October is Cybersecurity Awareness Month, a time to focus our efforts on fighting cybercrime and educating one another on keeping our personal and company data safe. The theme of Cybersecurity Awareness Month is "Do Your Part. Be Cyber Smart," and it encourages people and organizations to learn new security behaviors, strengthen behaviors they have already learned, and raise awareness about cybercrime threats. At OSIS, helping our Members protect extremely sensitive information is one of our highest priorities, and we maintain policies and procedures to ensure we exceed the standards set forth in the HIPAA Security Rule. In this post, we will discuss how practices can improve their cyber hygiene, resources that can help prevent a ransomware attack, and the preparation needed to make health centers cyber ready.
Be Cybersmart in Your Health Center
What exactly does it mean to be cyber smart? There is no formal definition, but in practice it means following good cyber hygiene. As a foundation, this next section covers some of the key attributes of good cyber hygiene that health centers can put in place to be cyber smart.
Protecting Your Accounts
Evaluating the password controls on your most critical accounts is a top priority in cyber hygiene. When creating a strong password, focus on complexity, and never reuse the same password across accounts. To help remember and manage passwords, we strongly recommend using a password manager like LastPass by LogMeIn to do the heavy lifting of creating unique and strong passwords.
Multi-factor Authentication (MFA)
Does your practice have Multi-Factor Authentication (MFA) in place, such as Microsoft Authenticator, to improve your network security? If not, this is another step practices can take to promote good cyber hygiene. Health centers face evolving cyberthreats that put patients and employees at risk. MFA provides an extra layer of identity security by requiring users to present a combination of factors, at least two, to authenticate their identity and gain access to a computer or device.
Protect Your Electronic Devices
Updating your devices regularly is another effective way to boost your cyber hygiene. Devices should be protected with anti-malware and antivirus solutions, and installing the updates these solutions recommend keeps that protection current. So, when it comes to updates, do not ignore the annoying little reminders that appear in the corner of the screen. They are important: they make your computers work better and add this additional layer of protection.
Device Encryption
Health organizations should always take the additional step of enabling encryption on devices that support it. If you do not know whether a device supports encryption, your IT department should be able to confirm that the devices you work with are encrypted. Device encryption protects data and is available on a wide variety of devices. When a device is encrypted, its data can only be accessed by authorized users.
It is important to know that good cyber hygiene habits help keep your network healthy. Health centers should conduct regular vulnerability scanning to identify and address potential risks, especially on internet-facing devices, to reduce the attack surface. Now that we have covered cyber hygiene, we would like to review the importance of learning about, and staying current on, ransomware and how it can affect health centers.
New Resource to Help Prevent Ransomware Attacks
Did you know a ransomware attack can cripple your entire practice and, more importantly, hold your data hostage? A ransomware attack occurs when attackers take control of data or computer systems and hold them hostage until a ransom is paid. This can put your patients at risk, prevent an organization from providing care in a timely manner, and lead to provider and staff burnout.
It is important to OSIS to provide helpful resources to our Members and Clients to help reduce cybercrime and protect their patients' personal health information (PHI). We recommend that the health centers we serve leverage Stop Ransomware, a new resource recently launched by the U.S. Government to help public and private organizations defend against the rise in ransomware cases.
This new resource is a whole-of-government approach that provides a single central location for ransomware resources and alerts. We encourage organizations to use this new website to understand the threat of ransomware, mitigate the risk, and know what steps to take next in the event of an attack. It includes ransomware alerts, reports, and resources from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other federal partners.
Below, we have compiled some mitigations and best practices against ransomware.
- Make sure software and operating systems are updated with the latest patches, and replace operating systems, applications, and hardware that are no longer supported.
- Never click on links or open attachments from unsolicited emails.
- Back up data on a regular basis and keep the backups on a separate device, stored offline.
- Report ransomware to federal law enforcement through the Internet Crime Complaint Center (IC3) or a Secret Service Field Office.
- Request technical assistance or provide information to help others by contacting CISA.
- Turn on strong spam filters to prevent phishing emails from reaching end users, and authenticate incoming emails.
- Restrict user permissions to install and run software applications, to prevent malware from running or to limit its ability to spread through the network.
- Configure firewalls to block access to known malicious IP addresses.
If your health center has experienced a ransomware attack or other cyber-related security incident, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights offers valuable resources that explain the steps a HIPAA covered entity should take in response to a cyber-related security incident. With the resources above, health centers can prepare for, and hopefully prevent, future cyber-attacks and make the organization cyber ready!
Prepare Your Health Center to be Cyber Ready
To help prepare health centers for a culture of cyber readiness, OSIS and Frost Brown Todd, LLC. partnered on an insightful session, Cybersecurity for Health Center Leadership, that gave health centers insight into and preparation for the very real threat of ransomware, so that an organization is ready should it come under attack. Reducing your organization's cyber risks requires a comprehensive approach, just like the approach taken to other operational risks. All cyber risks, including ransomware, matter because they can threaten an organization's ability to operate, the reputation of the practice, the bottom line, and ultimately the organization's survival. We recommend investing in the following essential elements to promote a culture of cyber readiness:
- Leaders: Drive cybersecurity strategy, investment, and create a secure culture.
- Users: Develop awareness and vigilance of security.
- Operations: Ensure your systems protect key assets and applications.
- Surroundings: Ensure only those assigned to the digital workspace have access to it.
- Data: The backups your organization relies on are crucial to operations.
- Crisis Response: Plan, prepare, and conduct cyberattack exercises, just as you would tornado or fire drills.
Investment in cybersecurity by a health center begins with leadership, which can drive the actions and activities that change your organization's culture. Cyber risk is a business risk, and reducing an organization's cyber risk requires awareness of the basics. Leaders must drive the approach to cybersecurity as they would with any other business risk. By taking the same comprehensive approach to cybercrime as to other operational risks, health centers can manage and use data more efficiently while also protecting it.
Resources:
Cybersecurity & Infrastructure Security Agency (CISA)