Thank you to everyone who submitted questions and attended our 31 Days of Cybersecurity webinar. In this blog post you can find all the questions we asked our expert panel and a summary of their answers. If you have any additional questions about HIPAA compliance or cybersecurity, please email firstname.lastname@example.org.
Can you speak about best practices when communicating and sharing sensitive information via email or online file sharing tools?
Most attacks targeting organizations that handle sensitive information are carried out via email. Email is used frequently by the entire workforce and is often not given adequate controls. Implement appropriate levels of security for the various kinds of data being shared. Having controls in place, such as email encryption, is crucial for mitigating user error.
Can you tell us more about penetration testing and the kinds of companies that need to perform pen testing?
Let’s start with the definition of pen testing. How is it different from vulnerability testing? Well, vulnerability assessments are automated scans that detect network or machine vulnerabilities. In order for pen testing to be effective, it should be performed after a vulnerability assessment. Unlike vulnerability assessments, pen tests are performed by a person who is acting as a simulated hacker. The pen tester uses common cyberattacks against the company’s network to determine whether it is vulnerable to these attacks.
The size of the company and amount of data it has are the most important factors when determining whether your company needs a pen test. As the amount of data goes up, the need for a pen test goes up. Again, pen tests are best used after a vulnerability assessment to close any remaining gaps in your security program. Be sure to conduct a vulnerability assessment before you perform a pen test.
How are phishing scams impacting remote workers?
The frequency of phishing attacks, as well as their success rate, has spiked during the pandemic. This stems partly from the increasing sophistication of the attacks, and partly from the increase in user error that has resulted from remote work. It’s harder to train staff and get them to implement controls when they’re working remotely. Phishing scams in particular thrive on human error. It only takes one staff member clicking a link or attachment in an email for there to be a breach.
Human error is the top cause of breaches. What can companies do to foolproof their systems to guard against user error, particularly now that so many people are working from home?
The best cybersecurity programs combine training and technology to mitigate risk. Many programs can predict when a user is about to make a mistake. For instance, a program might send a user a pop-up that says “You’re about to send this email to someone outside your organization. Was this intentional?” Technology can provide guidance to the user, but if the user isn’t trained and doesn’t follow a program’s recommendation, a breach can still occur.
How often do you recommend updating your passwords?
At the very least, you should be changing your passwords every 90 days. You should also be sure to change your passwords after you’ve had a vulnerability assessment or pen test. If one of these assessments determined that your passwords were weak, you should implement stronger password generation procedures. Strong password requirements include: don’t use dictionary words, make passwords 15 characters long, and use a mix of letters and symbols.
One of the most common reasons a stolen password leads to a breach is the lack of two-factor authentication. With two-factor authentication in place, a hacker who knows the password for one account still may not have access to the second account or device that the authentication message is being sent to. This is a highly effective barrier against breaches.
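The password rules given above (at least 15 characters, no dictionary words, a mix of letters and symbols, rotation every 90 days) as an added, runnable policy check. This is example code written for this post, not a tool from the panel or from Total HIPAA; the word list, the leetspeak substitution map and the sample dates are constructed for illustration.

```python
import re
import string
from datetime import date, timedelta

# Constructed, illustrative word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "hospital", "patient", "clinic"}
MIN_LENGTH = 15      # "make passwords 15 characters long"
MAX_AGE_DAYS = 90    # "changing your passwords every 90 days"

# Assumed substitution map so that "P@ssw0rd" is still caught as "password".
LEET = str.maketrans("@013$5!", "aoiessi")


def policy_violations(password: str) -> list:
    """Return the rules from the post that the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no symbols")
    # Dictionary check: lower-case, undo common letter substitutions, drop anything that
    # is not a letter, then look for each listed word as a substring.
    normalized = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for word in sorted(DICTIONARY):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def rotation_due(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the post's 90-day rotation interval."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "P@ssw0rdForTheClinic!", "correct-horse-battery-staple"):
        print(candidate, "->", policy_violations(candidate) or "compliant")
    print("rotation due:", rotation_due(date(2020, 1, 1), date(2020, 4, 1)))
```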
What should enterprise-sized companies be doing to ensure cybersecurity? More specifically, what should companies that anticipate growth do to prepare for handling cybersecurity on a large scale?
Good cybersecurity programs don’t rely on one vendor or solution to implement controls. It’s best to integrate different solutions and create a strong framework that minimizes vulnerabilities. It’s also important to establish a process and make it repeatable. Create a cybersecurity program that works for one office, then implement the same controls across all of your organization’s locations. You’ll need to adapt it and test new solutions along the way. But, it’s always important to first focus on implementing the basics, then repeat that throughout the organization.
If a company has a Google Apps or Office 365 account, and a signed BAA (Business Associate Agreement), why is this not sufficient for HIPAA compliance?
HIPAA compliance requires more than just secure platforms and a signed BAA. You must also have proper procedures and best practices in place to keep PHI safe when it’s transmitted. For instance, if a doctor is sending health-related information to a patient, it should be sent as an encrypted attachment. It’s crucial that you have controls in place for protecting outbound traffic.
What should an organization do for basic security if they don’t know where to start?
Make sure you have a good foundation. Have endpoint security as well as detection and response controls in place. You should also document incident response procedures. This includes assessing where the attack came from, what form it took, and whether your systems have vulnerabilities that need to be addressed.
To mitigate more risks and build a stronger cybersecurity program, you should also perform a vulnerability assessment and implement solutions for vulnerabilities that are identified. Building a strong security infrastructure is the first step in creating an effective cybersecurity program.
What are some of the cybersecurity controls required by HIPAA?
Whether you’re complying with HIPAA or another information security act, NIST’s cybersecurity guidelines outline the basic controls that organizations should use in their security operations. These include conducting a Risk Assessment, documenting security controls, and implementing role-based access controls.
What makes an efax solution safer than a fax machine?
Traditional fax machines are some of the least secure devices for transmitting PHI. With an efax vendor, you can sign a BAA, audit their security controls, and encrypt any information you transmit using their service. Efax companies also encrypt any PHI they store, keeping information secure both in transit and at rest.
Thank you for being a part of 31 Days of Cybersecurity. Total HIPAA specializes in creating customized HIPAA-related documentation and training for our clients. We provide documents like Security Policies and Procedures, Disaster Recovery Policies, Confidentiality Agreements, and Bring Your Own Device (BYOD) Policies. Our HIPAA Prime program is an all-in-one customized compliance solution. Please email email@example.com to learn more!