Tip: Make staff training a priority in 2020. Data security continues to be the Achilles heel of healthcare. From the gambit of social engineering incidents to encryption snafus, the industry suffered mightily in 2019 with major setbacks that impacted millions of patients’ electronic protected health information (ePHI). Manage Risks With Analysis and Training Once you dig into the details of many healthcare-related cyber attacks, two things often pop out: — a lack of risk management policies and protocols and limited or no staff training on cybersecurity. That’s why it’s critically important that management promote compliance by advocating for better employee education on data security as well as stronger risk planning, explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “You have to start at the top,” stresses Sheldon-Dean. “There needs to be a corporate commitment to privacy and security, and the first step is to establish the responsibility and authority to make sure the organization as a whole, as well as all elements of the organization, make the plans and have the necessary resources ready to conduct risk analyses, from the corporate to the local office level.” Sheldon-Dean adds “This requires that there are overarching policies and procedures for privacy and security providing the authority within which the work can be performed.” Reminder: Hackers aren’t particularly picky either; moreover, recent incidents highlight more than ever that organizations of every size and scope remain vulnerable to attack. “A lot of my customers think they’re too small to be targets, and maybe that’s true, but the non-targeted attacks are still out there,” warns Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah. Tip: A great way to stay on track in 2020 is to review cybersecurity basics as well as emerging threats. Test your cybersense with these 10 tough questions. 1. What kind of software helps to prevent a ransomware attack? a. Certified electronic health record technology 2. What decoy tool can you use to distract and draw hackers? a. Honeypot 3. What is a nickname for a cyber attack simulation, usually performed by IT staff? a. RiskIT 4. What social engineering tactic uses malware to lure victims via SMS texting to reveal personal or practice information? a. Pharming 5. What is patch management? a. The application of vendors’ security updates in a timely manner 6. What important action are you taking when you encode data, so that only authorized users can see and use it? a. Patient blocking 7. What are you implementing when your systems prompt you to report at least two types of evidence to authenticate your identity during the log-in process on your devices? a. Password safe 8. What can you install to block out unauthorized users while also monitoring network traffic? a. Malware 9. What is it when your practice is exposed for a cyber attack, but you don’t know it? a. Man-in-the-middle 10. What hack are cyber criminals utilizing when they use legitimate-looking software, trick you to download, and then destroy your device via the back door? a. Tailgating Answers: 1) c 2) a 3) b 4) b 5) a 6) d 7) c 8) d 9) b 10) c
b. Cloud solutions
c. Anti-virus software
d. Slack messaging
b. TrickBot
c. Encryption
d. Vishing
b. Pentest
c. APT
d. API
b. Smishing
c. Vishing
d. Firewall
b. A badge protocol at the hospital
c. How Medicaid monitors health IT
d. None of the above
b. Risk assessment
c. Software update
d. Encryption
b. Breach list
c. Multi-factor authentication
d. Techguard
b. Spyware
c. Application Programming Interface
d. Firewall
b. Zero-day vulnerability
c. Open source
d. Cloud opening
b. Spearfishing
c. Trojan horse
d. Worm