Cybersecurity and Technical Patient Privacy Protection.

Abstract

Plastic surgery offices are subject to a wide variety of cybersecurity threats, including ransomware attacks that encrypt the plastic surgeon's information and make it unusable, as well as data theft and disclosure attacks that threaten to disclose confidential patient information. Cloud-based office systems increase the attack surface and do not mitigate the effects of breaches that can result in theft of credentials. Although employee education is often recommended to avoid the threats, a single error by a single employee has often led to security breaches, and it is unreasonable to expect that no employee will ever make an error. Recognition of the 2 most common vectors of these breaches-compromised email attachments and surfing to compromised websites-allows the use of technical networking tools to prevent both email attachments from being received and employee use of unsanctioned and potentially compromised websites. Furthermore, once compromised code has been allowed to run within the office network, that code must necessarily make outbound connections to exploit the breach. Preventing that outbound traffic can mitigate the effects of a breach. However, most small office network consultants design firewalls to only limit incoming network traffic and fail to implement technical measures to stop the unauthorized outbound traffic that is necessary for most network attacks. The authors provide detailed techniques that can be used to direct information technology consultants to properly limit outbound network traffic as well as incoming email attachments.