An Analysis of Cybersecurity Practices in the Healthcare Industry

Humans or HIPAA?

When it comes to healthcare organizations addressing the HIPAA compliance of their business, many feel prepared and comfortable, readily checking that “compliant” box. But addressing the human part of security too often falls by the wayside. Compliance and cybersecurity, which includes human security, both need to be part of your overall strategic plan.

“If I have security, I’m OK with compliance, right?” No, but you’re not alone in assuming that addressing one will take care of the other. It is an easy mistake to make, and one that many healthcare businesses do make. Compliance and cybersecurity work together to keep you up, running and protected from both a technical and a federal-regulations standpoint, but they address different components.

When This Doesn’t Mean That

HIPAA compliance takes care of the laws and regulations that you need to adhere to. Cybersecurity addresses the gaps or weaknesses in a business that make that entity vulnerable to hackers. If a breach occurs, your HIPAA compliance will be reviewed by government agencies to make sure you were in accordance with the rules, and this will protect you legally in some respects. So, in this regard, they work together to protect you, but cybersecurity must be your first line of defense.

With cybercriminals putting an ever-increasing value on healthcare data, the target on the business’s back gets bigger every day. Right alongside those increased values is a matching rise in the number of data breaches each year. Healthcare data sells for 10-20 times what stolen credit card numbers bring, so where do you think hackers are focusing? Just like most businesses, they go where the money is. To add to the damage being done, they are not just focused on data theft, but also on overall disruption of the business through targeted employee attacks.

Healthcare must begin to look at cybersecurity with the same reverence it holds for HIPAA compliance. Protecting your business and patient data should be an effort that combines both strategies. If your IT provider isn’t discussing this with you, it doesn’t mean that they aren’t doing it already, but don’t assume. Ask questions, work together and make a plan that secures your business as a whole, not just segments of it.

The post Compliance & Cybersecurity Go Hand-In-Hand appeared first on HIPAA Secure Now!.

Tax Security 2.0: The Taxes-Security-Together Checklist

It seems like everyone is getting on board with cyber security, and for good reason. Bad actors (hackers) are getting more and more sophisticated, and we as business owners need to make a change. Bad actors know how to get around most of the tools we use to stop them because the tools are so outdated. Anti-virus and firewalls have been around for over 30 years without much change to the process of stopping attacks. The biggest reason is that, from the beginning, security was never meant to be a set-it-and-forget-it matter; that mindset is wrong. We need a layered approach to security, and this is what’s missing, especially in small businesses.

Most small businesses have the mindset “if I get the latest antivirus and firewall I’m good” or “my IT provider has me covered”. This is all wrong thinking; you need to have the mindset that they can get in, and that they may already be in and you just don’t know it yet. Usually when a ransomware attack happens, it is after a hacker has already been in your system for a while; the ransomware is their parting gift. You must create policies and procedures that you continuously evaluate, at least every six months. You also need to continuously train your employees, not just with an annual training; that doesn’t work anymore. Every 39 seconds there is an attempt to break into a computer, and these attacks are performed by sophisticated AI robots, not individuals, so they never tire, so you must put your best foot forward.

 

The IRS has created Tax Security 2.0 – A “Taxes-Security-Together” Checklist

Leaders from the IRS, state tax agencies and the tax industry today called on tax professionals nationwide to take time this summer to review their current security practices, enhance safeguards where necessary and take steps to protect their businesses from global cybercriminal syndicates prowling the Internet.

Take a look at this video and see how the IRS is stepping in and urging tax professionals of all sizes to take this seriously.

 

It is starting to become the LAW; no more are the days of just installing an antivirus and hoping for the best. Now the government is starting to step in and force companies to do more, to step up their efforts, and if you don’t there are hefty fines to pay and, in some cases like HIPAA, jail time.

So I urge all of my fellow business owners, office managers and the like: take this seriously, and don’t just think that this will pass someday, because it won’t; it’s getting worse.

HIPAA – Then & Now

The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).

With good intentions, HIPAA set forth to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required much different security measures than what we see today.

23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.

The Digital Age

Today, the chances of you finding a healthcare provider that still relies on paper records is slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.

Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.

Hackers Exploiting Healthcare

According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.

So, why are hackers setting their sights on healthcare organizations? There are several reasons.

PHI yields high profits on the dark web. Where credit card information can quickly become worthless to cybercriminals, PHI is another story. Not only can healthcare breaches go undetected for sometimes lengthy periods of time, the data that is compromised in one is not something that the affected individual can easily change, like a birth date for example.

Hackers also know that the healthcare industry historically underinvests in IT security and training. What does this mean for a cybercriminal? Lack of IT resources often means poor security: perhaps no firewall, outdated systems, no anti-virus, and more. In addition, lack of employee training means employees are ill-equipped to handle a cybercriminal’s malicious attempts at gaining access to the sensitive information they are expected to safeguard.

Furthermore, with the vast technology and highly connected systems used in the healthcare industry, one attack on a small system could lead to detrimental consequences for an organization. Cybercriminals know that organizations rely on these systems, and thus, suspect that attacking them may give them what they’re hoping for, like in a ransomware attack for example – pay the ransom and regain access to your systems, or ignore this request and lose your data.

Acknowledging the Cybersecurity Problem

With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from cybercriminals?

Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), who is responsible for enforcing HIPAA, hasn’t completely ignored the issue at hand.

In December 2018, HHS issued cybersecurity guidelines in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS is well aware of the cybersecurity issues surrounding the healthcare industry.

In addition to the cybersecurity issues plaguing healthcare, protecting consumer data in general has become a hot topic with the passing of the EU’s General Data Protection Regulation (GDPR). While Congress has tossed around the idea of federal privacy legislation that would create a unified privacy law, there are no real signs of that being carried out anytime soon.

How Do We Fix This?

  1. Don’t wait around for a regulation. We cannot wait around for HIPAA to change, nor for Congress to pass a federal law to better protect the privacy of patients and consumers.
  2. Take a look around. It is critical for Covered Entities and Business Associates to tightly examine the patient data they are protecting. Cybercriminals don’t just seek financial information, but rather information that could yield a large profit for them. Information such as a birthdate, a Social Security number, or anything in between can prove to be more valuable. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
  3. Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
  4. Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussion that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
  5. HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.

Technology will continue to advance, and hackers will continue to do the same with their skill. It is up to us to continue to evolve our cybersecurity practices, which in turn will help better protect PHI.

 

The post Why We Need to Go Beyond HIPAA appeared first on HIPAA Secure Now!.


Identity Theft Programs Enable You to Defend Yourself from Identity Theft

Because of the rise in identity theft incidents reported each year, many organizations are running their own identity theft programs to educate citizens on fighting this malicious crime. Since becoming a victim of identity theft can be a life-altering experience, both emotionally and financially, learning how to prevent this crime through identity theft programs can help you and your family live a normal, happy life without someone else meddling with your personal information.

Even though the government has worked around the clock to fight identity theft, catching these criminals can take years, and sometimes they live out their lives without ever being caught. For this reason, various private and public institutions with identity theft programs, such as the Federal Trade Commission’s “AvoID Theft: Deter, Detect, Defend”, are educating individuals on avoiding identity theft while offering help to those who have been victimized.

FTC’s National Identity Theft Program

Because the United States has the highest rate of identity theft compared with other countries, the FTC has worked full-time to distribute online and printed informational materials to make sure all consumers know about this crime. With more than 20 million copies of the information guide distributed, the FTC identity theft program is reaching one household at a time to reduce the occurrence of identity theft in the country.

Private organizations that help consumers fight identity theft are also using the FTC identity theft program to empower citizens to protect themselves from the damage caused by this crime. The “Deter, Detect and Defend” program educates people and links with other organizations in both the public and private sectors, including law enforcement agencies, consumer groups, federal agencies and other trade associations, to give consumers options on where to ask for help.

The FTC identity theft program releases an information kit for organizations fighting identity theft that includes a how-to guide with instructions on educating consumers, to help organizations run outreach programs. It also includes a brochure these organizations can easily reproduce to give to people who attend workshops and education sessions. To capture the amount of damage identity theft can cause in a person’s life, a ten-minute video of victims is also included in the program to explain to people how they can fight this crime.

Using the FTC identity theft program can help other organizations hold workshops and distribute educational materials about fighting identity theft. Since education is the only real key to avoiding this crime, consumers can now be aware of how to spot these problems and take immediate action if they become a victim of identity theft.

 


This isn’t something you can pencil in and get to when you have time, cyber maintenance has to be something you commit to. We all have those moments when we realize that we had the best intentions to stick with something, but its priority fell by the wayside. We start off strong, then taper off until we forget completely.

When it comes to your cybersecurity, there isn’t a shortcut or short-term guide to safeguarding your information and identity, so taking time to address it is not only necessary, it is going to pay off in the long run.

Sharpie this in

Book time on your calendar in the way you would for personal or home maintenance.  You schedule haircuts and change the batteries in smoke detectors, so consider establishing the same type of habits when it comes to your online information.

Take this time to update passwords, ensure that your software is all updated to the latest version, and that you have two-factor authentication enabled wherever it is an option. Call your credit card companies and ask about their security policy: do they have methods in place to protect you from being hacked? Enabling alerts on purchases and payments via text or email will help you tackle any issues immediately rather than long after the damage has been done.

The bottom line is that you need to take time out of your schedule to deal with this. It’s not always convenient and it’s not always what you feel like doing, but you need to make it as much as a priority as any other maintenance in your life.

The post Make Time for Cybersecurity appeared first on HIPAA Secure Now!.


 

In 2018, 71% of ransomware attacks targeted small businesses, according to a report by Beazley Breach Response Services. It’s clear that small businesses are a cybercriminal’s favorite target, yet many remain unprepared to handle a cyber-attack.

Is it that small businesses don’t care about cybersecurity?

It wouldn’t be fair to make that assumption; however, small businesses do often overlook cybersecurity concerns. This could be the result of many different things. For example, small businesses often do not have the resources to dedicate to cybersecurity. In fact, some of those businesses don’t have a dedicated IT individual/company at all. In some instances, small businesses may be carrying the “it won’t happen to me” mentality, despite plenty of statistics stating that small businesses are the most susceptible to a cyber-attack. And then there is the complexity of the topic. Many organizations don’t understand cybersecurity. Mix the lack of understanding with the other reasons that cybersecurity is often overlooked, and it’s easy for small businesses to put it on the back burner and forget about it.

Out of sight, out of mind

Another reason it’s hard to get organizations to care about cybersecurity is that “if they can’t see it, it isn’t there”. It’s easy to take physical security of your organization seriously. You know that you must lock the office door when you leave, or that leaving medication unlocked and unsupervised could lead to its disappearance.

Unfortunately, cybersecurity doesn’t work the same way. Organizations can be told about cybersecurity risks and best practices, but not being able to physically see the danger makes it difficult to care or prioritize those safeguards above others. Think about it, you’ve used the same password for everything, for years. It’s not a difficult password so it’s easy for you to remember. You’ve heard that complex passwords are important, and you know you should never use the same password across multiple accounts, but you’ve been doing this for years and nothing bad has happened, so it’s probably not a concern for you. Cybersecurity is often out of sight, out of mind.

Healthcare organizations are especially vulnerable

The healthcare industry is the industry most targeted by cybercriminals. Many of the reasons for this are the same reasons that attackers target small businesses. Healthcare organizations also see a lot of turnover, which to cybercriminals could translate into new employees to target, many of whom may not be properly trained.

The value of healthcare data to a cybercriminal is also unparalleled. Medical records bring in big bucks on the dark web, allowing these attackers to see large returns for even just one successful attack.

Don’t wait till it’s too late

The worst mistake you can make is to think you’re not at risk, or not think cybersecurity is a high enough priority to do something about it. Small businesses need to take what we’ve learned about cybercriminals targeting them as a warning and act before they too become another statistic.

Cybersecurity tips

1. Recognize You’re a Target – First and foremost, you must accept that you are a target for cybercriminals. Every organization, small or large is a target and no industry is off limits. If cybercriminals see value in attacking your organization, they will.

2. Security Risk Assessment – It’s important to understand where your organization’s security gaps are. Perform a Risk Assessment to determine what safeguards should be in place but are not. For example, policies, data backup procedures, inactivity timers on your computers, etc.

3. Security Awareness Training – Employees must be trained on cybersecurity and understand how to spot malicious attempts made by cybercriminals. Employees should know how to spot a phishing email and the dangers of clicking attachments or URLs within emails, as these are common methods for a hacker to get in.

4. Complex Passwords – Passwords must be complex, reasonably long (at least 10 characters), and different across all accounts. Simple passwords can easily be cracked by cybercriminals through a brute-force attack, putting your entire organization at risk. Using repeat passwords across various accounts is also dangerous since one compromised password could give a hacker access to all your accounts.

5. Use a Password Manager – Managing several difficult passwords can be a difficult task, but password security should not be compromised for convenience. Using a password manager is a great way to ensure all passwords are secure. The best part is, you only need to remember one master password.

6. Enable Two-Factor Authentication – Sometimes referred to as 2FA, or multi-factor authentication, two-factor authentication is another layer of security for accessing your accounts, aside from you entering your credentials. 2FA requires a second form of authentication for you to successfully log in. For example, you may have to enter a 6-digit code sent to you via a text message to prove it is really you who is trying to log in.

7. Perform Updates – Ensure your software is being updated when updates become available. Software updates are often issued to fix a vulnerability found in the software. Not performing updates can often leave you susceptible to attacks that could have been prevented.

8. Regularly Back Up Your Data – Do not underestimate the importance of routinely backing up your data. A cyber-attack could occur at any minute, and when it does, your data could be at risk. If your data becomes inaccessible or corrupt, through a ransomware attack, for example, you’ll need to be able to get that data another way: from your backups.

9. Audit accounts for suspicious activity – Make sure you’re performing audits on your systems. For example, if you have an EHR, you should be auditing it regularly, looking for unusual activity such as logins after hours or users accessing abnormal numbers of medical records. If inappropriate activity is occurring, the quicker you catch it the better off you’ll be.

10. Cyber Insurance – As cybercriminals continue to become more sophisticated, attacks will continue to occur. It’s no longer a matter of if your organization will be attacked, but when. Security incidents are incredibly costly, sometimes putting organizations out of business. Costs could include a breach coach, forensics, breach notification, credit monitoring, crisis management, and more. Verify that your organization has cyber insurance (this coverage is often not included in your standard policy) to protect you in the event of a security incident.
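As an added example (not code from the original post or from any EHR vendor), here is a small Python audit over constructed EHR access-log lines that checks the two patterns tip 9 names: logins after hours or on weekends, and users viewing far more patient records than their peers. The log format, user names, clinic hours and thresholds are assumptions.

```python
"""Audit constructed EHR access-log lines for the two patterns named in
tip 9: logins after hours or on weekends, and users who view far more
patient records than their peers. (Added example; log format, user names
and thresholds are assumptions, not any vendor's real audit format.)"""
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample log. Format: ISO timestamp,user,event,patient_id
# 2019-06-03 is a Monday; 2019-06-08 is a Saturday.
SAMPLE_LOG = "\n".join(
    [
        "2019-06-03T08:02:11,nurse.kim,LOGIN,-",
        "2019-06-03T08:05:40,nurse.kim,VIEW_RECORD,P1001",
        "2019-06-03T08:09:02,nurse.kim,VIEW_RECORD,P1002",
        "2019-06-03T08:30:15,nurse.kim,VIEW_RECORD,P1003",
        "2019-06-03T09:00:00,dr.patel,LOGIN,-",
        "2019-06-03T09:10:00,dr.patel,VIEW_RECORD,P1001",
        "2019-06-03T09:20:00,dr.patel,VIEW_RECORD,P1004",
        "2019-06-03T09:25:00,dr.patel,VIEW_RECORD,P1005",
        "2019-06-03T09:40:00,dr.patel,VIEW_RECORD,P1006",
        "2019-06-03T22:15:03,billing.lee,LOGIN,-",  # 10 pm login
        "2019-06-08T10:00:00,dr.patel,LOGIN,-",  # Saturday login
    ]
    # billing.lee then pulls 40 different charts in 40 minutes
    + [f"2019-06-03T22:{m:02d}:00,billing.lee,VIEW_RECORD,P{2000 + m}" for m in range(16, 56)]
)

BUSINESS_START = time(7, 0)   # assumed clinic hours: 07:00 to 19:00
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Turn the comma-separated lines into dicts; skip blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "patient": patient})
    return events


def after_hours_logins(events, start=BUSINESS_START, end=BUSINESS_END):
    """Return (user, timestamp) for LOGIN events on a weekend or outside
    the start..end window, in log order."""
    flagged = []
    for e in events:
        if e["event"] != "LOGIN":
            continue
        weekend = e["ts"].weekday() >= 5  # 5 = Saturday, 6 = Sunday
        t = e["ts"].time()
        if weekend or t < start or t >= end:
            flagged.append((e["user"], e["ts"].isoformat()))
    return flagged


def excessive_record_access(events, factor=3.0, minimum=10):
    """Count distinct patients viewed per user and flag anyone above
    factor x the median of all users, but only once they pass an absolute
    floor (minimum) so a tiny clinic with two users does not alert on 4 vs 3."""
    per_user = defaultdict(set)
    for e in events:
        if e["event"] == "VIEW_RECORD":
            per_user[e["user"]].add(e["patient"])
    counts = {u: len(p) for u, p in per_user.items()}
    if not counts:
        return {}
    baseline = median(counts.values())
    return {u: n for u, n in counts.items() if n >= minimum and n > factor * baseline}


def audit(text):
    """Run both checks over raw log text; the result is what a reviewer would look at."""
    events = parse_log(text)
    return {"after_hours_logins": after_hours_logins(events),
            "excessive_access": excessive_record_access(events)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_LOG).items():
        print(check, hits)
```

On the constructed log this flags the 10 pm and Saturday logins and the one user who viewed 40 charts against a median of 4; tune the hours, factor and floor to your own practice before relying on it.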

The post 10 Cybersecurity Tips for Small Businesses appeared first on HIPAA Secure Now!.


Warning – You’ve Been DataMined!

 

 

It affects vast numbers of people every day while we are blissfully unaware.

Today’s high-tech world is drowning in data but starved for understanding. Data mining is the search for meaningful patterns and trends. It has also been called the poor stepchild of statistical analysis.

To give you an example: you go to the store to buy food and you use your store card for discounts and fast checkout. This gives the store a record of how often you shop, what foods you like and at what prices; in this case it is a win-win situation. This continues throughout your day as you visit the bank, the mall, the gas station, and so on.

However, data is increasingly collected without your knowledge or consent. “Black boxes” the size of cigarette packs have been installed in 40 million vehicles to monitor speed, seatbelt use, and more. Only 5 states currently require that the buyer be advised of this fact.

The trade-off is that someone has a record of where and when you drive, what you eat, what over-the-counter medications you buy, whether or not you smoke, where you fly and with whom, what you like to read and watch, and what you spend money on.

Any one item is not invasive, but when birth certificates, credit histories, property deeds, military records, and insurance claims are pulled together it paints a very intimate picture. Add to the mix that the average person is seen by surveillance cameras 75 times a day.

In the past decade an explosion of technology has occurred, and the pressing appetite of marketers for details about consumers has made data collection less voluntary and more worrisome.

Data mining is big business. Companies vacuum up data from private and public records, aggregate it, analyze it and then sell it to buyers ranging from private companies to the CIA. If an error exists you have no knowledge of it, so it cannot be fixed.

Data thefts are rising; those affected include banks, credit card companies, and the biggest of the data brokers, ChoicePoint. When their records were breached they left millions of people vulnerable to identity theft.

In conclusion, technology is here to stay and we love convenience, but we must be aware and remain vigilant. In fact it is time for Congress to step up and do the job of producing a basic bill of rights for personal information. This would give us necessary protection.

 

Identity Theft: Is There Hope for Victims?

 

 

One of the less well-known sources of identity theft comes from none other than your credit card company, or some other source of a data leak; in addition, Visa fines processing companies for breaches of security rather than helping the affected company improve its security. Most of the bigger companies are indeed secure, but a security breach can happen to the most secure of companies. You can never be completely protected from identity theft, and you certainly do not want your good credit at risk.

There is a truly amazing number of data breaches each year, from a multitude of sources. The figures below were obtained from the Identity Theft Resource Center, a nonprofit organization supported by a grant from the U.S. Department of Justice through the Office for Victims of Crime; they do not publish any information that is not verified.

 


 

Here are a few statistics for 2018 of exposed records (total number of records exposed per sector):

Banking/Credit/Financial: 1,709,013

Business: 415,233,143

Education: 1,408,670

Government/Military: 18,236,710

Medical/Healthcare: 9,927,798

Total number of records exposed: 446,515,334

You’ve certainly heard of all the firms that promise or even guarantee to protect your identity. They often include different levels of insurance, from $10,000.00 to a cool million, in case your identity is stolen. They will pay a million if you can convince them to their satisfaction that you suffered a million or more in losses due to the identity theft, but beware: some major companies limit their liability to expenses incurred legally or through other services THEY deem necessary due to the failure or defectiveness of their service. In almost any case they will generally pay only for legal costs or other charges associated with the failure of their service. The price of these programs varies depending largely on the amount of insurance, so if you choose to use one of these to help protect your identity, inspect the guarantee carefully.

 

Identity theft basics

Identity theft is one of the latest buzzwords in our society in recent times. Identity theft refers to hiding one’s original identity and unlawfully misusing another person’s identity. The person pretending to be someone else tries to make money at the expense of others and makes abusive use of a fake identity. The occurrence of this type of crime has increased partly because of the expansion of our communication networks, where people interact with or learn about the mere existence of someone else but have never met them in person. Since you do not recognize the other person by looks, it is easier for identity thieves to step into someone else’s shoes and gather vital information for their own selfish motives. Identity theft also occurs from a distance, when somebody calls or talks to another person simply to gather some private information and then misuses the information provided.

The emergence of the Internet, apart from providing many facilities and being a blessing for people, has also added a great deal to this already established crime.

With more and more business houses using the Internet and computerized systems for their official work, an increased quantity of significant data is now available on the web. Apart from obtaining vital statistics about a corporate house or any important individual, identity thieves use disguises to fool others and obtain information such as a credit card number or a Social Security number. Theft of a credit card number and Social Security number can lead to great loss and trauma for the victim, because the offender can use the credit card to withdraw money from the victim’s account, and crimes committed by the criminal can be attributed to the victim since the criminal was using a fake identity of someone else.

This growing type of crime has raised the concern of many, and people are now finding ways to combat such malicious actions that cause loss to innocent citizens. Apart from following the general instructions and relying on social systems to prevent such crimes, certain individual efforts are also needed to protect oneself from identity thieves. One must be careful not to provide any private information on the Internet or other public communication systems that can be accessed by anybody. Only after thorough verification should some information be shared, and only if it is very urgent. Also, one should not rely on other people without careful verification of the identity of the other party.

It is a matter of great regret that such identity thieves many times bank upon the sentiments of good citizens and fool them to make fast money. Many such cases of false identity have been reported in the recent past where people pretend to be someone in great need of help, and when some virtuous person comes forward to help them they simply cheat others, making personal profit at the expense of others.

Recently, when the world was struck by the unfortunate natural disaster of the tsunami, aid from around the world poured in through every means. Government organizations of the countries struck by this calamity set up websites to make people aware of the damage incurred and to collect aid from those who could contribute to the well-being of victims. Following the genuine websites, many fraudulent websites were also hosted at the same time to bank upon people’s sentiments for private interests. Such occurrences and many more make it a moral responsibility of every citizen to come forward and help in curbing this social crime.

 

A recent report by KLAS and CHIME looked at the cybersecurity practices of healthcare providers, based on recent guidance issued on cybersecurity practices in the healthcare industry. The results? Although some best practices seem to be on the radars of organizations of all sizes, overall findings suggest that small practices have some work to do.

In their white paper, KLAS and CHIME look at a document recently released by the 405(d) Task Group, which was put together by the Department of Health and Human Services (HHS) following the Cybersecurity Act of 2015. The document, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), outlines 10 cybersecurity practices that organizations should focus their attention on. Remember, don’t just take your IT service provider’s word for it on whether your practice is “ALL GOOD” or not; I have heard it all before, only to find out later that things were different. Have your practice assessed by an outside company. This is the only true way to know where you stand, and to know how resilient you are against business interruptions, regardless of whether the cause is a cyber attack or a system outage. You NEED to know so you can be prepared. This is called a Business Impact Analysis; it is not something that IT service providers do, so seek to have it done by a third-party professional.

10 Cybersecurity Practices

  1. Email Protection Systems
  2. Endpoint Protection Systems
  3. Access Management
  4. Data Protection and Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability Management
  8. Incident Response
  9. Medical Device Security
  10. Cybersecurity Policies

KLAS and CHIME used responses from over 600 providers gathered in the 2018 Healthcare’s Most Wired survey to assess how healthcare providers are doing in their adoption of these cybersecurity best practices.

How are organizations doing with their adoption of cybersecurity practices and how can you improve yours?

Below are the key findings laid out by KLAS and CHIME on how organizations are doing with the 10 cybersecurity practices recommended by the Task Group.

  1. Email Protection Systems – Practices of all sizes seem to be doing well with their email protection, with most organizations having deployed email protection systems.
  • Are you protecting your email? Email protection includes filtering and encryption services to help keep attackers out. With email being the most common attack vector, email protection is critical, but it is only one component of keeping attackers at bay when it comes to email threats.
  2. Endpoint Protection Systems – Similar to email protection, practices of all sizes are also doing well with deploying endpoint protection systems. It is worth noting, however, that 20% of small organizations have not implemented an intrusion-detection and prevention system (IDPS), an important first line of defense in protecting endpoints.
  • Are you protecting your endpoints? With mobility becoming more common in the workplace, it’s critical to ensure that ALL endpoints are properly protected. Endpoint protection includes antivirus, encryption, mobile device management (MDM), and more.
  3. Access Management – Most organizations acknowledged that they have adopted access management policies; however, less than half of small organizations have implemented multifactor authentication (MFA). There has been little adoption of adaptive/risk-based authentication among organizations of all sizes.
  • Are you managing access? Managing user access is critical, especially in the healthcare industry. As cybercriminals continue to target the healthcare industry, they will continue trying to crack employees’ credentials, send phishing emails, etc. It is important to make it difficult for attackers to get in, so implementing controls like MFA is critical.
  4. Data Protection and Loss Prevention – Data loss prevention (DLP) tools are in place for most organizations, including 70% of small organizations. All organizations stated that they back up their data; however, the majority do so offsite rather than in the cloud.
  • Are you addressing data protection and loss prevention? Patient data must be shared securely, meaning that data must always be protected, including at rest, in use, and in motion. Policies and procedures should be in place to address this process, which is the basis for DLP. Encrypting your data and ensuring you have backups available is essential for businesses of all sizes.
  5. Asset Management – The survey collected little information on how organizations are managing their assets; however, almost all respondents said they are properly disposing of devices with PHI.
  • Are you managing your assets? Knowing what devices are used within your organization is extremely important; however, simply tracking what devices you purchased is no longer enough. Organizations should know what operating system their devices are running, their MAC and IP addresses, locations, patching information and more. Policies should be in place that outline how you’re managing assets, including how you’re properly disposing of them when the time comes.
  6. Network Management – Nearly all organizations have network access controls (NAC) to monitor devices that are connected to the network. Organizations are doing well with firewalls and device security, which are widespread; however, less than half of small organizations reported having their networks segmented.
  • Are you managing your networks? Managing your network is incredibly important for keeping cybercriminals out. It is absolutely necessary for all organizations, regardless of size, to have their networks properly segmented, so that if an attack were to occur it would not spread to the entire network. In addition, protecting your network with firewalls and device security should be a top priority.
  7. Vulnerability Management – 90% of large organizations are running vulnerability scans at least quarterly, while 60% of small and medium-sized organizations are. Despite the Task Group recommending that large organizations run penetration tests, small organizations are more likely to do so. Some small organizations reported that resource constraints prevent them from involving multiple business units in their remediation.
  • Are you managing your vulnerabilities? Vulnerability scans will look for and identify vulnerabilities found within your organization. Adding penetration testing through internal or external teams will also help with your vulnerability management, allowing for a deeper look at your vulnerabilities. Policies should be implemented so that after you have conducted a vulnerability scan, you are prepared to prioritize and remediate the identified vulnerabilities.
  8. Incident Response – Most organizations have an incident response plan in place; however, only half of them conduct an annual enterprise-wide test to see if that plan is successful.
  • Do you have an incident response plan? Having an incident response plan is yet another critical cybersecurity practice for organizations of all sizes. This plan should include policies and procedures for handling an incident, quickly and efficiently isolating and mitigating security events, how to handle breach notifications, etc. In addition to having an incident response plan in place, it should be tested at least annually to verify that the plan works the way you intend it to.
  9. Medical Device Security – Medical device security was found to be a top security concern for survey respondents due to the challenges these devices present, such as their potential to be breached and put patient safety at risk. The top two security struggles identified with medical devices are out-of-date operating systems that cannot be patched and a lack of asset inventory due to the large number of devices that need to be secured.
  • Are you securing medical devices? Although it may be easier for small organizations to secure their medical devices due to a lower volume of devices and strong policies for doing so, organizations of all sizes should make this a priority. While it is difficult to do, do your best to keep an inventory of your medical devices and verify that the list is current. If a vulnerability is known for a device and you are aware of that device and its location, you can begin addressing that vulnerability.
  10. Cybersecurity Policies – Small organizations are less likely to have cybersecurity policies in place, such as dedicating an individual to be the chief information security officer (CISO), or a bring-your-own-device (BYOD) policy.
  • Do you have your cybersecurity policies in place? A strong cybersecurity program includes policies and the technology to support them. Don’t overlook the importance of implementing cybersecurity policies. KLAS and CHIME state, “While various policies underlie each of the previous nine cybersecurity practices, organizations’ overall security policies should include the following elements: proper classification of data; definition of roles and responsibilities within the organization (including proper governance); employee education; definition of acceptable data and tool usage; definition of proper use of personal and employer-provided devices; and creation of a cyber attack response plan.”
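The asset-management item (know each device’s OS, MAC, IP, location and patch state) and the medical-device item (unpatchable operating systems, no current inventory) describe the same practical need: an inventory you can query when a vulnerability becomes known. Below is an added example of such a check; it is not code from KLAS, CHIME or the HICP document, and every device record, end-of-support date and the assessment date in it is constructed for illustration.

```python
"""Added example (constructed data): per-device OS, MAC, IP, location and patch
state; flags EOL or unpatched devices, PHI-bearing first, with their location."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Assumed end-of-support dates per OS; replace with vendor lifecycle data.
EOL_DATES = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}
ASSESSMENT_DATE = date(2018, 10, 1)  # constructed "today" for the check

@dataclass
class Asset:
    name: str
    os: str
    mac: str
    ip: str
    location: str
    last_patched: date  # None when the vendor does not permit patching
    holds_phi: bool

def validate(asset):
    """Return record defects (malformed MAC or IP) so the inventory stays usable."""
    problems = []
    if not MAC_RE.match(asset.mac):
        problems.append("malformed MAC")
    try:
        ipaddress.ip_address(asset.ip)
    except ValueError:
        problems.append("malformed IP")
    return problems

def risk_findings(assets, today, max_patch_age_days=90):
    """Return (name, location, reason) for devices needing action, PHI devices first."""
    findings = []
    for a in sorted(assets, key=lambda x: (not x.holds_phi, x.name)):
        eol = EOL_DATES.get(a.os)
        if eol is not None and eol <= today:
            findings.append((a.name, a.location, f"EOL OS {a.os}: segment and isolate"))
        elif a.last_patched is None:
            findings.append((a.name, a.location, "unpatchable: compensating controls"))
        elif (today - a.last_patched).days > max_patch_age_days:
            findings.append((a.name, a.location, "patch overdue"))
    return findings

INVENTORY = [  # constructed sample records
    Asset("infusion-pump-12", "Windows XP", "00:1a:2b:3c:4d:5e", "10.20.1.12", "ICU bay 3", None, True),
    Asset("mri-console", "Windows 7", "00:1a:2b:3c:4d:60", "10.20.2.7", "Imaging", date(2018, 6, 1), True),
    Asset("break-room-tv", "Android", "bad-mac", "10.10.0.300", "Break room", date(2018, 9, 20), False),
]
```

Running `risk_findings(INVENTORY, ASSESSMENT_DATE)` lists the XP infusion pump (end-of-life, isolate it on its own segment) and the overdue MRI console, both with their locations, while `validate` catches the broken TV record before it pollutes the inventory.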

Although not all cybersecurity best practices are being ignored in the healthcare industry, it is safe to say that there is work to be done, especially within smaller organizations.

Remember, it’s not only the government and your state of compliance you need to worry about, it’s cybercriminals too.

For more information regarding the cybersecurity best practice guidance, put together by the Department of Health and Human Services, check out this recent webinar!

Or, if you need help implementing these measures, contact Sentree Systems, Corp. We have the expertise to get your practice in line before it’s too late.  317-939-3282 or sentree_support@sentreesystems.com. For more information and tips on what you can do, download our FREE report on how to minimize your risk of ransomware attacks.

The post An Analysis of Cybersecurity Practices in the Healthcare Industry appeared first on HIPAA Secure Now!.


Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282