Anthony Murray covers various cybersecurity topics to protect your online presence, such as basics for breach prevention, phishing, ransomware, and social engineering tactics. Serving as a prelude to Cybersecurity: Protecting Your Healthcare Enterprise, which will be presented at the PHIMA Annual Conference, this webinar will provide attendees with practical cybersecurity knowledge to apply at the office and at home.
National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.
IT Security Basics for Breach Prevention
Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:
- Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
- Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
- Use a secure Wi-Fi connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the Wi-Fi at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.
In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are excellently designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data records leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.
How can you protect yourself against phishing? Follow these simple, but effective steps:
- Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
- Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
- Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.
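The "hover over the link" and "links can be disguised" advice above, as an added example that is not part of the original post: it reads the anchors out of an HTML email body and flags links whose visible text names one domain while the href goes to another, links whose domain is a near-miss (typo) of a trusted brand domain, plain-http links and raw-IP links. The trusted domain list and the sample email are constructed for illustration.

```python
# Added example (not from the original post): flag suspicious links in an
# HTML e-mail body. TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("mrocorp.com", "example-bank.com")  # constructed list


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a host to its last two labels (assumes no multi-part TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return the reasons a link looks suspicious (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    dom = registered_domain(host)
    # 1. The visible text shows a domain, but the href resolves elsewhere.
    m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if m and registered_domain(m.group(0)) != dom:
        reasons.append(f"text shows {m.group(0)} but href goes to {host}")
    # 2. The href domain is a near-miss of a trusted brand, or hides the
    #    brand name inside a subdomain of an unrelated registered domain.
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if edit_distance(dom, trusted) <= 2 or brand in host:
                reasons.append(f"{host} resembles trusted domain {trusted}")
                break
    # 3. Unencrypted transport or a raw IP address instead of a hostname.
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link points at a raw IP address")
    return reasons


def scan_email(html):
    """Map each href in the e-mail body to its list of suspicious indicators."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: assess_link(href, text) for href, text in collector.links}


# Constructed sample: one disguised link, one typosquat, one legitimate link.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://example-bank.com.login-verify.net/x">https://example-bank.com/secure</a>
<a href="https://examp1e-bank.com/reset">Reset password</a>
<a href="https://mrocorp.com/blog">MRO blog</a>"""
```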
Ransomware is malicious software that cyber criminals use to deny access to your system or data. These criminals hold your system or data hostage until a ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.
How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.
If that happens, take the following steps:
- Unplug the power cord from the back of your PC—don’t just turn it off
- Contact your IT department (via phone) for assistance
- Contact your supervisor
Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.
Social Engineering Tactics
Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:
- In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
- Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
- Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links
National Cybersecurity Awareness Month: Sobering Stats
Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:
- 47 percent of American adults have had their personal information exposed by cyber criminals
- 600,000 Facebook accounts are hacked every single day
- 65 percent of Americans who went online received at least one online scam offer
Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.
On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar titled “Cybersecurity in Health IT: Trend and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.
2019 HIPAA Summit
The HIPAA Summit focused on advances in security technology and increased government cybersecurity initiatives. Considering recent data breaches, healthcare organizations must build cybersecurity awareness programs that ensure HIPAA compliance. Here are four top priorities:
- Secure executive and board-level buy-in
- Provide ongoing training and education
- Perform an annual risk analysis
- Create a comprehensive incident response plan
The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history, at $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system via an undetected, continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:
- Failure to conduct an enterprise-wide risk analysis
- Insufficient policies and procedures to regularly review information system activity
- Failure to identify and respond to suspected or known security incidents
- Failure to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive electronic protected health information (ePHI)
Defense in Depth
In the traditional sense, defense in depth means applying a layered approach to protecting your assets, using a variety of techniques and technologies. Both the potential for gaps between those layers and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.
Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:
- Identification—inventories for asset management, governance and risk management
- Protection—access controls, awareness and training, protective technologies
- Detection—tools to detect threats and events, continuous monitoring, manual/automated alerting
- Response—planning, communications, analysis
- Recovery—planning, improvements, communications
Relevant Controls for HIM
We highlighted focus areas for HIM in two categories. The first is Access/Account Management, which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. They must work closely with other departments (human resources, IT and compliance) to establish policies and controls that prevent improper access to PHI.
The second category is Administrative, Physical and Technical with emphasis on:
- Data classification—data flow mappings and sensitivity
- Roles and responsibilities—privacy, security and legal
- Information security awareness—education, training and policies
- Information handling—use and disposal
- Physical access—secure rooms
With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.
As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.
In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.
Top Cybersecurity Threats in 2019
Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:
- Third-party misuses or shares of confidential data
- An attack involving IoT or OT assets
- A significant disruption to business processes caused by malware
- A data breach involving 10,000 or more customer or employee records
- An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment
As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.
The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.
To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.
Request MRO’s Cybersecurity Webinar
In a HealthData Management ‘HIT Think’ article, MRO’s Anthony Murray and Rita Bowen discuss the critical role business associates play in a provider’s privacy and security program. They describe how more provider organizations incorporate HITRUST and SOC 2 frameworks into their third-party assurance processes. Together, HITRUST and SOC 2 provide the basis for an effective BA management program that promotes communication, confidence and common ground.
What is HITRUST?
Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.
For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.
HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.
Why HITRUST Is Important to BA Risk Management
As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.
Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CSF certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.
With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.
As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.
To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”
In a HITECH Answers article, MRO’s Anthony Murray, CISSP, Vice President of Information Technology, is quoted on his thoughts and advice during Cybersecurity Awareness Month.
On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part healthcare compliance webinar series. In this webinar titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.
Policies and Procedures
HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.
• Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
• Information access authorization specifies who has access and why, based on minimum necessary guidelines.
• Ongoing security training supports accountability and access management.
Threat Prevention, Detection and Response
Even with the most advanced technology, granting people access to systems remains one of the greatest sources of risk for a serious incident. Attendees were reminded that policies and technologies must have additional controls in place:
• End user education and social engineering testing
• Strong passwords and account creation steps
• Malicious software protection
• System hardening practices
If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts on potential privacy violations. Reviewing system logs is a good way to spot behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.
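The log-review point above, as an added example that is not from the webinar and is not FairWarning's logic: it parses EHR access-log lines and surfaces two behavioral anomalies a privacy reviewer would want flagged, a user who touched far more distinct patient records than their peers, and access outside normal working hours. The log format, user ids, patient ids and thresholds are all constructed assumptions.

```python
# Added example (not from the webinar): review constructed EHR access-log
# lines for volume outliers and after-hours access. Format, ids and
# thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed format: ISO timestamp, user id, patient id, action.
# jdoe and asmith each view two patients during the day; bjones views
# twelve distinct patients in a row at two in the morning.
SAMPLE_LOG = """\
2019-08-14T09:12:03 jdoe P1001 VIEW
2019-08-14T09:15:41 jdoe P1002 VIEW
2019-08-14T10:02:17 asmith P2001 VIEW
2019-08-14T10:40:09 asmith P2002 UPDATE
""" + "".join(
    f"2019-08-14T02:{13 + i:02d}:00 bjones P30{i + 1:02d} VIEW\n" for i in range(12)
)


def parse_log(text):
    """Parse one record per non-empty line into a dict."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def volume_outliers(records, factor=3, floor=5):
    """Users whose distinct-patient count exceeds max(floor, factor * median).

    Comparing against the median of all users rather than a fixed number
    keeps the check meaningful for both small clinics and large systems.
    """
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["patient"])
    counts = {u: len(p) for u, p in seen.items()}
    if not counts:
        return {}
    threshold = max(floor, factor * median(counts.values()))
    return {u: c for u, c in counts.items() if c > threshold}


def after_hours(records, start=7, end=19):
    """Accesses outside the [start, end) hour window, grouped per user."""
    hits = defaultdict(list)
    for r in records:
        if not start <= r["ts"].hour < end:
            hits[r["user"]].append(r["ts"].isoformat())
    return dict(hits)


def review(text):
    """Run both checks over a raw log and return the findings."""
    recs = parse_log(text)
    return {"volume": volume_outliers(recs), "after_hours": after_hours(recs)}


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```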
In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?
At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.
Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.
A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Unlike a one-and-done document, this register is a fluid living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.
With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.
To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.
Request MRO's Cybersecurity Webinar
MRO’s Anthony Murray, CISSP, Vice President of Information Technology, offers insight on risk analysis.
MRO’s Anthony Murray, CISSP, Vice President of Information Technology, discusses key strategies that can reduce business associate risk.
At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).
Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.
The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.
Video Recap: Managing Risk Associated with Business Associates for Covered Entities
Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.
Question: Tell us a little bit more about your presentation and the topic of BA Management.
Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.
Question: What best practices did you discuss during your presentation?
Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.
Question: What is MRO doing to address this topic?
Anthony: MRO is doing a number of things to help address this topic. One is that we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.
Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?
Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paper work done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.
Question: What is your favorite part about AHIMA?
Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other agencies like ourselves that provide services to these hospitals all dealing with the same problems, and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.
To download slides from MRO’s Business Associate Management presentation, complete the form below.