As October 2017 and National Cybersecurity Awareness Month (NCSAM) continue, we keep our focus on going back to the basics. The basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability, leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek focuses on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of requiring two or more independent credentials before someone is allowed access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond-type character enters a password followed by a thumbprint or an eye scan to enter a classified area. This is not just movie stuff anymore. It is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three types of credentials in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a special hardware token, such as a key or a smart card, with a unique Personal Identification Number (PIN) assigned only to you. When you use the token, the information system recognizes it, and you confirm that it is you by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits, so no one else can use them to authenticate as you.
The advantage of a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumbprint. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination: smart card and password, password and thumbprint, smart card and iris scan, and so on. The key to multi-factor authentication is to establish a layered approach to granting access to your information systems, thereby securing your e-PHI.
Multi-factor authentication is a basic security principle that should be considered wherever possible, as it provides a more secure method of granting access only to those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM, along with any others you consider appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at email@example.com who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
The Health and Human Services (HHS) Office for Civil Rights has made October 2017 National Cybersecurity Awareness Month (NCSAM). As such, it is asking organizations to go back to the basics in applying HIPAA privacy and security principles. The basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Last week we looked at some basic tips on password management strategies. In this week’s second installment of a four-part series on cybersecurity tips by HIPAAtrek, we examine the importance of updating and patching your information systems and applications.
Patch Management: Patch management is the process of acquiring, testing, and installing patches (code changes that fix defects) on the existing applications and software in your information systems. This process is carried out by your system administrator or HIPAA security officer. You may have been notified that a specific application will be down for a few hours or overnight. This is most likely the result of testing for vulnerabilities, after which patches are applied to “plug up” the vulnerabilities that were found. Patch management is a basic concept of HIPAA security and must be performed on a periodic basis to keep your e-PHI secured. Oftentimes, software patches are provided by the major vendors, such as Microsoft, to update their software. In addition, a system administrator can purchase patch management software that schedules testing and patching periodically.
To bring this basic concept of patching closer to home, let’s examine the recent privacy breach at the Equifax credit monitoring company, where financial information of 145.5 million individuals was exposed. In testimony before a Congressional panel, CEO Richard Smith explained how the breach occurred. In March 2017, the Department of Homeland Security notified Equifax of the need to patch a vulnerability in their Apache Struts software. Apache Struts is used by Equifax for an online portal where customers dispute errors on their credit reports. According to Mr. Smith, the Equifax security team was to notify the technical team responsible for finding the vulnerability and applying the patch. The human error here is that the patch was never applied. In addition, subsequent technical scans simply didn’t work, so the vulnerability that DHS had warned about was never found. As a result, the hackers accessed the data on May 13, 2017. The public was not notified until Sept 7, 2017. Needless to say, this nightmare scenario should not occur at your organization. Take a moment to discuss patch management with your HIPAA security officer.
Patch management is a basic security principle that can be managed by scheduling periodic scanning of your information systems and by checking with the vendors that provide the applications you use to manage your e-PHI, which could include your EMR/EHR. In addition to patch management, HHS has provided a short list of tips to discuss with your staff during NCSAM, along with any others you consider appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org, who can provide you a demo of our award-winning HIPAA compliance software, where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking!
The Health and Human Services (HHS) Office for Civil Rights has made the month of October 2017 Cybersecurity Awareness Month (NCSAM). As such, it is asking organizations subject to the HIPAA Privacy and Security Rules to go back to the basics. The basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Today, the security of electronic health information is more critical than ever, and it is everyone’s obligation to protect e-PHI from unauthorized access. In this first installment of a four-part series on cybersecurity tips by HIPAAtrek, we examine some tips for implementing a good password management program.
Password Management: Passwords can be viewed as the keys to the kingdom. Every user’s access point into your information systems that hold or lead to e-PHI begins with a unique user login and password. With properly managed passwords, access is reserved for only those who are authorized to enter the system or application. Therefore, it is imperative that you implement appropriate password rules and consider some of these tips:
Password makeup: Consider making them at least 10 characters long, consisting of an uppercase letter, a lowercase letter, a number, and a special character such as $%& (alphanumeric). Use passphrases such as “I love to golf on Saturdays and Sundays,” which equates to an alphanumeric password of Iltg0sas.
Password history: Specify the number of times a different password must be selected before a user can reuse a previous password.
Password expiration: Set a date or time period after which the user must establish a new password. No user should have the same password to access e-PHI for an unlimited period. Consider forcing a password change every 180 days or once a year.
Password defaults: Default passwords, whether issued to a user when initial access is provided or shipped with an application or software that is brought online, must be changed by the user.
Password protection: Passwords should be protected from viewing by others. They should not be written down on sticky notes or on paper left under the keyboard. Commit the password to memory or use a password vault or manager program.
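The five tips above describe checks an information system can enforce automatically: character makeup, history, expiration and a forced change of issued defaults. The following is an added example written for this post, not code from HIPAAtrek or HHS, that implements those checks in Python. The history depth of 5 is a constructed value; the 10-character minimum and the 180-day expiration are the figures the post suggests. Note that the post's own sample password, Iltg0sas, is eight characters with no special character, so the makeup check rejects it.

```python
import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 10        # the post recommends at least 10 characters
HISTORY_SIZE = 5       # constructed value: how many previous passwords may not be reused
MAX_AGE_DAYS = 180     # the post suggests forcing a change every 180 days
SPECIAL = set(string.punctuation)


def makeup_problems(password):
    """Return the list of makeup rules the password violates (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def _hash(password, salt):
    # Passwords are never stored in the clear; a salted, slow hash is kept instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """Per-user state needed to enforce the history, expiration and default-change rules."""

    def __init__(self, initial_password, set_on, is_default=True):
        self.history = []            # (salt, hash) pairs, newest last; includes the current password
        self.set_on = set_on
        self.must_change = is_default  # an issued default may not be kept as a working password
        self._store(initial_password, set_on)

    def _store(self, password, when):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]   # keep only the last HISTORY_SIZE entries
        self.set_on = when

    def in_history(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self.history)

    def expired(self, today):
        return today - self.set_on > timedelta(days=MAX_AGE_DAYS)

    def login_status(self, today):
        """What the system should do when this user authenticates on the given date."""
        if self.must_change:
            return "change required: default password still in use"
        if self.expired(today):
            return "change required: password expired"
        return "ok"

    def change_password(self, new_password, today):
        """Apply makeup and history rules; return the violations, or [] and accept the change."""
        problems = makeup_problems(new_password)
        if self.in_history(new_password):
            problems.append(f"reused within last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        self._store(new_password, today)
        self.must_change = False
        return []


if __name__ == "__main__":
    # Constructed walk-through: an admin-issued default that the user must replace.
    record = PasswordRecord("Welcome12!@", date(2017, 1, 1))
    print(record.login_status(date(2017, 2, 1)))
    print(record.change_password("Iltg0sas", date(2017, 2, 1)))
    print(record.change_password("Iltg0sas$Sun", date(2017, 2, 1)))
    print(record.login_status(date(2017, 9, 1)))
```

The same record can be consulted at every login: `login_status` tells the system whether to let the user in or send them to a password change screen, and `change_password` applies the makeup and history rules before the new password is stored.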
HHS has provided a short list of tips to discuss with your staff during NCSAM, and there are many more topics you can include at your organization as you see fit. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov at email@example.com, who can provide you a demo of our award-winning HIPAA compliance software, where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
Phishing is a method of enticing you to give up your personal or financial information to people or organizations masquerading as a legitimate source. The bait is a request from a source you are familiar with that is, in fact, a replica or a phony. Phishing attacks may target your personal account, or they may involve your medical organization. In any event, knowing how to recognize them and not take the bait is the key to preventing a successful phishing attack.
Phishing attacks try to obtain valuable information from you such as your:
- Credit card number
- Bank account number
- Social security number
- Online account logins and passwords
The pilfered information is used to steal your money or in the case of your organization, carry out identity theft or introduce malware into your information systems.
Phishing attacks are carried out primarily in two ways. First, attackers send phishing e-mails that look very similar to the e-mails you normally see every day. Second, attackers use links to websites that look like those of organizations, companies, or banks you visit frequently. Phishing e-mails and websites have the following characteristics:
- They all ask you to provide personal information. Most legitimate organizations, including all banks, will not ask you to provide personal information, whether it be your credit card number or your login password.
- There is usually a sense of urgency. The phishing emails request immediate action and they use this technique to get you to bite quickly. This is the same technique you see on TV ads for a product whereby your quick response for “acting right now”, will get you a discount or a second item at half price. Or the e-mail will be emotional and pull at your “heart strings” in order to entice you to act.
- Most phishing emails have a generic “hello” for the greeting. The e-mail does not use your name since it is the same phishing e-mail sent to millions.
- The e-mails may contain attachments that are most likely malware; the moment you open one, you invite malware (malicious code) into your system, which may begin to destroy or copy your hard drive and its contents.
- The e-mails may also contain a phony link to a phony website. The link is masked so that what you see looks correct, but the actual hyperlink is set up to go to the phony site. Hover your mouse over the link to see what is truly behind it.
- Many times, the e-mails contain poor grammar. Remember, hackers come at all levels: some are very good at what they do, and others have poor writing skills.
- Legitimate websites use Secure Sockets Layer (SSL) to protect the information you enter into the site; look for https:// instead of http:// in the URL. The added “s” means the connection to the site is secured.
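Several of the characteristics above (a generic greeting, urgency, a masked link, and http:// instead of https://) can be checked mechanically before a message reaches a user. The following is an added example written for this post, not code from HIPAAtrek or HHS, that runs those checks over the HTML body of an e-mail with the Python standard library. The two sample messages, the urgency phrases and the greetings are constructed for the example, and the domains are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed word lists: phrases that signal "act right now" and greetings that fit anyone.
URGENT_PHRASES = ("immediately", "within 24 hours", "act now", "will be suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello,")


class EmailBodyParser(HTMLParser):
    """Collect every anchor as (href, visible text) plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None       # href of the anchor currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host name the user *sees* in the link text, or '' if the text is not URL-like."""
    if "://" in text:
        return host_of(text)
    if "." in text and " " not in text:        # bare "www.example.com" style text
        return host_of("http://" + text)
    return ""


def analyze_email(html):
    """Return a list of findings; an empty list means none of the checked traits were seen."""
    parser = EmailBodyParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme == "http":
            findings.append(f"unencrypted link: {href}")
        shown = displayed_host(text)
        if shown and shown != host_of(href):
            findings.append(f"masked link: text shows {shown} but points to {host_of(href)}")
    body = " ".join(parser.text).lower()
    if any(phrase in body for phrase in URGENT_PHRASES):
        findings.append("urgency language in body")
    if any(body.lstrip().startswith(greet) for greet in GENERIC_GREETINGS):
        findings.append("generic greeting")
    return findings


# Constructed sample: the link text shows one site while the href goes to another.
SUSPICIOUS = """<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify it immediately.</p>
<p><a href="http://login-verify.example.net/secure">https://www.examplebank.com/login</a></p>
</body></html>"""

# Constructed sample that has none of the traits.
CLEAN = """<html><body>
<p>Hello Jane,</p>
<p>Your monthly statement is ready to view.</p>
<p><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email(SUSPICIOUS):
        print(finding)
    print("clean message findings:", analyze_email(CLEAN))
```

A mail gateway or a help desk triage script can call `analyze_email` on each reported message; the findings are the same cues the post tells users to look for, so the output doubles as training material when a suspicious message is discussed with staff.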
Phishing attacks have increased over the years as hackers have become smarter and more clever. However, there are preventive steps you and your staff can take to survive the attacks with little to no damage. Consider the following:
- Your IT department should consider installing robust spam filters which can identify these e-mails and send them to the spam folder instead.
- If the e-mail looks suspicious, don’t trust it. Instead, pick up the phone and call the organization to determine if they sent the e-mail in question.
- If the link looks suspicious, don’t click on it. Instead, manually type the organization’s real URL into your browser, and provide the information only after you have confirmed it was the organization that contacted you.
- Your IT department should consider adopting a URL scanner which will check the authenticity of any website you visit.
- If your organization uses Internet Explorer, ask your IT department to turn on the SmartScreen filter which will help you discover if a website is a phishing site.
- Unlike your browser at home, your organization determines which browser you use at work, and it is most likely a newer browser that the manufacturer supports with patches. Nonetheless, your IT department could consider installing a security toolbar that alerts you when you visit a known phishing site.
While the technical steps above will help minimize the effects of a phishing attack or help avoid one altogether, the ultimate defense lies with the users or employees themselves. It is the human factor that accounts for the large number of successful phishing attacks, since employees are ultimately tricked into opening the link or responding to the e-mail. However, the more your workforce is educated about phishing, the more likely they are to recognize an attack when it occurs. Some organizations have conducted “phishing simulations” to determine how many individuals will fall prey to a fake phishing attack. Afterwards, those individuals are provided additional training. This can be a great way to provide training and practice in recognizing phishing attacks, but organizations need to make sure no punitive action is taken. Instead, consider an organization-wide contest in which the department with the fewest tricked employees wins a prize or recognition.
Phishing attacks will continue and become more elaborate. The best defense is to employ technical safeguards that help detect them and to train your staff to recognize them and not take the bait.
Happy HIPAA trekking!