January 9, 2019
Top Five Tips for Information Security Awareness
Automated cybersecurity systems are no longer enough
Information security is evolving largely in response to the growth of ransomware and other attacks designed to monetize access to data. John Hluboky, Vice President and Chief Information Security Officer at Practice Fusion, notes, “What we are seeing are attackers who are becoming far more organized. They’re launching very specific attacks to gather information and data. Many of those attacks have been either sold or leaked in the wild and are now being used by attackers all over the world for a variety of different things, including attacking healthcare.”
The last line of defense is well-trained people. In particular, healthcare organizations require information security awareness training. The HIPAA Privacy Rule’s administrative requirements and the Administrative Safeguards clearly state minimum security awareness training requirements for covered entities and business associates. The most common approach to meeting these requirements is conducting new-hire and annual computer-based training courses within the company.
A growing body of evidence suggests that annual training alone simply doesn’t work. The common industry approach to information security awareness training is not preparing employees for the increasing volume of cyberattacks targeting healthcare. This is especially true for small practices, which typically have no IT department and no one focused on protecting their systems.
Mr. Hluboky provided the following tips on how to keep information secure. He reminds us that, “The most important thing that anyone can do is to understand how these attacks are coming in and to minimize their chances of falling victim to them.”
1. Be more vigilant about patient data
In the first 10 months of 2018, there were 257 healthcare breaches reported by the Office of Civil Rights (OCR)—nearly double the 139 breaches reported in 2017. This amounts to 12 million patient records compromised in the United States alone. Unlike a financial account number, which can be revoked and replaced, healthcare information contains details about an individual that cannot be changed: a patient’s diagnoses, medications, and treatment plans. An attacker may use this information for identity theft, blackmail, or coercion that causes the victim financial harm.
2. Do the basics—starting with people
The most commonly exploited vulnerability in an organization is the human element. Security awareness training can prevent mistakes such as holding a secure door open for a person with their hands full (but no access badge) or clicking an email link that appears legitimate. We must train people to be suspicious of others’ actions and intentions.
3. Remember that password protection matters
Most people grapple with complex passwords and fall back to something easier to remember, which may not be as secure. Modern computing power makes short work of brute-force and dictionary attacks, so make sure employees take the time to create a complex password or use a secure password manager.
4. Use multifactor authentication (MFA)
Many online services offer authentication protection in the form of MFA. MFA apps for mobile devices are available free of charge from many service providers and add substantial protection for account access.
The authentication factors used by MFA are:
- Something one knows, such as a password or passphrase
- Something one is, such as a biometric scan (facial recognition, fingerprint, etc.)
- Something one has, such as a smartphone or secure token device
5. Watch out for Wi-Fi
Many people use public Wi-Fi access points. Unfortunately, attackers can set up rogue access points that masquerade as legitimate ones, allowing them to intercept and replay all data sent through the rogue network. If you must use public Wi-Fi, consider using a personal virtual private network (VPN) service on your devices. Even better, plan to tether your devices to your own mobile phone for Internet access, or purchase an inexpensive mobile hotspot for travel.
Look for more ways to enhance your data security
This information security awareness article is another example of our commitment to ensuring the highest levels of data security in Practice Fusion and Patient Fusion for your healthcare organization. Look for more detailed information coming soon on other critical healthcare topics.