Every day brings a new story about hacking in healthcare. There are seven big healthcare hacking stories just this week, but next week will likely be the same.
And every other day, cybersecurity stories are happening in the wider world. Today the New York Times reports on the new era of government sponsored cyberattacks in international relations. The Chinese government is accused of hacking “governments and universities in a yearslong campaign to steal scientific research.” In April we wrote about Russian cyber attacks on the U.S.
On May 21, 2021, the White House issued a new Executive Order on Improving the Nation’s Cybersecurity.
The opening sentence of the Order:
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Cybersecurity risks are everywhere, and they are abundant and growing. This is the new normal and we need to adjust.
Act Now to Strengthen Your Own Cybersecurity
The good news is that there are simple defenses you can use today and tomorrow to greatly reduce your risk.
NOTE: These overlap with, but differ slightly from, the five best practices in the President's Executive Order mentioned above. Those five practices are critically important, but several take more effort than the quick-start suggestions below.
We still strongly recommend a full HIPAA Risk Analysis and follow-up Risk Management plan, but even if you’re not ready to do that, take these steps now.
- Data back-up
Current, offline backups matter most: if you can restore your own data, there is nothing to ransom. Experts recommend offline, encrypted backups and regular restore tests, because a backup that has never been restored is an assumption, not a defense. Offline storage is essential since many ransomware variants search for and delete or encrypt any backups they can reach, including network shares and cloud sync folders.
- Ensure anti-virus and anti-malware protection is up-to-date
This may seem obvious, but don't gloss over it. Verify that a) quality anti-virus/anti-malware software is installed on every system, and b) it is current: both the detection engine and its signatures update automatically, and the subscription has not lapsed. A lapsed subscription stops updating while the icon in the tray still looks fine.
- Improve password security
Start with a strong, unique password for every account; reuse is what turns one breached website into access to many. Remind the workforce that passwords are never shared, and never sent in an email or text. A password manager generates and stores unique passwords so nobody has to memorize them. Finally, turn on multi-factor authentication (MFA) wherever it is offered; it stops most attacks that rely on a stolen or guessed password.
- Patch and update software
Review all the software on your systems and separate two problems. Unpatched software is software the vendor has already fixed but you have not updated. End-of-life software is software the vendor no longer supports at all, so no security fixes are coming. In both cases the weaknesses in old versions are public and exploit code for them circulates, so attackers need nothing clever to get in. Replace end-of-life software with supported versions, and install vendor security patches on everything else promptly.
- Workforce security training
Phishing is one of the most common ways attackers gain entry, and a few basic habits defeat most of it. Show the workforce the common tricks, remind them to treat unexpected emails, attachments and links with suspicion, and have them confirm any request for credentials or payment through a second channel such as a phone call. HIPAA cybersecurity training should be delivered in short, memorable chunks tied directly to each person's responsibilities; make sure it's relevant.
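The backup item above calls for regular testing of backups; here is what that test looks like in practice. This is an added example written for this page, not code from the original post or from The HIPAA E-Tool: a POSIX shell script that writes a SHA-256 manifest next to a tar archive at backup time, then verifies the backup by actually restoring it into a scratch directory and comparing every file against the manifest. The sample files, archive and manifest names, and the function names (make_backup, verify_backup, backup_is_recent, run_demo) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a restore test for backups.
# Sample data, file names and function names are constructed assumptions.
# Writes a tar archive plus a SHA-256 manifest, then proves the backup is
# usable by restoring it to a scratch directory and checking every file.
# Works on Linux (sha256sum) and macOS (shasum).

set -eu

# SHA-256 of one file; GNU coreutils has sha256sum, macOS has shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_backup SRC_DIR ARCHIVE MANIFEST
# Records "hash  ./relative/path" for every file, then archives SRC_DIR.
# In real use both files go to offline media; the manifest travels with
# the backup so it cannot be lost or altered along with the host.
make_backup() {
    src=$1; archive=$2; manifest=$3
    : > "$manifest"
    ( cd "$src" && find . -type f | sort ) | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$src/$f")" "$f" >> "$manifest"
    done
    tar -C "$src" -cf "$archive" .
}

# verify_backup ARCHIVE MANIFEST
# A real restore, not just `tar -t`: extract into a scratch directory and
# compare every manifest entry. Returns 0 only if the archive extracts and
# every listed file is present with a matching hash; reports each problem.
verify_backup() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d)
    bad=0
    if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
        echo "RESTORE FAILED: $archive"
        rm -rf "$scratch"
        return 1
    fi
    while read -r expected path; do
        if [ ! -f "$scratch/$path" ]; then
            echo "MISSING: $path"; bad=1
        elif [ "$(sha256_of "$scratch/$path")" != "$expected" ]; then
            echo "CORRUPT: $path"; bad=1
        fi
    done < "$manifest"
    rm -rf "$scratch"
    return "$bad"
}

# backup_is_recent ARCHIVE MAX_MINUTES
# A backup that verifies but is weeks old still means losing weeks of
# records; succeed only if the archive was written within MAX_MINUTES.
backup_is_recent() {
    [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# run_demo: back up constructed sample data, verify it, then simulate a
# backup that no longer matches its manifest (one file changed, one file
# missing) and confirm the check rejects it. Returns 0 when the good
# backup passes and the tampered one fails.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/records"
    printf 'sample roster (constructed data)\n' > "$work/src/records/roster.txt"
    printf 'app.setting=1\n' > "$work/src/app.cfg"
    make_backup "$work/src" "$work/backup.tar" "$work/backup.sha256"

    ok=1
    verify_backup "$work/backup.tar" "$work/backup.sha256" || ok=0
    backup_is_recent "$work/backup.tar" 60 || ok=0

    # Tamper: alter one file, delete another, re-archive with the OLD manifest.
    printf 'app.setting=999\n' > "$work/src/app.cfg"
    rm "$work/src/records/roster.txt"
    tar -C "$work/src" -cf "$work/backup.tar" .
    if verify_backup "$work/backup.tar" "$work/backup.sha256"; then ok=0; fi

    rm -rf "$work"
    [ "$ok" -eq 1 ]
}

if run_demo; then
    echo "restore test passed: good backup verified, tampered backup rejected"
else
    echo "restore test FAILED" >&2
    exit 1
fi
```

The point is the restore: listing an archive's contents proves nothing about whether the bytes inside are intact or whether the restore tooling still works. Run the check against the offline copy itself, mounted read-only, since verifying the on-site copy says nothing about the one you would actually rely on after a ransomware incident, and keep the manifest with that copy rather than on the server the backup protects.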
Cybersecurity Resources Summary
One of the best resources on how to defend against ransomware is the new stopransomware.gov website hosted by the Cybersecurity and Infrastructure Security Agency (CISA), the one-stop shop for federal government resources on preventing, responding to and reporting ransomware. Also, read the May 2021 Executive Order.
To stay ahead of HIPAA requirements in healthcare, we recommend reading the Summer 2021 Cybersecurity Newsletter that came out last week from the Office for Civil Rights (OCR), the agency that enforces HIPAA. It discusses two elements of the HIPAA Security Rule, Information Access Management and Access Controls.
We’ve said it before, but believe in it strongly, so we repeat that the best defense against cybercrime is strong HIPAA compliance.
If you need help getting started, or you want a refresher course, give The HIPAA E-Tool® a call.