
Security Awareness: How to Remain Safe While Working from Home

As our current climate continues to change day by day, I thought it would be beneficial to share some best practices for security awareness. While this is certainly not all-encompassing, many of these practices apply not only to your organization but also to your personal life.

Working from Home

Due to the COVID-19 pandemic, many of us are now working from home. Unfortunately, cyber criminals will continue to target individuals and organizations with phishing campaigns in the hopes of exploiting vulnerable systems and services. While working from home, everyone must remain vigilant and keep an eye out for suspicious activity. Here are some of the most effective ways to protect yourself while working at home:

  • Secure your wireless network router at home, and make sure to change the default admin password. Also enable WPA2 encryption and use a strong WiFi password for the wireless network that you created.
  • Be aware of all the devices you have connected to your network, including baby monitors, gaming consoles, Alexa, Google Home, TVs, appliances or even your car. Ensure that each device is protected by a strong password and that the operating system is kept up to date. You should enable automatic updating whenever possible, so that you don’t forget. This includes your cell phone and computer as well.
  • Make sure every account has a separate, unique password. If you can’t remember all your passwords, consider using a password manager to securely store all of them for you. Some of our (free) favorites include LastPass, Dashlane and Keeper.
  • Keep your account secure by using multi-factor authentication or two-factor authentication. Whenever this feature is offered, you should absolutely use it. When you login, both your password and a code sent to your mobile device are needed. For example, you might use it for banking, Gmail, Dropbox and various social media sites.
  • Make sure antivirus software is installed on your personal computer. Chances are your work computer already has this software from the corporate level. Some free options for personal computers (Windows, Mac and even smartphones) include Sophos Home, Bitdefender and Avast.
  • Use your common sense! If an email, phone call or online message seems odd, suspicious or too good to be true, then it probably is.

Using Social Media

While most people use social media for personal reasons rather than for business, almost everyone has a LinkedIn account, which is considered social media but is designed for work purposes. Regardless of the social media platform you use, here are some friendly reminders to ensure stronger security awareness:

  • Use social media wisely. Once it’s out there, it will never permanently come down, even if you think that it has!
  • Apply the strongest privacy settings possible to ensure your privacy and protection.
  • Enable multi-factor authentication. If someone is trying to hack your account, you will know immediately and can remedy the situation quickly.
  • Don’t share personal information on business accounts. And don’t share business information on personal accounts.

Being Hacked

If you are working from home, and believe you have been hacked, how can you tell? This can be more challenging if you’re accustomed to being in the office and reporting an issue to your IT/Security team in person. Here are some signs that you’ve been hacked:

  • Your antivirus program triggers an alert. That’s why you should always install an antivirus program.
  • Your password no longer works, but you know it is correct.
  • You get a pop-up message stating that your computer is infected, and you must pay a ransom or call a phone number to fix the problem.
  • You believe that you have accidentally installed suspicious or unauthorized software.
  • Your friends and coworkers are receiving odd messages from you that you never sent.
  • Your browser takes you to a random website that you can’t close.

Perhaps more important, what can you do if you believe that you have been hacked? If the equipment in question belongs to your organization, always consult the appropriate department or person. At MRO, our employees are directed to contact the IT department. Don’t try to fix the problem yourself. Stop what you are doing and report the problem right away. If it’s your personal equipment that may have been hacked, contact a local business for assistance. If an account such as LinkedIn has been hacked, contact LinkedIn support for assistance. Getting help from a knowledgeable professional is always the best course of action when you are hacked.

Whether you are working from home or using a personal device for leisure, being proactive and vigilant can help both your organization and you practice better security awareness and protect your important online accounts.


Cybersecurity Awareness: How to Protect Your Online Presence Webinar

Anthony Murray covers various cybersecurity topics to protect your online presence, such as basics for breach prevention, phishing, ransomware, and social engineering tactics. Serving as a prelude to Cybersecurity: Protecting Your Healthcare Enterprise, which will be presented at the PHIMA Annual Conference, this webinar will provide attendees with practical cybersecurity knowledge to apply at the office and at home.


National Cybersecurity Awareness Month: How to Protect Your Online Presence


National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.

IT Security Basics for Breach Prevention

Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:

  • Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
  • Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
  • Use a secure WIFI connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the WIFI at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.

Phishing

In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are well designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data records leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.

How can you protect yourself against phishing? Follow these simple, but effective steps:

  • Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
  • Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
  • Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.
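To make the "links can be disguised" point concrete, here is an added example (not part of the original post) that scans a constructed HTML email body for anchors whose visible text names one host while the href actually points to another; the hostnames, sample message and helper names are assumptions for illustration only.

```javascript
// Added example: detect display-text/href mismatches in an HTML email body.
// Hostnames and the sample email below are constructed for illustration.

// Crude anchor matcher: captures the href value and the visible inner HTML.
const ANCHOR_RE = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;

// Hostname of an http(s) href, or null for anything else (mailto:, javascript:, junk).
function hostOf(href) {
  try {
    const u = new URL(href);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Pull a hostname out of the visible link text, e.g. "https://www.bank.example/x"
// or "www.bank.example"; returns null when the text is plain words.
function hostInText(text) {
  const plain = text.replace(/<[^>]+>/g, "").trim();
  const m = plain.match(/(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i);
  return m ? m[1].toLowerCase() : null;
}

// Registrable-domain approximation: keep the last two labels. Good enough for the
// sample; a real filter would consult the public suffix list.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns one finding per suspicious anchor; an empty array means nothing flagged.
function findDisguisedLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const [, href, text] = m;
    const target = hostOf(href);
    const shown = hostInText(text);
    if (!target) {
      findings.push({ href, text, reason: "href is not an http(s) URL" });
      continue;
    }
    if (shown && baseDomain(shown) !== baseDomain(target)) {
      findings.push({
        href,
        text,
        reason: `text shows ${shown} but the link goes to ${target}`,
      });
    }
  }
  return findings;
}

// Constructed sample: one disguised link, one plain-text link, one honest link.
const SAMPLE_EMAIL = `
<p>Your account has been locked. Reset your password now:</p>
<a href="http://secure-login.example-evil.test/reset">https://www.example-bank.com/reset</a><br>
<a href="https://www.example-bank.com/help">Contact support</a><br>
<a href="https://www.example-bank.com/login">www.example-bank.com</a>
`;

for (const f of findDisguisedLinks(SAMPLE_EMAIL)) {
  console.log(`SUSPICIOUS: ${f.reason} (href=${f.href})`);
}
```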

Ransomware

Ransomware is malicious software that cyber criminals use to deny access to your system or data. These criminals will hold your system or data hostage until a ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.

How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.

If that happens, take the following steps:

  • Unplug the power cord from the back of your PC—don’t just turn it off
  • Contact your IT department (via phone) for assistance
  • Contact your supervisor

Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.

Social Engineering Tactics

Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:

  • In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
  • Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
  • Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links

National Cybersecurity Awareness Month: Sobering Stats

Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:

  • 47 percent of American adults have had their personal information exposed by cyber criminals
  • 600,000 Facebook accounts are hacked every single day
  • 65 percent of Americans who went online received at least one online scam offer

Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.



Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI


On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy, and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar, titled “Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.

2019 HIPAA Summit

The HIPAA Summit focused on advances in security technology and increased government cybersecurity initiatives. Considering recent data breaches, healthcare organizations must build cybersecurity awareness programs that ensure HIPAA compliance. Here are four top priorities:

  • Secure executive and board-level buy-in
  • Provide ongoing training and education
  • Perform an annual risk analysis
  • Create a comprehensive incident response plan

The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history at $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system through an undetected, continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:

  • Failure to conduct an enterprise-wide risk analysis
  • Insufficient policies and procedures to regularly review information system activity
  • Failure to identify and respond to suspected or known security incidents
  • Failure to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive electronic protected health information (ePHI)

Defense in Depth

In the traditional sense, defense in depth means applying a layered approach to protecting your assets, using a variety of techniques and technologies. Both the potential for gaps between those layers and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.

Security Framework

Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:

  • Identification—inventories for asset management, governance and risk management
  • Protection—access controls, awareness and training, protective technologies
  • Detection—tools to detect threats and events, continuous monitoring, manual/automated alerting
  • Response—planning, communications, analysis
  • Recovery—planning, improvements, communications

Relevant Controls for HIM

We highlighted focus areas for HIM in two categories. The first is Access/Account Management, which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. HIM must work closely with other departments (human resources, IT and compliance) to establish policies and controls that prevent improper access to PHI.

The second category is Administrative, Physical and Technical with emphasis on:

  • Data classification—data flow mappings and sensitivity
  • Roles and responsibilities—privacy, security and legal
  • Information security awareness—education, training and policies
  • Information handling—use and disposal
  • Physical access—secure rooms

With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.

Enterprise Engagement

As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.

Resolution Agreements

In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.

Top Cybersecurity Threats in 2019

Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:

  • Third-party misuses or shares of confidential data
  • An attack involving IoT or OT assets
  • A significant disruption to business processes caused by malware
  • A data breach involving 10,000 or more customer or employee records
  • An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment

As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.

The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.



Critical Practices to Improve Business Associate Management

In a HealthData Management ‘HIT Think’ article, MRO’s Anthony Murray and Rita Bowen discuss the critical role business associates play in a provider’s privacy and security program. They describe how more provider organizations are incorporating HITRUST and SOC 2 frameworks into their third-party assurance processes. Together, HITRUST and SOC 2 provide the basis for an effective BA management program that promotes communication, confidence and common ground.


HITRUST—What It Is and Why It Matters

What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.

For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.

HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.

Why HITRUST Is Important to BA Risk Management

As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.

Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CSF certification demonstrates integrity and commitment to privacy and security practices aligned with the stringent regulatory requirements and expectations of the healthcare industry.

With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.

As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.

To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”



Webinar Recap: Cybersecurity: Protecting Your Healthcare Enterprise

On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy, and I presented the third part of our four-part healthcare compliance webinar series. In this webinar, titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.

Access Management

Policies and Procedures

HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.

  • Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
  • Information access authorization specifies who has access and why, based on minimum necessary guidelines.
  • Ongoing security training supports accountability and access management.

Threat Prevention, Detection and Response

Prevention

Even with the most advanced technology, granting people access to systems remains one of the greatest sources of risk for a serious incident. Attendees were reminded that policies and technologies must be backed by additional controls:

  • End user education and social engineering testing
  • Strong passwords and account creation steps
  • Malicious software protection
  • System hardening practices

Detection

If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts on potential privacy violations. System log reviews are a good way to spot behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.

Response

In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?

At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.

Information Governance

Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.

Risk Register

A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Rather than a one-and-done document, the register is a living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.

Cyber Extortion

With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

