HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests that 64% of companies worldwide have experienced some form of cyberattack, and the rate of attacks is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services, and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.
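One way to put the inventory and patch-prioritisation advice above into practice is to rank vulnerability findings by severity weighted by what the affected asset holds and where it sits. The script below is an added example, not code from HIPAA Journal or the article; the asset names, finding identifiers (VULN-xxxx placeholders, not real CVE numbers), CVSS scores, weighting factors and patch deadlines are all constructed assumptions chosen to illustrate the idea.

```python
"""Prioritised patch list from an asset inventory and vulnerability findings.

Added example (not from the HIPAA Journal article). Every asset, finding,
score, weighting factor and deadline below is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    holds_sensitive_data: bool   # recorded in the inventory (e.g. stores patient records)
    internet_facing: bool        # reachable from outside the network


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder identifier, deliberately not a real CVE
    cvss: float         # base score on the 0.0 - 10.0 scale
    patch_available: bool


# Constructed sample inventory: the location of sensitive data is known.
ASSETS = {
    "web-portal": Asset("web-portal", holds_sensitive_data=True, internet_facing=True),
    "file-server": Asset("file-server", holds_sensitive_data=True, internet_facing=False),
    "kiosk-pc": Asset("kiosk-pc", holds_sensitive_data=False, internet_facing=False),
}

# Constructed sample scanner output, including one asset missing from the inventory.
FINDINGS = [
    Finding("kiosk-pc", "VULN-0001", 9.8, True),
    Finding("web-portal", "VULN-0002", 7.5, True),
    Finding("file-server", "VULN-0003", 9.1, True),
    Finding("web-portal", "VULN-0004", 5.3, False),
    Finding("unlisted-box", "VULN-0005", 8.0, True),
]

# Assumed weightings: exposure and data sensitivity raise the effective risk.
SENSITIVE_DATA_WEIGHT = 1.5
INTERNET_FACING_WEIGHT = 1.25


def risk_score(finding, assets):
    """CVSS adjusted by the asset's sensitivity and exposure (assumed factors)."""
    asset = assets[finding.asset]
    score = finding.cvss
    if asset.holds_sensitive_data:
        score *= SENSITIVE_DATA_WEIGHT
    if asset.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    return round(score, 2)


def patch_deadline_days(score):
    """Assumed remediation SLA: the more serious the finding, the sooner it is patched."""
    if score >= 13.0:
        return 3
    if score >= 9.0:
        return 14
    return 30


def inventory_gaps(findings, assets):
    """Assets that appear in scan results but not in the inventory: the inventory is incomplete."""
    return sorted({f.asset for f in findings if f.asset not in assets})


def prioritise(findings, assets):
    """Rank known-asset findings: patchable ones first, then highest adjusted risk first.

    Findings with no patch available are listed last so they can be given
    compensating controls rather than being lost in the queue.
    """
    known = [f for f in findings if f.asset in assets]
    ranked = sorted(
        known,
        key=lambda f: (f.patch_available, risk_score(f, assets)),
        reverse=True,
    )
    return [
        {
            "vuln_id": f.vuln_id,
            "asset": f.asset,
            "risk_score": risk_score(f, assets),
            "patch_available": f.patch_available,
            "deadline_days": patch_deadline_days(risk_score(f, assets)) if f.patch_available else None,
        }
        for f in ranked
    ]


if __name__ == "__main__":
    for gap in inventory_gaps(FINDINGS, ASSETS):
        print(f"inventory gap: {gap} has findings but is not in the asset list")
    for row in prioritise(FINDINGS, ASSETS):
        print(row)
```

The ordering puts the moderate CVSS 7.5 finding on the internet-facing portal holding sensitive data ahead of the critical 9.8 finding on an isolated kiosk, which is the point of combining the inventory with the scan data rather than sorting on CVSS alone. Findings on assets absent from the inventory are reported separately, because an unknown asset cannot be protected by the plan.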

Businesses should assume that a cyber breach is inevitable and plan how they will respond when an attack occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols for the period while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to the appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach, greatly speeds up recovery, and helps to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Attackers gain access to computers and networks by exploiting vulnerabilities, by brute-forcing weak passwords, and, most commonly, through phishing emails. Links in these emails direct users to websites where they are asked to provide their login credentials or download files containing malware. Emails often also carry attachments containing macros or other scripts that download malware, giving the attackers persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.