Best Practices for Risk Management

HIPAA – Then & Now

The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).

With good intentions, HIPAA set forth to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required much different security measures than what we see today.

23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.

The Digital Age

Today, the chances of finding a healthcare provider that still relies on paper records are slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing simpler communication between patients and their providers, EMRs have changed the healthcare industry.

Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.

Hackers Exploiting Healthcare

According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.

So, why are hackers setting their sights on healthcare organizations? There are several reasons.

PHI yields high profits on the dark web. Where stolen credit card information quickly becomes worthless to cybercriminals once the card is cancelled, PHI is another story. Not only can healthcare breaches go undetected for lengthy periods of time, but the data compromised in one, a birth date or Social Security number for example, is not something the affected individual can easily change.

Hackers also know that the healthcare industry historically underinvests in IT security and training. What does this mean for a cybercriminal? A lack of IT resources often means poor security: perhaps no firewall, outdated systems, no anti-virus, and more. In addition, a lack of employee training means employees are ill-equipped to handle a cybercriminal’s attempts at gaining access to the sensitive information they are expected to safeguard.

Furthermore, with the vast amount of technology and the highly connected systems used in the healthcare industry, one attack on a small system could have detrimental consequences for an entire organization. Cybercriminals know that organizations rely on these systems, and thus suspect that attacking them will get them what they are hoping for, as in a ransomware attack: pay the ransom and regain access to your systems, or ignore the demand and lose your data.

Acknowledging the Cybersecurity Problem

With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from cybercriminals?

Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), who is responsible for enforcing HIPAA, hasn’t completely ignored the issue at hand.

In December 2018, HHS issued cybersecurity guidelines in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS is well aware of the cybersecurity issues surrounding the healthcare industry.

In addition to the cybersecurity issues plaguing healthcare, protecting consumer data in general has become a hot topic with the passing of the EU’s General Data Protection Regulation (GDPR). While Congress has tossed around the idea of federal privacy legislation that would create a unified privacy law, there are no real signs of that happening anytime soon.

How Do We Fix This?

  1. Don’t wait around for a regulation. We cannot wait around for HIPAA to change, nor for Congress to pass a federal law to better protect the privacy of patients and consumers.
  2. Take a look around. It is critical for Covered Entities and Business Associates to closely examine the patient data they are protecting. Cybercriminals don’t just seek financial information, but rather any information that could yield a large profit for them. Information such as a birthdate, a Social Security number, or anything in between can prove to be even more valuable. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
  3. Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
  4. Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussion that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
  5. HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.

Technology will continue to advance, and hackers will continue to do the same with their skill. It is up to us to continue to evolve our cybersecurity practices, which in turn will help better protect PHI.

 

The post Why We Need to Go Beyond HIPAA appeared first on HIPAA Secure Now!.


Identity Theft: Is There Any Hope for Victims?

One of the less well-known sources of identity theft is none other than your own credit card company, or any other company that suffers a data leak. Worse, Visa fines processing companies for security breaches instead of helping the affected company improve its security. Most of the larger companies are indeed secure, but a security breach can happen to the most reliable of companies. You can never be completely protected from identity theft, and you certainly do not want your good credit put at risk.

There is a truly staggering number of data breaches each year, from a multitude of sources. The figures below come from the Identity Theft Resource Center (a nonprofit organization backed by a grant from the U.S. Department of Justice through the Office for Victims of Crime), which does not publish any information that has not been verified.

 

Here are a few statistics for 2018 on exposed records, by sector:

  • Banking/Credit/Financial: 1,709,013
  • Business: 415,233,143
  • Education: 1,408,670
  • Government/Military: 18,236,710
  • Medical/Healthcare: 9,927,798
  • Total number of records exposed: 446,515,334


You’ve certainly heard of the firms that promise, or even guarantee, to protect your identity. They often include different levels of insurance, from $10,000 to a cool million, in case your identity is stolen. They will pay a million if you can convince them, to their satisfaction, that you suffered a million or more in losses because of the identity theft. But beware: some major companies limit their liability to expenses incurred for legal or other services that THEY deem necessary because of the failure or defectiveness of their service. In almost any situation they will generally pay only for legal costs or other charges associated with the failure of their service. The price of these programs varies, depending largely on the amount of insurance, so if you choose to use one of them to help protect your identity, inspect the guarantee carefully.

 

A recent report by KLAS and CHIME looked at the cybersecurity practices of healthcare providers, based on recent guidance issued on cybersecurity practices in the healthcare industry. The results? Although some best practices seem to be on the radars of organizations of all sizes, overall findings suggest that small practices have some work to do.

In their white paper, KLAS and CHIME look at a document recently released by the 405(d) Task Group, which was put together by the Department of Health and Human Services (HHS) following the Cybersecurity Act of 2015. The document, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), outlines 10 cybersecurity practices that organizations should focus their attention on. Remember, don’t just take your IT service provider’s word for it that your practice is “ALL GOOD.” I have heard it all before, only to find out later that it was not. Have your practice assessed by an outside company. This is the only true way to know where you stand and how resilient you are against business interruptions, whether from a cyber attack or a system outage. You NEED to know so you can be prepared. This is called a Business Impact Analysis; it is not something that IT service providers do, so have it done by a third-party professional.

10 Cybersecurity Practices

  1. Email Protection Systems
  2. Endpoint Protection Systems
  3. Access Management
  4. Data Protection and Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability Management
  8. Incident Response
  9. Medical Device Security
  10. Cybersecurity Policies

KLAS and CHIME used responses from over 600 providers gathered in the 2018 Healthcare’s Most Wired survey to assess how healthcare providers are doing in their adoption of these cybersecurity best practices.

How are organizations doing with their adoption of cybersecurity practices and how can you improve yours?

Below are the key findings laid out by KLAS and CHIME on how organizations are doing with the 10 cybersecurity practices recommended by the Task Group.

  1. Email Protection Systems – Practices of all sizes seem to be doing well with email protection, with most organizations having deployed email protection systems.
  • Are you protecting your email? Email protection includes filtering and encryption services to help keep attackers out. With email being the most common attack vector, email protection is critical, but it is only one component of keeping attackers at bay when it comes to email threats.
  2. Endpoint Protection Systems – Similar to email protection, practices of all sizes are also doing well with deploying endpoint protection systems. It is worth noting, however, that 20% of small organizations have not implemented an intrusion detection and prevention system (IDPS), an important first line of defense in protecting endpoints.
  • Are you protecting your endpoints? With mobility becoming more common in the workplace, it’s critical to ensure that ALL endpoints are properly protected. Endpoint protection includes antivirus, encryption, mobile device management (MDM), and more.
  3. Access Management – Most organizations acknowledged that they have adopted access management policies; however, less than half of small organizations have implemented multifactor authentication (MFA). There has been little adoption of adaptive/risk-based authentication among organizations of all sizes.
  • Are you managing access? Managing user access is critical, especially in the healthcare industry. As cybercriminals continue to target the healthcare industry, they will keep trying to crack employees’ credentials, send phishing emails, and so on. It is important to make it difficult for attackers to get in, so implementing controls like MFA is critical.
  4. Data Protection and Loss Prevention – Data loss prevention (DLP) tools are in place for most organizations, including 70% of small organizations. All organizations stated that they back up their data; however, the majority do so offsite rather than in the cloud.
  • Are you addressing data protection and loss prevention? Patient data must be shared securely, meaning that data must always be protected, including at rest, in use, and in motion. Policies and procedures should be in place to address this process, which is the basis for DLP. Encrypting your data and ensuring you have backups available is essential for businesses of all sizes.
  5. Asset Management – The survey collected little information on how organizations are managing their assets; however, almost all respondents said they are properly disposing of devices that hold PHI.
  • Are you managing your assets? Knowing what devices are used within your organization is extremely important, but simply tracking what devices you purchased is no longer enough. Organizations should know what operating system their devices are running, their MAC and IP addresses, their locations, their patching status, and more. Policies should be in place that outline how you’re managing assets, including how you’re properly disposing of them when the time comes.
  6. Network Management – Nearly all organizations have network access control (NAC) to monitor devices that connect to the network. Organizations are doing well with firewalls and device security, which are widespread; however, less than half of small organizations reported having their networks segmented.
  • Are you managing your networks? Managing your network is incredibly important for keeping cybercriminals out. It is absolutely necessary for all organizations, regardless of size, to have their networks properly segmented, so that if an attack were to occur it would not spread to the entire network. In addition, protecting your network with firewalls and device security should be a top priority.
  7. Vulnerability Management – 90% of large organizations run vulnerability scans at least quarterly, while only 60% of small and medium-sized organizations do. Despite the Task Group recommending that large organizations run penetration tests, small organizations are more likely to do so. Some small organizations reported that resource constraints prevent them from involving multiple business units in their remediation.
  • Are you managing your vulnerabilities? Vulnerability scans look for and identify vulnerabilities within your organization. Adding penetration testing by internal or external teams will also help with your vulnerability management, allowing for a deeper look at your vulnerabilities. Policies should be in place so that after you have conducted a vulnerability scan, you are prepared to prioritize and remediate the identified vulnerabilities.
  8. Incident Response – Most organizations have an incident response plan in place; however, only half of them conduct an annual enterprise-wide test to see whether that plan actually works.
  • Do you have an incident response plan? Having an incident response plan is yet another critical cybersecurity practice for organizations of all sizes. This plan should include policies and procedures for handling an incident, quickly and efficiently isolating and mitigating security events, handling breach notifications, and so on. In addition to having an incident response plan in place, it should be tested at least annually to verify that the plan works the way you intend it to.
  9. Medical Device Security – Medical device security was found to be a top security concern for survey respondents because of the challenges these devices present, such as their potential to be breached and put patient safety at risk. The top two security struggles identified with medical devices are out-of-date operating systems that cannot be patched and a lack of an asset inventory, owing to the large number of devices that need to be secured.
  • Are you securing medical devices? Although it may be easier for small organizations to secure their medical devices, given a lower volume of devices and strong policies for doing so, organizations of all sizes should make this a priority. While it is difficult, do your best to keep an inventory of your medical devices and verify that the list is current. If a vulnerability becomes known for a device and you know you have that device and where it is, you can begin addressing that vulnerability.
  10. Cybersecurity Policies – Small organizations are less likely to have cybersecurity policies in place, such as designating an individual as chief information security officer (CISO) or having a bring-your-own-device (BYOD) policy.
  • Do you have your cybersecurity policies in place? A strong cybersecurity program includes policies and the technology to support them. Don’t overlook the importance of implementing cybersecurity policies. KLAS and CHIME state, “While various policies underlie each of the previous nine cybersecurity practices, organizations’ overall security policies should include the following elements: proper classification of data; definition of roles and responsibilities within the organization (including proper governance); employee education; definition of acceptable data and tool usage; definition of proper use of personal and employer-provided devices; and creation of a cyber attack response plan.”

Although not all cybersecurity best practices are being ignored in the healthcare industry, it is safe to say that there is work to be done, especially within smaller organizations.

Remember, it’s not only the government and your state of compliance you need to worry about, it’s cybercriminals too.

For more information regarding the cybersecurity best practice guidance, put together by the Department of Health and Human Services, check out this recent webinar!

Or if you need help implementing these measures, contact Sentree Systems, Corp. We have the expertise to get your practice in line before it’s too late. Call 317-939-3282 or email sentree_support@sentreesystems.com, or, for more information and tips on what you can do, download our FREE report on how to minimize your risk of ransomware attacks.

The post An Analysis of Cybersecurity Practices in the Healthcare Industry appeared first on HIPAA Secure Now!.

The United States Is a Big Target for Cyber Attacks on the Energy Grid

The reports that came out of the recent 2018 Cybersecurity Summit, held at the Washington Post Live Center on Oct. 2, 2018, are terrifying. Every small business owner needs to seriously consider what would happen to their business if the energy grid goes down.

The War Has Already Started

Arthur H. House, Connecticut’s chief officer for cybersecurity risk, said that the state of Connecticut is already under attack. Connecticut utility companies experience more than a million probes of their operating systems every day from unauthorized users, including hostile foreign attackers. Those are only the probes that were detected and deterred; it is not known how many go undetected. What is known is that the number of daily attacks is rising sharply.

Expert Opinions are all Doom and Gloom

U.S. Homeland Security Secretary Kirstjen Nielsen referred to the Russian hacking efforts as preparing the battlefield for a major attack. Karen Evans, who is in charge of energy security and emergency response at the U.S. Energy Department, said that our electrical grid and energy infrastructure are the primary targets for hostile cyber attacks. General Petraeus, former CENTCOM commander and director of the CIA, said that if an extremist group obtains the ability to attack and shut down a major portion of the American energy grid and keep it down, this is the equivalent of being hit with a weapon of mass destruction.

Cyber Attacks are Worse than Natural Disasters

With a natural disaster such as a major hurricane, there is a limit to how long the event lasts. With a cyber attack on the energy infrastructure, the attacks may continue and return multiple times. They may begin in one part of the country and spread across the rest of it.

American small business owners need to plan for worst-case scenarios that do not rely solely on the local power grid. Sentree Systems helps clients with data protection by storing critical system backups off-site and in multiple redundant locations, which increases your chances of a faster and complete restoration. Alternative energy systems, such as solar panels paired with enough batteries for power storage, can also help lower these risks. Consult with Sentree Systems to make a plan for what you are going to do if the grid goes down.

 


Even though many companies may be working with smaller overall IT budgets, the portions of these IT budgets that are allocated towards security is increasing. This is happening because the perceived risks and the actual risks are growing dynamically. It is a matter of self-defense.

Avoiding Security System Sprawl and Gaps

It is important not to be wasteful in planning for IT security and make sure the application of budgeted funds is producing the best results. Security system redundancy and system sprawl across multiple networks are common problems. This not only costs a company more; it can actually increase the security risks that the security systems are trying to reduce.

Such wastefulness and any security gaps are uncovered by a comprehensive IT security review by Sentree Systems serving customers in Indianapolis and all across Indiana in cities and towns like Plainfield, Noblesville, Avon, Carmel, and Fishers.

Having Adequate IT Security Monitoring

This is achieved through a combination of outside consulting assistance from Sentree Systems working with in-house IT security staff. Monitoring is a 24/7 job that should never be neglected.

Best Practices for Managing IT Security Budgets

Using too many security solutions combined with a lack of properly-trained IT-security staff causes big problems. Instead, here are the best practices to follow:

  • Work with a single IT security vendor like Sentree Systems that provides a comprehensive solution.
  • Reduce redundancy in security systems to have a more cost-effective solution.
  • Conduct regular security audits to uncover problems proactively before a disaster occurs.
  • Make the security audit recommendations and fund them with the proper amount of budgeted support.

By working with a single-solution provider like Sentree Systems, a cost-effective security program can be put in place that reduces wastefulness and gets the job done. Email info@sentreesystems.com or call 317-939-3282 to schedule an IT security review.

Not all things need to be online. In fact, there are some systems and information that should never be online and instead be secured by a private offline network. This strategy is known as using an “air gap” between systems and the public Internet.

Improved Security Using Offline Systems

Using an offline network for critical-path functions and data security reduces the risk of a data breach. This is an excellent strategy; however, it is not 100% secure. In any security review, the IT security experts look at outward-facing systems that connect directly to the Internet, at opportunities to manage system networks offline to improve security, and at the risk of social engineering (“human engineering”) attacks, in which people are tricked into doing something that allows a security breach. Malware can also cross an air gap on removable media, so portable drives need the same controls as network connections. An air-gap strategy needs to be reinforced with increased personnel security, such as extensive background checks, limiting personnel access to systems, and physical security barriers around access to sensitive data.

Offline Protection of Personal Data

Any organization that handles personal data, such as credit card information or medical records, has a serious obligation to make sure the data is protected. Access to this information should be managed on a need-to-know basis. For example, credit card data only needs to be used for secured transactions; if a company stores it at all, that information should be kept offline and encrypted.

For medical records, there are severe penalties for data breaches under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In some cases, these penalties have been in the many millions of dollars. This means anyone handling such data needs to protect it like they are guarding the gold at Fort Knox. This is the kind of information that benefits from offline storage using a private network, with point-to-point information tunnels that pass data from one place to another only when it is encrypted in order to only permit authorized access to the data.

Conclusion

The risk of experiencing a data breach when there is unnecessary exposure of data to the public Internet can be better managed by taking the sensitive data offline.

Consult with Sentree Systems about how to manage an online presence combined with a private offline network for better security. Every business of any size can benefit from this approach.

The U.S. Department of Health and Human Services maintains a database that tracks every data breach of medical records where more than 500 records have been compromised. SafeticaUSA reports that, during 2016, the data breaches were caused by improper disposal of memory storage (2.3%), loss (5.4%), theft (19%), hacking (31.8%), and unauthorized access/disclosure of information (41.5%) by employees, which happens sometimes by accident.

Misuse of this information obtained by a data breach is rampant. Criminals can use this personal data in many nefarious ways including blackmail and identity theft. Businesses that do not protect personal and private data are liable for its misuse. They can face fines and civil lawsuits in the multiple millions of dollars.

The SafeticaUSA study noted that the average cost for a single data breach is $7 million and that 100% of businesses share business data in ways that are not safe. When employees leave a company, 87% of them take company data with them increasing risk exposure.


Indiana’s Data Security Record

In the SafeticaUSA study of medical record data breaches, which reviewed the incidents of 2016, California was the state with the largest number of incidents, followed by Florida, Texas, and New York. Indiana came in fifth place, with 12 major data breach incidents during 2016. In terms of the number of compromised private records, Indiana, with 257,174 records breached, was in tenth place among the states.

Conclusion

Data breaches are a serious problem that puts every business at risk. Personal medical records are very vulnerable and the dangers are increasing. Proactive strategies to reduce this risk include conducting a data security Risk Assessment, implementing a data loss prevention solution, and advocating that the best practices are used for data security by affiliates, contractors, and business partners.

Contact Sentree Systems for a Risk Assessment to improve security and reduce the chance of a serious data breach.

The beginning of a new year is a great time to have a comprehensive data security analysis and to create a new strategic data security plan. There is plenty to be worried about when it comes to data security. Data security is something that needs to be constantly monitored in order to be effective. New threats are coming up every day.

Luckily, a small-to-medium-sized business does not have to go at this alone. In fact, having a service contract with a specialist in data security is probably one of the smartest things a business can do.

Here are a few significant things to consider when making a strategic data security plan for 2018:

Internal Security Breaches

It does little to stop a security breach if the entire focus is on external attacks and the security breach comes from within. Authorized users have been known to simply make copies of sensitive data files and walk out the door with them. Disgruntled employees can wreak havoc on data security when leaving a job.

Best practices include using high-quality background checks, restricting access to data on a need-to-know basis, and being able to immediately terminate access for any user.

Ransomware

Ransomware is malware that, once a user runs it (typically from a malicious attachment or download), installs itself and encrypts the data on the system to lock users out. An extortion demand then follows: pay in an anonymous cryptocurrency such as Bitcoin to receive the decryption key. These demands range from a few hundred dollars to millions, and there is no guarantee that paying the ransom will get the data back.

Best practices to avoid this risk are to maintain frequent (ideally real-time) backups that are then kept in protected storage offline, where the malware cannot reach and encrypt them, and to test periodically that they actually restore. If a ransomware attack occurs, these backups can quickly bring the organization back to its current working status.
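An offline backup only helps if the copy you reach for has not itself been encrypted, truncated, or quietly altered, so the backup job should produce something a later restore can be checked against. The Python routine below is an added example, not code from the original post or from Sentree Systems: it archives a directory, writes a SHA-256 manifest to keep with the offline copy, and refuses to trust the archive unless both the archive hash and every file inside match the manifest. The sample files, directory names, and the simulated ransomware overwrite in `demo()` are constructed for the demonstration.

```python
"""Backup-and-verify routine for the offline-backup practice: archive a
directory, record a SHA-256 manifest to keep with the offline copy, and refuse
to trust a restore unless archive and contents match the manifest.
Added example; paths and sample files are constructed for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir and write a manifest beside it.
    Returns (archive_path, manifest_path). Both belong on the offline or
    write-once medium; the manifest is what a later verify is checked against."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    archive = dest_dir / (src_dir.name + ".tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    # Per-file hashes, keyed by path relative to the backed-up directory.
    files = {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*")) if p.is_file()
    }
    manifest = {"archive_sha256": sha256_file(archive), "files": files}
    manifest_path = dest_dir / (src_dir.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """True only if the archive hash matches the manifest AND every file inside
    matches its recorded hash. An archive that ransomware has encrypted or
    truncated fails the first check; a single altered file fails the second."""
    archive = Path(archive)
    manifest = json.loads(Path(manifest_path).read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Strip the top-level directory name that tar.add(arcname=...) prepended.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            with tar.extractfile(member) as f:
                seen[rel] = hashlib.sha256(f.read()).hexdigest()
    return seen == manifest["files"]


def demo():
    """Constructed sample: back up a small directory, verify it, then overwrite
    the archive the way ransomware would and verify again.
    Returns (clean_ok, tampered_ok)."""
    work = Path(tempfile.mkdtemp())
    src = work / "records"
    (src / "notes").mkdir(parents=True)
    (src / "patient.txt").write_text("constructed sample record\n")
    (src / "notes" / "n1.txt").write_text("constructed note\n")
    dest = work / "backups"
    dest.mkdir()
    archive, manifest = make_backup(src, dest)
    clean_ok = verify_backup(archive, manifest)
    archive.write_bytes(b"ENCRYPTED" + os.urandom(64))   # simulated ransomware damage
    tampered_ok = verify_backup(archive, manifest)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup verifies:", clean)
    print("overwritten archive verifies:", tampered)
```

The manifest has to live with the offline copy, not on the network share the archive came from; if an attacker can rewrite both, the check proves nothing. Running `verify_backup` on a schedule against the offline medium is the "test that it restores" step from the paragraph above, done cheaply and without a full restore.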

Two-Factor Authentication

All external-facing systems need a two-step authentication process, with a one-time use code as the second step. The benefit of this strategy in blocking unauthorized access is significant: a stolen or guessed password alone is no longer enough to log in. The way it works is that an authorized user logs in with a complex password, and then the second step sends a code to a secured mobile device that the person uses to complete the login process. Each code should be valid only briefly and only once. If the mobile device is lost or stolen, the device is revoked so that the second step can no longer be completed from it. One caveat: codes sent by text message can be intercepted through SIM-swap fraud, so where the system supports it, an authenticator app or hardware security key is the stronger choice.
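The server side of that second step is where the guarantees actually live: the code must expire, must work only once, must not be guessable by brute force, and must die with the device when the device is revoked. The Python class below is an added example, not code from the original post or from Sentree Systems, showing one way to implement those rules. The SMS transport is a placeholder callback (`send_sms`) rather than a real gateway, and the user name and phone number in the walk-through are constructed.

```python
"""Second step of a two-step login: issue a short-lived, single-use code to
an enrolled device, verify it server-side, and revoke the device on loss.
Added example; the SMS transport is a placeholder callback, not a real gateway."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code expires five minutes after it is issued
MAX_ATTEMPTS = 5         # after this many guesses the pending code is discarded


class SecondFactor:
    """Tracks each user's enrolled device and at most one pending code."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._devices = {}       # user -> phone number of the enrolled device
        self._pending = {}       # user -> {"digest", "expires", "attempts"}

    def enroll_device(self, user, phone):
        self._devices[user] = phone

    def revoke_device(self, user):
        """Lost or stolen phone: drop the device and any code still in flight,
        so the second step can no longer be completed from it."""
        self._devices.pop(user, None)
        self._pending.pop(user, None)

    def issue_code(self, user, send_sms):
        """Generate a fresh random code and hand it to the SMS transport.
        Returns False if the user has no enrolled device."""
        phone = self._devices.get(user)
        if phone is None:
            return False
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        # Only a hash is stored, so a leaked table does not hand out live codes.
        # A six-digit code is trivially brute-forced offline, though, so the
        # attempt limit below, not the hash, is what defeats guessing.
        self._pending[user] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send_sms(phone, code)
        return True

    def verify(self, user, submitted):
        """Return True exactly once for the right code, within its lifetime
        and attempt budget; every other outcome returns False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False
        digest = hashlib.sha256(submitted.encode()).digest()
        ok = hmac.compare_digest(digest, entry["digest"])   # constant-time compare
        if ok:
            del self._pending[user]   # single use: the same code never works twice
        return ok


if __name__ == "__main__":
    # Constructed walk-through with a fake SMS transport that just captures the code.
    outbox = {}
    sf = SecondFactor()
    sf.enroll_device("alice", "+1-555-0100")           # placeholder number
    sf.issue_code("alice", lambda phone, code: outbox.update(code=code))
    print("code delivered:", outbox["code"])
    print("first verify  :", sf.verify("alice", outbox["code"]))   # True
    print("replayed      :", sf.verify("alice", outbox["code"]))   # False
```

The password step and the user session are assumed to be handled elsewhere; this class only answers "did the second factor succeed, once, in time." Swapping the SMS callback for an authenticator-app check changes only `issue_code`, which is why keeping the transport behind a callback is worth it.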

Sentree Systems Corp. is a highly qualified data security consulting company that works with small businesses in Indiana, serving Indianapolis and the surrounding areas including Avon, Carmel, Fishers, Plainfield, and Noblesville. Every business should assume it has either been attacked, is being attacked, or will be attacked. Fast detection and swift response are the small business owner’s only defense. Contact us today to learn more about these strategies at www.sentreesystems.com

 


Data Security is improved by taking a data-driven approach that addresses security issues that are uncovered by a review of security risk data. For example, allowing employees to continue to use software that has known vulnerabilities, which has not had the most recent security patch applied, is a risk that is unnecessary.

Here are a few tips to improve Data Security by using a data-driven approach:

Conduct a Security Assessment and Implement Its Recommendations

It is surprising when an organization goes to the trouble of conducting a security assessment, which should be done on a regular basis, and then does not implement its recommendations. Executives may think that because the assessment was done, security has improved. An assessment rates the impact and likelihood of a compromise in the near future; it does not by itself stop a breach from happening. The next step, actually implementing the security upgrades, is just as important.

Monitor Data Security News Alerts

Setting up Google Alerts and keeping an eye on the latest data security news helps increase awareness of security issues. An example of a Google Alert is the name of a piece of software or an IT service combined with the phrase “security flaw.” There are also industry security news feeds that can be checked regularly, such as the Security News notifications in the Security Education Companion.

Organizations that do not have sufficient internal staff for these Data Security issues do well by contracting with an outsourced IT data security company to monitor them on behalf of the organization.

Be Proactive About Advanced Persistent Threats

Advanced Persistent Threats (APTs) are sustained, targeted intrusion campaigns by well-resourced attackers who aim to gain a foothold and keep it over a long period. Social engineering is commonly their way in: phishing sites that imitate legitimate ones to harvest credentials, email campaigns that get people to open attachments that are malware, or websites that load malware when a person visits them.


 



Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282