link, so it’s worth taking seriously everywhere—not just with your patient data at work.
Check whether your email address might have been involved in a breach
It's a good idea to regularly check your email address(es) on Have I Been Pwned. This website tells you if your email address has appeared in any known incident where data has been publicly exposed, with the date and details of each breach, so you can take steps to protect yourself. You can also subscribe to the site's notifications, which will alert you to any future breaches that affect you. Many password managers (iCloud Keychain, for example) do a related check automatically, warning you when a password you've saved shows up in a known leak.
That being said, it’s still possible that your data could have been exposed in a breach even if your email address doesn’t show up on Have I Been Pwned—a data dump you’re exposed in might be new or flying under the radar.
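The email search above is a website lookup, but the automatic password monitoring that password managers do uses a related Have I Been Pwned service, Pwned Passwords, designed so the password itself never leaves your device: only the first five characters of its SHA-1 hash are sent, the service returns every known hash suffix under that prefix, and the match is made locally. The following Python is an added example, not Cliniko's code and not anything from Have I Been Pwned; it runs offline against a constructed stand-in response (the suffixes other than the first, and all counts, are made up), with a live `fetch_range` helper that talks to the real endpoint included for actual use.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_matches(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many times
    the full hash has been seen in breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Only the 5-character prefix is transmitted;
    Add-Padding asks the service to mix in dummy entries so response size leaks less."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "infostealer-article-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup=fetch_range) -> int:
    """Number of times `password` appears in known leaks; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_matches(suffix, lookup(prefix))


# Constructed stand-in for the response to prefix 5BAA6, which is the prefix of
# SHA-1("password"). Only the first suffix is real; the second suffix and all
# counts are made up, and the all-zero line imitates a padding entry (count 0).
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
    "00000000000000000000000000000000000:0\r\n"
)


def sample_lookup(prefix: str) -> str:
    """Offline substitute for fetch_range; returns an empty range for any other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", pwned_count("password", sample_lookup))
    print("long unique passphrase ->", pwned_count("correct horse battery staple 7!", sample_lookup))
```

A non-zero count means the exact password has been seen in a leak and should be changed everywhere it's used; a zero only means it isn't in the corpus yet, which is the same limitation as the email search.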
As security threats continue to evolve, our preventative measures need to stay up to date to match them. We hope this advice gives you some ways to evaluate what you’re currently doing and tweak your processes if necessary.