The Essential 8: what are they and why should I care?

We’re in an age where cyber security is everyone’s responsibility. However, when you take a realistic look at the number of cyber security professionals over the last few years, it’s growing at a rapid rate of 30% plus per year, which is four times faster than the average employment growth of all occupations in the United States.

Interestingly, this will see Australia short of around 50% of cyber security needs over the next four years, and in the US there will be a shortage of 3.5 million professionals compared to what the market actually needs over the next 12-24 months. If we add to this the fact that almost half of the Australian industry has no more than five years in the industry there is absolutely reason for concern.?

Healthcare remains the most affected industry for data breaches around the world, as well as the costliest with 2022 research showing healthcare had the highest average data breach cost of any industry for the twelfth year in a row. With this in mind, it’s imperative that you are putting the cybersecurity in place to protect the systems, processes, people and patients within your practice. For ensuring continued vigilance, all cybersecurity practices should also be implemented in parallel with the introduction of a strong security culture focus and regular training and education.

So, how can GPs maintain a strong cyber security profile while doing their day job successfully? Enter the Australian Cyber Security Centre (ACSC)’s Essential 8.

What is the Essential 8?

Over a decade ago, Chris Brookes and the team at the Australian Signals Directorate (ASD) ACSC published a list of 35 strategies to support cyber and IT professionals in mitigating cyber incidents. These mitigations have evolved into a schema of prioritisation according to their effectiveness and assigned one of the following categories: ‘Limited’, ‘Good’, ‘Very Good’, ‘Excellent’ and ‘Essential’. I’m sure you can guess where I’m going with this; of the 35 items, four were identified as ‘Essential’, later evolving to eight. Hence, the Essential 8.

What are they?

It’s important to note that while only eight were identified as ‘essential’, organisations should review all 35 strategies to understand if they should be mapped against their organisational make-up and industry.

Here’s a rundown of the Essential 8:?

#1 – Application control

A staggering 94% of cyberattacks in Australia which have targeted small and medium sized businesses have focused on desktops, laptops or servers, and involved the execution of code that was not identified by anti-virus software.

The application control mitigation strategy ensures your organisation is using practices that limit applications running on devices to only a list of allowed applications. This prevents the possibility of malicious software being run. This practice is also known as whitelisting - restricting applications being installed or enabling these to be better managed through application management software.

#2 – Patch applications

A software patch is released by a vendor when changes are applied to update, fix or improve an application, and this can include fixing security vulnerabilities.

There are plenty of vulnerability and patch management tools on the market which can help you keep track of potential vulnerabilities that may impact your organisation. These tools ensure devices on your network remain up-to-date with the right security software and measures, and do so within a reasonable timeframe, and can also remove end of life software. You should ideally look to patch extreme risk vulnerabilities within a 48-hour period to keep your applications safe from intruders.

#3 – Patch operating systems

This essential strategy is similar to the previous one, however this focuses on the operating systems that support the devices on your network. For Microsoft users, ‘Patch Tuesday’ occurs each week, and monthly security updates are usually performed on the second Tuesday of each month (US time zone).

For example, the May 2023 patch performed on Microsoft’s operating systems contained 38 security vulnerabilities across the Microsoft Windows operating systems, and six of those were considered ‘critical’ as they allowed remote code execution, the most severe type of vulnerability.

Again, the recommendation is to apply patches to extreme risks vulnerabilities within a 48-hour period, however I also recommend testing these patches before network deployment to ensure that they don’t halt critical business operations in the process.

There will be times where your operating system moves to extended support or end of life, in which case patches won’t be released and it’s time to upgrade the operating system completely. Ensure you check your operating system provider website or IT provider for this information, however it’s strongly recommended to refrain from using operating systems which are no longer supported.

#4 – Multi-factor authentication (MFA)

Authentication can be used by your practice to ensure you are who you say you are, and to ensure you have the right level of access. Multi-factor authentication takes this to the next level by asking the user to validate themselves using at least two methods of authentication. For example, a password and authentication app, or biometrics such as a fingerprint.

Access to internet-facing services, privileged sites or confidential and/or sensitive information should be protected using MFA, and both successful and unsuccessful authentication attempts should be logged with alerts when signs of compromise are detected.

If you have a spare five minutes, you could assess how exposed your existing credentials may be through cybercrime analytics website SpyCloud.

#5 – Configure Microsoft Office macro settings

A Microsoft Office macro is a small program designed to automate repetitive tasks in Microsoft Office applications for creating efficiencies and saving time such as creating tables or applying formatting layouts within Microsoft Word. These macros can be shared widely, even globally; however, when a Word document from outside the organisation is received, it may contain malicious code exposing devices to unwanted cyber attention or risk.

If you believe users do not require certain macros, you should disable their ability to install and use these macros. You should also only use macros which have been digitally signed by a trusted partner or have been sent from a trusted location.

#6 – User application hardening

This mitigation strategies focuses on assessing whether all hardware (e.g. laptops, desktops, devices) have the correct applications to enable the end user to carry out work activities effectively and efficiently.

Considering the majority of breaches are caused by human error, user application hardening aims to minimise access to and actions users can take with applications on their hardware. This could include ensuring only those who critically need access to financial information can view this.

You could consider removing or restricting applications that are no longer needed (for example unused browsers), restricting irrelevant processes or content, disabling unnecessary features (for example PDF viewers), and enabling a high level of monitoring and detection around these events to identify if there are signs of compromise.

#7 – Restrict administrative privileges

This mitigation strategy also focuses on which users can access tasks, and access and view network locations, applications and software, and the extent to what they can do when using these (for example, editing or deleting information).

Configuring roles and permissions appropriately within your practice ensures the right people can view and access the right information.

Administrators will often have highly elevated privileges to applications and software, and this should be configured appropriately to trained and experienced individuals. This should also be reviewed regularly for validation and appropriate access, and all events and activity should be monitored and logged. Due to the high-level access administrators often have, they should avoid accessing the internet and their email when logged into hardware with their administrative credentials.

#8 – Regular backups

This one’s a no brainer – safely actioning regular online and offline backups?of data, in particular sensitive, confidential or important data, is critical to safeguarding your practice in the event of a breach. It’s important that any backups are performed in line with the most recent legislation surrounding data handling and privacy.

If your practice has critical applications and configurations, you can also perform backups on software and configuration settings. The frequency and retention of backups usually depends on your practice’s business model, infrastructure and budget for doing this, however it would be good practice to perform daily backups. Retention of backups would usually be around a three-month period.

If you do carry out backups within your practice, it’s worthwhile testing these to ensure data can be restored appropriately. Rehearsal activities should be on separate systems and practise at regular intervals.

How do I know if we meet these?

The ACSC has created a Maturity Model which allows you to self-assess your security measures and determine how sufficient the mitigations you have in place are. Maturity levels range from ‘zero’ (least mature, high-risk cyber security posture) to ‘three’ (highly mature cyber security posture with strong mitigations and supporting tools in place).

How do I approach this?

As with any framework or model, it’s important to take a risk-based approach for determining what your ‘high risk’ areas are and how these can be solved.

Your risk appetite and security posture will determine the number of remediations you may need to implement for safeguarding your practice. It is also recommended to speak with your IT support network and suppliers around the security robustness of critical applications and infrastructure to ensure all organisations involved in delivering healthcare in your practice are on the same page.

Remember, context is everything and patient care and preserving life is our priority, but it must be balanced with effective and outcome-driven considerations for security.

To find out about cybersecurity software designed for medical practices, you could check out MedicalDirector Shield.