By Bahar Ferguson
HIPAA
Five letters that can immediately cause headaches or instill fear. HIPAA, the Health Insurance Portability and Accountability Act of 1996, exists to set national standards for electronic healthcare records, transactions and security, protecting patient information while still allowing the flow of information required to provide a high level of care.
The penalties for HIPAA breaches can cause significant financial and reputational damage. We are all constantly inundated with phishing emails that, if fallen for, could trigger a HIPAA breach (among all sorts of other complications) if you or your company is bound by HIPAA. With every device and every user being a direct door to a HIPAA breach, it is important to be proactive. To do so, we must both protect the physical device and constantly educate individuals on hacking trends and company policies. Here are four tips for starting down a more proactive road to avoid or minimize a HIPAA breach:
1. Encryption for remote devices. Whether you need to take your laptop to and from clinic sites, offices, or just home to finish up various work and projects, our devices often follow us from the office, introducing a number of potential HIPAA-violation-triggering events. Unfortunately, cars get broken into, and devices get stolen, left behind or misplaced. At a minimum, it is important for employees who must take laptops out of the office to have encrypted devices. This helps protect against the loss of sensitive information. Keep in mind that full-disk encryption only protects a device that is powered off or locked behind a strong password, so pair it with a short auto-lock timeout, and keep the recovery keys escrowed centrally rather than on the laptop itself. Additionally, the ability to remotely wipe any lost computer, and a policy for reporting and wiping the lost device, is crucial.
2. Multi-factor authentication. Electronic: We have all seen this a lot lately: apps or websites asking if we want to set up multi-factor authentication (MFA), a second step to verify that we are who we claim to be when we log into an account. This is always a smart feature to implement, as it may put in that one last obstacle to keep nefarious folks out of your account and private information. However, if you're just warming up to the concept of adding a second step, place the greatest emphasis on the services that hold the most sensitive information.
One incredibly easy and helpful area to protect is your email. In healthcare, if someone were to hack into your email account, it may immediately be a HIPAA violation if any patient information is accessible through that account. With MFA for Office 365, logging in requires not only your email address and password but also a secondary authentication method: a code from an SMS text message, a code from a mobile authenticator app or a phone call. Of these, the authenticator app is the strongest; SMS codes and phone calls can be intercepted or redirected by an attacker who takes over your phone number. Note that the "app passwords" offered for non-browser clients are not a second factor: they are separate long-lived passwords that let older email clients skip MFA entirely, so limit or disable them, along with the legacy protocols that need them.
Off-line: While electronic MFA is most commonly discussed, it is critical to apply the same concept to various off-line exchanges. Whether it be transfers of funds, sending of sensitive information, etc., it is important to put policies in place that ensure the information is being requested by the appropriate people before it is sent. For example, hackers continually send emails attempting to get someone to fall for their impersonation of a legitimate person or request. Often it is a request to wire money, a request for employee W-2 forms or even customer or patient information. It is important to require a second channel for such important information transfers, like an in-person confirmation or a phone call to a number you already have on file. Having the email come from a legitimate address is not enough. If that individual's email has been hacked, the hacker may send from the real account, leaving little question about where it comes from, even mimicking the owner's writing style, so the recipient never questions the legitimacy of the request.
3. Acceptable-use policy. An acceptable-use policy (AUP), also known as a fair use policy, is an integral component of a company's device management. An AUP is written by company leadership and governs how company systems should and should not be used, explains the monitoring used to enforce those rules and sets out the consequences for policy violations. It is here that a company defines what behaviors are unacceptable, such as excessive use of resources or time-wasting activities, distribution of confidential information and distribution of indecent or offensive material, as well as requirements such as password changes, rules for off-site device use and other security measures around the transmission or spread of malware.
4. Education. You can have the most sophisticated system available, but if a user clicks something they shouldn't, your entire network can be compromised. Regular training by your IT team can keep people informed of the latest tricks and serve as a reminder to always slow down and be hyper-vigilant. Hacking trends are constantly changing, and we must keep people aware of them in order to reduce the chances of individuals falling victim to attacks.
This cannot be emphasized enough. It is incredibly important to slow down and investigate the file or email you have received to determine if it is legitimate. We have seen an increase in spoofing attacks where the cybercriminal, who has accessed information about the company, its customers, etc. (either through a quiet email hack or other methods), purchases a domain similar to that of the target company to create an almost exact email replica and sends customers invoices with "updated payment methods." And of course there is the very common email to key contacts requesting the wiring of money or simply carrying virus-laden files. The spoofed domains may replace a "q" with a "g" or leave out a letter that, without careful attention, goes unnoticed. Additionally, slow down to determine whether the request follows the normal procedure of the company supposedly sending it, and hover over any link to see where it actually leads before clicking it.
Unfortunately, that is only one part of the issue. Even if you are never hacked and your domain isn't spoofed, the rise of cybercriminals using DropBox, DocuSign, UPS, etc., as lures to get people to open files means that any legitimate file you send should be announced ahead of time so it is expected. It is important to check the sender and determine whether you should be receiving the email at all. When in doubt, reach out to your IT team or simply delete the questionable email.
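As an added example (not part of the original article, and not a tool from the author's company), here is a small Python script that applies the two checks described above mechanically: it compares a sender's domain against a list of trusted domains and flags lookalikes built from confusable characters (a "g" for a "q", "rn" for "m") or from a dropped or changed letter, and it parses the HTML links in a message to flag any whose visible text names a different site than the real destination. The trusted domains, the confusable table and the sample message are all constructed for the illustration, and the domain splitting assumes plain two-label domains (no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation actually corresponds with (constructed for the example).
TRUSTED_DOMAINS = {"example-clinic.com", "quality-health.org"}

# Visually confusable sequences and the single spelling they collapse to.
# Multi-character pairs come first so "rn" is handled before single letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("q", "g")]


def canonical(label: str) -> str:
    """Collapse confusable sequences so lookalike spellings compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a dropped, added or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    suffixes like 'co.uk' are not handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email address."""
    domain = registrable_domain(address.rsplit("@", 1)[-1])
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if canonical(domain) == canonical(trusted):
            return "lookalike"  # q/g, rn/m style substitution
        if edit_distance(domain, trusted) <= 2:
            return "lookalike"  # a letter dropped, added or changed
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html: str) -> list:
    """Return (text, href) for links whose visible text names a different
    site than the real destination. Text without a domain ('Click here')
    gives nothing to compare and is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if not shown:
            continue
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(0)) != registrable_domain(real_host):
            flagged.append((text, href))
    return flagged


# Constructed sample message body (not a real email).
SAMPLE_HTML = (
    '<p>Please see the <a href="https://docs.exarnple-clinic.com/inv">'
    "https://portal.example-clinic.com/invoice</a> for updated payment methods.</p>"
    '<p><a href="https://example-clinic.com/help">Contact support</a></p>'
)

if __name__ == "__main__":
    for sender in ["billing@example-clinic.com", "billing@exarnple-clinic.com",
                   "admin@guality-health.org", "ar@exmple-clinic.com", "news@vendor.net"]:
        print(f"{sender:32} {classify_sender(sender)}")
    for text, href in deceptive_links(SAMPLE_HTML):
        print(f"link text says {text!r} but actually goes to {href}")
```

Run as-is to see the five sample senders classified and the disguised invoice link flagged. An "unknown" result is not a verdict: it only means the domain is not on the trusted list, which is exactly the case where the off-line confirmation described under tip 2 should apply.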
Bahar Ferguson is president of Wasatch I.T., a Utah provider of outsourced IT services for small and medium-sized businesses.