10 Cybersecurity Tips for Small Businesses

Campbell County Chaos

Hopefully, you didn’t have a doctor appointment in Campbell County, Wyoming recently. And if you had an emergency, perhaps you were not getting the immediate care you had hoped for when you showed up at the ER. It wasn’t a long wait in an overcrowded waiting room or overworked doctors running behind that caused the delay; it was hackers messing with your health. Ransomware was deployed sometime on Friday, September 20th, bringing several aspects of the electronic record-keeping process to its knees.

Medical professionals take an oath to protect and uphold your health – and many other things along that line.  But they are working against an invisible enemy and it’s not one that medicine can treat or prevent.  Hackers are hitting us where it hurts the most – healthcare.  While Campbell County does remain open and available to treat patients, their virtual hands are tied while the ransomware issue is addressed.

Patient Priority

Patient health is always a top priority and that remains the case at this facility.  But to maintain that, cybersecurity has to be put up there as a top priority as well.  If a medical facility wants to expand its ability to treat more patient issues, they add staff members that specialize in a particular area.  The time to add staff or have an ongoing relationship with your IT provider to support your business’s cybersecurity is NOW.  This role is not a one-time deal either.  This needs to be a full-time and ongoing part of running a safe and secure business not only to treat the health of the patients but also the health of the business.

The post Ransomware Chaos in Campbell County appeared first on HIPAA Secure Now!.

October 1, 2019 — HIPAA Secure Now! today announced its commitment to National Cybersecurity Awareness Month (NCSAM), held annually in October, by signing up as a Champion and joining a growing global effort to promote the awareness of online safety and privacy. NCSAM is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals committed to this year’s NCSAM theme of ‘Own IT. Secure IT. Protect IT.’ which encourages everyone to #BeCyberSmart through cybersecurity best practices.

“We are thrilled to be participating in National Cybersecurity Awareness Month as a 2019 Champion. We strive to provide our clients with the knowledge needed to not only detect cybersecurity risks but to combat them as well. This October, we are putting extensive focus on the importance of cybersecurity in hopes that it will make a lasting impact on our clients and our community all year long,” said HIPAA Secure Now! CEO, Art Gross.

Now in its 16th year, NCSAM continues to build momentum and impact with the ultimate goal of providing all Americans with the information they need to stay safer and more secure online. HIPAA Secure Now! is proud to support this far-reaching online safety awareness and education initiative which is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security.

“Cybersecurity is important to the success of all businesses and organizations. NCSA is proud to have such a strong and active community helping to encourage proactive behavior and prioritize cybersecurity in their organizations,” said Kelvin Coleman, executive director, NCSA.

For more information about NCSAM 2019 and how to participate in a wide variety of activities, visit staysafeonline.org/ncsam. You can also follow and use the official NCSAM hashtag #BeCyberSmart on social media throughout the month.

About HIPAA Secure Now!

Since 2010 HIPAA Secure Now! has been dedicated to helping clients protect protected health information, reduce the likelihood of a data breach and comply with HIPAA regulations. The company delivers comprehensive, affordable security and compliance solutions to healthcare practices and business associates.

HIPAA Secure Now!’s unique combination of employee training, security assessments, policies and procedures, combined with financial protection and breach response services, makes the company a leader in the HIPAA compliance and cybersecurity market, serving small and medium-sized healthcare practices and business associates.

About National Cybersecurity Awareness Month

NCSAM is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing NCSAM in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/ncsam or niccs.us-cert.gov/national-cybersecurity-awareness-month-2019.

About NCSA

NCSA is the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s core efforts include National Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group. For more information on NCSA, please visit https://staysafeonline.org/about/.

The post HIPAA Secure Now Joins Far-Reaching Initiative to Promote the Awareness of Online Safety and Privacy for National Cybersecurity Awareness Month appeared first on HIPAA Secure Now!.

Humans or HIPAA?

When it comes to healthcare organizations addressing the HIPAA compliance of their business, many feel prepared and comfortable, readily checking that “compliant” box. But addressing the human part of security falls by the wayside too often.  Compliance and cybersecurity, which includes human security, both need to be a part of your overall strategic plan.

“If I have security, I’m ok with compliance, right?”  No, but you’re not alone in assuming that addressing one will take care of the other.  It is an easy mistake to make, and one that many healthcare businesses too often make.  Compliance and cybersecurity work together to keep you up, running and protected from a technical and federal regulations standpoint, but address different components.

When This Doesn’t Mean That

HIPAA compliance will take care of the laws and regulations that you need to adhere to. Cybersecurity addresses the gaps or weaknesses in a business that make that entity vulnerable to hackers. If a breach occurs, government agencies will review your HIPAA compliance to make sure you were in accordance, and this will protect you legally in some respects. So, in this regard, they work together to protect you, but cybersecurity must be your first line of defense.

With an increased value being put on healthcare data by cybercriminals, the target gets bigger every day on the business’s back.  Right alongside those increased values is the matching rise in the number of data breaches each year.  Healthcare data is sold for 10-20 times that of stolen credit card numbers, so where do you think hackers are focusing?  Just like most businesses, they go where the money is.  To add to the damage being done, they are not just focused on data theft, but also overall disruption to the business with targeted employee attacks.

Healthcare must begin to look at cybersecurity with the same reverence it holds for HIPAA compliance. Protecting your business and patient data should be an effort that combines both strategies. If your IT provider isn’t discussing this with you, it doesn’t mean that they aren’t doing it already, but don’t assume. Ask questions, work together and make a plan that secures your business as a whole, not just segments of it.

The post Compliance & Cybersecurity Go Hand-In-Hand appeared first on HIPAA Secure Now!.

Remain Calm, Remain Honest – and Remain in Business

Avoiding the inevitable does not make it go away.

Healthcare patients choose a provider based on the quality of care.  In addition to that, the public will generally assume that their private information is safeguarded and not something that they need to verify or investigate before choosing that specific provider.  By alerting them to something they assumed to be a non-issue, it is understandable to be concerned about the loss of business.  However, credit reporting agency Experian has recently found that this churn can be kept to a minimum with the proper response plan.

In July 2019, Experian surveyed 1,000 adults in the United States and found that 90% of those surveyed would be somewhat forgiving if they were informed promptly as a result of an organized communication plan being in place by their provider.  Previous studies by Experian identify numbers that are more of a red flag to all parties.

It is in these studies that they found that only 34% of all breach response plans include some form of customer notification, and that such plans are in place at only 52% of companies. So, the few that are ideally prepared have a greater chance of survival, and those who aren’t prepared have a full stack of odds against them.

How Can the Risks Be Lowered?

Have a breach response plan in place.  This should be created by someone who knows their way around a breach and is ideally certified to assist with creating such a plan.  Additionally, have cyber insurance as part of your in-place plan.  This will allow you to call upon experts in the event that a (very likely) breach does occur.  And as we identified above, ensure that your breach plan includes client communication.

Even if you don’t have all of the answers immediately, letting them know that you are aware of the breach and will keep them updated will go a long way.  This increases the trust between you and your patients and makes it more likely that they will stay with your business following an incident.

66% of those surveyed would leave a practice due to slow or poor communication – don’t let this happen to your organization. It is better to be truthful up front than have to explain why you were dishonest in the past. People can accept mistakes, but they are less likely to accept being deceived.

The post Does Your Breach Response Plan Include Notification? appeared first on HIPAA Secure Now!.

A Toothache Beyond Repair

Hackers have used the very software that hundreds of dentists relied on to run their businesses to bring those businesses to their knees. A ransomware attack is responsible for shutting down computers at roughly 400 dental offices across the U.S. The Digital Dental Record and Wisconsin-based cloud services provider PerCSoft collaborated on DDS Safe, which was used by dental practices in the US for medical record retention and backup. Cybercriminals deployed REvil (Sodinokibi) ransomware via this application, demanding payment before the affected offices could regain access to their files.

As of today, we know that some companies did opt to pay the ransom while others wait for a decrypter to recover their encrypted files. The process has been slow, and some offices are finding it isn’t working at all.

REvil (Sodinokibi) ransomware is one of the most active and widespread ransomware strains seen this year, and this is the second time it has happened this summer. Earlier, in June, a group yet to be named was breached using the same strain.

Follow Up

Digital Dental Record learned of the breach on August 26th and took immediate action, but even a quick response couldn’t save the offices that were already infected.

This means that those offices are unable to run effectively while this situation is remedied, and some may run the risk of never fully recovering.

The Wisconsin Dental Association issued a statement confirming that DDS Safe remains a “WDA endorsed product” and that they are aware of the breach.

This likely isn’t the last story we’ll hear about a medical breach this week.  Numbers continue to rise, including the risk percentage that all providers face.  We must continue to educate ourselves on how to be proactive and not reactive as cybercrime is now an ongoing occurrence.

And above all, we need to acknowledge that even our best efforts do not remove the risk of others being less diligent in their practice of cybersecurity.

The post Ransomware Hits Hundreds of Dental Offices appeared first on HIPAA Secure Now!.

It’s a Fact

When you search for cyberattacks by vertical, healthcare is always among the top categories. The results can be filtered from there by the size of the business, whether enterprise or small to medium-sized establishments, but the information targeted is patient data.

Why?

Because who knows more personal information about you than your doctor? Likely, no one. And if that data can be accessed, it is like opening a treasure chest for a hacker. With so many ways to monetize that data, it can be an endless source of income via ransomware or sales on the dark web.

Back for More

With outdated and unsupported systems allowing easy access for hackers, the amount of PHI uncovered in a simple breach makes it a jackpot find. Not only are technical security gaps an easy entrance for cybercriminals into healthcare organizations, but poor employee cyber-hygiene makes it incredibly easy for hackers to find their way in. Once these databases go up for sale on the dark web, they are then used AGAIN by other cybercriminals for a second round of attacks, whether by reselling the patient data or by using administrative credentials to log in and hit the network with another breach.

This activity is not limited to US-based hackers either.  Foreign-based hackers have been found to target US healthcare networks in an attempt to blackmail them, as well as gain access to research data.  Not only does this pose a threat to the patient data, but to the United States medical industry in a different way.  If advances in treatment, prescription solutions, or any type of research is stolen and credited to another business entity or country, US-based businesses will suffer that loss financially or from lack of recognition.

What’s the Remedy?

Raising awareness, updating equipment, networks, software, etc. and addressing the risk of biomedical devices before they are in place – all are necessary.  We also need to continually address the human factor within healthcare organizations as it is proven time and time again that this poses one of the highest risks to any breach occurring.

The post Repeat Offender appeared first on HIPAA Secure Now!.

As many of you know, an Electronic Health Record (EHR) is a digital record of a patient’s paper charts, updated in real-time.  This is an incredible option to have in the world of medicine, where information can be exchanged between doctors as well as business associates. It also provides an incredible benefit to the patient, giving them the best and most appropriate care when needed.

Overall, it really is a great thing to have so much information at your fingertips. Unless that information gets into the wrong hands. Which is exactly what happened to Allscripts Healthcare, an EHR company used by a variety of businesses in the medical field, including hospitals, pharmacies and emergency service (ambulance) centers around the world.

Today Allscripts is working with the Department of Justice to pay $145 million in a preliminary settlement in response to an attack that exposed patient records which were thought to be safe in the cloud. They were in violation of HIPAA, the HITECH Act’s EHR incentive program, and the Anti-Kickback Statute in relation to Practice Fusion, the company Allscripts acquired in 2018. This settlement will release both companies from all criminal and civil liability related to the investigation surrounding them.

Unfortunately, they aren’t alone.  With the human component being the big risk factor in any organization, healthcare employs many, many people with patient access.  Each record is a gold mine for hackers, and therefore even one mistake can prove costly to an organization like we’re seeing with Allscripts.

How do we remedy this? The first and most important step is to cover your assets. Cyber insurance is going to increase your likelihood of surviving a breach, but once you have that end protection set up, get your employees trained. And then repeat the training. Conduct Security Risk Assessments at least annually, not only to comply with HIPAA but to identify security gaps which could leave your organization’s data up for grabs. Then, perform a vulnerability scan and find out if your system is as secure as you hope and believe.

Protection and prevention go hand in hand and in the world of healthcare, you can never have enough.

The post Allscripts to Pay $145 Million for Practice Fusion EHR Investigation appeared first on HIPAA Secure Now!.

We’re just past the midway point of the year, and if this were our own health report, we’d be failing miserably when it comes to data breach prevention.

According to a recent report from Protenus and Databreaches.net, over 31 million healthcare records were breached in the first six months of 2019.  That is double the amount of 2018.

The information in these breaches was not caught and remediated quickly either.  Patient data was ‘for sale’ and available for manipulation on the dark web for months before being discovered in the American Medical Collection Agency breach.  With a confirmed 20 million records having been affected, the fallout from that will reveal itself in all of the days and months ahead – if not years.

So how did we get here?

Some of these were insider jobs – in fact, 60 of the incidents were a result of that. That means that over 3 million records were exposed because of existing employees.  These aren’t the hackers lurking on the dark web or in airports stealing your Wi-Fi, these are KNOWN actors in a business.  Hacking accounted for 60% of all incidents.  This means that out of 168 data breaches, phishing took down 88 businesses, with ransomware and malware being deployed at 27 of those.

The statistics are staggering, but what is also something to take note of – aside from the revelation that insiders are putting your business at risk – is that it’s not direct healthcare entities that are always responsible.  Yes, providers reported 72% of the breaches, but it was also health plans and business associates that are contributing to the overall numbers.

What does this mean?

It means that we can stand by and watch the numbers continue to elevate, with the rate of increase continuing to double and triple, or we can rework our approach, attack and react. We’ve said it before, but every business owner, regardless of the vertical or channel in which they operate, needs to say, “It is no longer an option of IF I’m part of a breach, but a matter of WHEN I’m part of a breach.” Second to this must be the integration of cyber insurance into a business’s arsenal. Surviving the breach is one thing, but thriving afterward, and even during a breach, is another.

The post Halfway Health Check appeared first on HIPAA Secure Now!.


This isn’t something you can pencil in and get to when you have time; cyber maintenance has to be something you commit to. We all have those moments when we realize that we had the best intentions to stick with something, but its priority fell by the wayside. We start off strong, then taper off until we forget completely.

When it comes to your cybersecurity, there isn’t a shortcut or short-term guide to safeguarding your information and identity, so taking time to address it is not only necessary, it is going to pay off in the long run.

Sharpie this in

Book time on your calendar in the way you would for personal or home maintenance.  You schedule haircuts and change the batteries in smoke detectors, so consider establishing the same type of habits when it comes to your online information.

Take this time to update passwords, ensure that your software is all updated to the latest version, and confirm that you have two-factor authentication enabled wherever it is an option. Call your credit card companies and ask about their security policy and whether they have methods in place to protect you from being hacked. Enabling alerts on purchases and payments via text or email will help you to tackle any issues immediately rather than long after the damage has been done.

The bottom line is that you need to take time out of your schedule to deal with this. It’s not always convenient and it’s not always what you feel like doing, but you need to make it as much of a priority as any other maintenance in your life.

The post Make Time for Cybersecurity appeared first on HIPAA Secure Now!.


In 2018, 71% of ransomware attacks targeted small businesses, according to a report by Beazley Breach Response Services. It’s clear that small businesses are cybercriminals’ favorite target, yet many remain unprepared to handle a cyber-attack.

Is it that small businesses don’t care about cybersecurity?

It wouldn’t be fair to make that assumption; however, small businesses do often overlook cybersecurity concerns. This could be the result of many different things. For example, small businesses often do not have the resources to dedicate to cybersecurity. In fact, some of those businesses don’t have a dedicated IT individual or company at all. In some instances, small businesses may be carrying the “it won’t happen to me” mentality, despite plenty of statistics stating that small businesses are the most susceptible to a cyber-attack. And then there is the complexity of the topic. Many organizations don’t understand cybersecurity. Mix the lack of understanding with the other reasons that cybersecurity is often overlooked, and it’s easy for small businesses to put it on the back burner and forget about it.

Out of sight, out of mind

Another reason it’s hard to get organizations to care about cybersecurity is that “if they can’t see it, it isn’t there”. It’s easy to take physical security of your organization seriously. You know that you must lock the office door when you leave, or that leaving medication unlocked and unsupervised could lead to its disappearance.

Unfortunately, cybersecurity doesn’t work the same way. Organizations can be told about cybersecurity risks and best practices, but not being able to physically see the danger makes it difficult to care or prioritize those safeguards above others. Think about it, you’ve used the same password for everything, for years. It’s not a difficult password so it’s easy for you to remember. You’ve heard that complex passwords are important, and you know you should never use the same password across multiple accounts, but you’ve been doing this for years and nothing bad has happened, so it’s probably not a concern for you. Cybersecurity is often out of sight, out of mind.

Healthcare organizations are especially vulnerable

The healthcare industry is the most targeted industry by cybercriminals. Many of the reasons for this are the same reasons that attackers target small businesses. Healthcare organizations also see a lot of turnover, which could translate for cybercriminals into new employees to target, many of whom may not be properly trained.

The value of healthcare data to a cybercriminal is also unparalleled. Medical records bring in big bucks on the dark web, allowing these attackers to see large returns for even just one successful attack.

Don’t wait till it’s too late

The worst mistake you can make is to think you’re not at risk, or not think cybersecurity is a high enough priority to do something about it. Small businesses need to take what we’ve learned about cybercriminals targeting them as a warning and act before they too become another statistic.

Cybersecurity tips

1. Recognize You’re a Target – First and foremost, you must accept that you are a target for cybercriminals. Every organization, small or large is a target and no industry is off limits. If cybercriminals see value in attacking your organization, they will.

2. Security Risk Assessment – It’s important to understand where your organization’s security gaps are. Perform a Risk Assessment to determine what safeguards should be in place but are not. For example, policies, data backup procedures, inactivity timers on your computers, etc.

3. Security Awareness Training – Employees must be trained on cybersecurity and understand how to spot malicious attempts made by cybercriminals. Employees should know how to spot a phishing email and the dangers of clicking attachments or URLs within emails, as these are common methods for a hacker to get in.

4. Complex Passwords – Passwords must be complex, reasonably long (at least 10 characters), and different across all accounts. Simple passwords can easily be cracked by cybercriminals through a brute-force attack, putting your entire organization at risk. Reusing passwords across various accounts is also dangerous, since one compromised password could give a hacker access to all your accounts.

5. Use a Password Manager – Managing several difficult passwords can be a difficult task, but password security should not be compromised for convenience. Using a password manager is a great way to ensure all passwords are secure. The best part is, you only need to remember one master password.

6. Enable Two-Factor Authentication – Sometimes referred to as 2FA, or multi-factor authentication, two-factor authentication is another layer of security for accessing your accounts, aside from you entering your credentials. 2FA requires a second form of authentication for you to successfully log in. For example, you may have to enter a 6-digit code sent to you via a text message to prove it is really you who is trying to log in.

7. Perform Updates – Ensure your software is being updated when updates become available. Software updates are often issued to fix a vulnerability found in the software. Not performing updates can often leave you susceptible to attacks that could have been prevented.

8. Regularly Back Up Your Data – Do not underestimate the importance of routinely backing up your data. A cyber-attack could occur at any minute, and when it does, your data could be at risk. If your data becomes inaccessible or corrupt, through a ransomware attack, for example, you’ll need to be able to get that data another way – from your backups.

9. Audit Accounts for Suspicious Activity – Make sure you’re performing audits on your systems. For example, if you have an EHR, you should be auditing it regularly, looking for unusual activity such as logins after hours or users accessing abnormal numbers of medical records. If inappropriate activity is occurring, the quicker you catch it, the better off you’ll be.

10. Cyber Insurance – As cybercriminals continue to become more sophisticated, attacks will continue to occur. It’s no longer a matter of if your organization will be attacked, but when. Security incidents are incredibly costly, sometimes putting organizations out of business. Costs could include a breach coach, forensics, breach notification, credit monitoring, crisis management, and more. Verify that your organization has cyber insurance (this coverage is often not included in your standard policy) to protect you in the event of a security incident.
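Tip 9 is the one most easily turned into a repeatable check. The script below is an added example, not code from HIPAA Secure Now! or from any EHR vendor: it parses a constructed, simplified audit log (the field layout, the 07:00 to 19:00 business-hours window and the flagging thresholds are all assumptions) and flags after-hours or weekend logins and users who pulled far more distinct patient records than their peers did that day.

```python
"""Detection logic for tip 9: find after-hours logins and abnormal record
access volume in an EHR audit log. Added example; the log format, the
business-hours window and the thresholds are assumptions, not any
vendor's real format."""
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample audit log, one event per line:
# <ISO timestamp> <user> <event> <patient record id or '-'>
SAMPLE_LOG = """\
2019-09-20T08:02:11 jsmith LOGIN -
2019-09-20T08:05:40 jsmith VIEW_RECORD P1001
2019-09-20T08:07:02 jsmith VIEW_RECORD P1002
2019-09-20T08:30:19 jsmith VIEW_RECORD P1001
2019-09-20T08:45:00 jsmith VIEW_RECORD P1003
2019-09-20T09:00:00 rlee LOGIN -
2019-09-20T09:02:00 rlee VIEW_RECORD P1004
2019-09-20T09:04:00 rlee VIEW_RECORD P1005
2019-09-20T23:41:05 tmoore LOGIN -
""" + "".join(
    # Constructed: tmoore opens twelve different charts just before midnight.
    f"2019-09-20T23:{42 + i:02d}:00 tmoore VIEW_RECORD P{1101 + i}\n"
    for i in range(12)
)

BUSINESS_START = time(7, 0)   # assumed clinic hours, 07:00 to 19:00 local
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Parse the whitespace-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event,
                       "record": None if record == "-" else record})
    return events


def after_hours_logins(events, start=BUSINESS_START, end=BUSINESS_END):
    """Return (user, timestamp) for LOGIN events outside business hours
    or on a weekend (Saturday/Sunday)."""
    flagged = []
    for e in events:
        if e["event"] != "LOGIN":
            continue
        t = e["ts"]
        if t.weekday() >= 5 or not (start <= t.time() < end):
            flagged.append((e["user"], t.isoformat()))
    return flagged


def daily_record_counts(events):
    """Count distinct patient records each user viewed per calendar day;
    repeat views of the same chart are not counted twice."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "VIEW_RECORD" and e["record"]:
            seen[(e["user"], e["ts"].date())].add(e["record"])
    return {key: len(records) for key, records in seen.items()}


def abnormal_record_access(events, factor=3.0, min_records=5):
    """Flag users who viewed more than `factor` times the median number of
    distinct records among all users that day, and at least `min_records`.
    The absolute floor stops a quiet day from flagging noise, and a lone
    user is never flagged because the median is then their own count."""
    by_day = defaultdict(dict)
    for (user, day), n in daily_record_counts(events).items():
        by_day[day][user] = n
    flagged = []
    for day, per_user in sorted(by_day.items()):
        baseline = median(per_user.values())
        for user, n in sorted(per_user.items()):
            if n >= min_records and n > factor * baseline:
                flagged.append((user, day.isoformat(), n, baseline))
    return flagged


def audit_report(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"after_hours_logins": after_hours_logins(events),
            "abnormal_record_access": abnormal_record_access(events)}


if __name__ == "__main__":
    for kind, hits in audit_report().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

In a real deployment the same two functions would run over the EHR's exported audit trail, with the business-hours window and thresholds tuned to the practice's actual schedule and staffing.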

The post 10 Cybersecurity Tips for Small Businesses appeared first on HIPAA Secure Now!.


Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.