American security consultant and former con man Frank Abagnale once said, “Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively.”
Unfortunately, cybercrime is constantly evolving, and you need to be doing all you can to protect yourself and your company from it. One in three Americans is affected by cyber-related attacks every year, which equates to an attack every 35 seconds. Chances are that you or your practice have been compromised at some point. Protecting critical data is one of the biggest challenges a company will face. In healthcare, with the added requirements of HIPAA compliance and protecting PHI, your information security posture can easily be one of your most important business decisions.
Alarmingly, it is reported that over 75% of the healthcare industry has been infected with malware, and healthcare is among the top 5 industries attacked with ransomware. In 2018, hackers stole nearly 600 million personal records and overwhelmingly targeted healthcare practices, providers and medical manufacturers as the victims of their crimes.
Over 95% of all cybersecurity breaches are the result of human error. Bad actors always look for the weakest link and the highest-value targets as a point of infiltration. Owners, the C-suite, accounts payable accountants, and in the case of practices, the physicians as well as the billing administrator, are all considered valuable targets for the criminal looking for an opening to the data they want. Once they are in, however, most companies don’t even detect that they have had a breach for a mind-boggling 6 months.
Develop a human firewall
One of the most challenging parts of developing a security-minded focus in an organization is getting past the “this only happens to other people” or “this can’t happen to me” mindset. It is commonplace for people to believe that they are never sloppy and are always doing the right things. This is when most mistakes happen. From day one of employment onward, employees should be assimilated into a security culture. Everyone in the organization should be an integral part of the solution, lest they become the problem. Simple steps such as locking the computer when not actively working, changing strong passwords often, reporting suspicious emails, and questioning things such as requests for payment or anything that seems “out of place” should all be part of a daily routine, to the point of creating muscle memory.
Education and training for employees
Training and education are something that should always be done, and everyone in the organization needs to be involved in the process. Benjamin Franklin said it best: “Tell me and I forget, teach me and I may remember, involve me and I learn.” A good cyber posture, for any company, begins and ends with the employees. The threats are constantly evolving. As such, your education should always be current, relevant and constant. Consider things such as phishing tests and social engineering training with follow-up quizzes to stay sharp.
Limit network access
Flexibility and remote access can be very useful to employees. Network technologies such as instant messaging, file sharing, remote screen access and Bluetooth file dropping are also very popular. These tools are often assumed to be safe and convenient, but they are also fraught with security issues when not limited to the scope needed to complete business. The law requires that health care information be protected due to its sensitivity, so these technologies should be used with extreme caution. Practices with a solid security footing have taken the step of disallowing these technologies altogether, as they well understand that the risks involved are not outweighed by the benefits offered.
Create a cyber security incident response plan
Incident response is a well-planned approach to managing the reaction after a breach or cyber-attack. The goal is to minimize the damage, maintain business continuity and mitigate attack-related losses and exposure. To achieve this goal, it is recommended that you do two different things.
- Get everyone in the habit of reporting anything they see that could have any impact. This includes strange emails, intrusive calls, and unknown email attachments that have made it past the firewall. Employees should have a short form that they can fill out and send to the team member tasked with cyber or IT.
- Develop an incident response form and checklist. It should be simple, yet specific. This is a great way to capture the information that is needed, and it should be easily followed by those who have a “need to know.” Your checklist should include some, if not all, of the following information:
  - Identification: Who reported the incident? When was it reported? Where was the threat detected or located? What impact does it have on operations? What is the extent?
  - Containment: Can the issue be isolated? Have backups been made to protect PHI and business-related files? Have all threats been removed from the system?
  - Mediation/Eradication: Does anything need to be reconfigured to restore normal operations? Have all possible entry points been closed? Have all affected machines been updated and patched? Has all malicious activity been removed?
Once the threat has been eradicated, you should, when possible, share with your team what happened and how it happened, and include training to ensure that it does not happen again.
IBM President/CEO and Chairman Ginni Rometty said, “Cybercrime is the greatest threat to every company in the world.” This prophecy has been trending toward true, as it is expected that data breaches in the year 2020 will account for over 3 billion dollars, and it is likely that cyber-related crime could become one of the greatest threats to every person in the world within the next decade.
By developing a solid cyber stance in your practice, continuing education, creating a response plan, and above all being a human firewall, you can be the strongest link in your organization and work to stay one step ahead of the bad actors.