HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens.

National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners.

Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure.

DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month:

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

National Cyber Security Awareness Month Summary

  • Week 1: Simple Steps to Online Safety (Oct. 2-6)
  • Week 2: Cybersecurity at Work (Oct. 9-13)
  • Week 3: Today’s Predictions for Tomorrow’s Internet (Oct. 16-20)
  • Week 4: Careers in Cybersecurity (Oct. 23-27)
  • Week 5: Cybersecurity and Critical Infrastructure (Oct. 30-31)

Week 1 focuses on basic cybersecurity and cyber hygiene – simple steps that can be taken to greatly improve resilience to cyberattacks.

These basic cybersecurity measures are likely to have already been adopted by the majority of businesses, but these simple controls can all too easily be overlooked. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal is littered with reports of security incidents that have resulted from the failures to get the basics of cybersecurity right. Week 1 is the perfect time to conduct a review of these basic cybersecurity measures to ensure they have all been adopted.

This year has already seen several major data breaches reported, including the massive breach at Equifax that impacted 143 million Americans. In May, WannaCry ransomware attacks spread to more than 150 countries and the NotPetya wiper attacks in June causes extensive damage. FedEx and Maersk have both announced that the attacks could end up costing $300 million.

All three of those cyberattacks occurred as a result of the failure to implement patches promptly. Then there is the recently announced Deloitte data breach. That security breach has been linked to the failure to implement two-factor authentication – Another basic cybersecurity measure.

Stop. Think. Connect

During the first week of National Cyber Security Awareness Month, the NCSA will be promoting its “STOP. THINK. CONNECT.” security awareness campaign, which was developed with assistance from the Anti-Phishing Working Group in 2010. The campaign makes available more than 140 online resources that can be used by U.S. citizens to keep themselves secure and by businesses to improve security awareness of the workforce.

Week 2 will focus on cybersecurity in the workplace, highlighting steps that can be taken by businesses to develop a culture of cybersecurity in the workplace. DHS and NCSA will also be encouraging businesses to adopt the National Institute of Standards and Technology Cybersecurity Framework.

Week 3 will focus on protecting personal information in the context of the smart device revolution, highlighting the importance of secure storage, transmission, and handling of data collected by IoT devices.

Week 4 will focus on encouraging students to consider a career in cybersecurity. By 2019, there is expected to be around 2 million unfilled cybersecurity positions in the United States. Advice will be offered about how to switch careers and embark upon a career in cybersecurity.

National Cyber Security Awareness Month finishes with two days of efforts to improve the resiliency of critical infrastructure to cyberattacks.

OCR Encourages HIPAA-Covered Entities to Go Back to Basics

Late last week in its monthly cybersecurity newsletter, OCR sent a reminder to HIPAA-covered entities about the importance of securing health data, saying, “The security of electronic health information is more critical than ever, and it is the responsibility of all in the regulated community to ensure the confidentiality, integrity, and availability of electronic protected health information.” These basic security measures are essential for HIPAA compliance.

OCR suggests HIPAA-covered entities should go back to basics during National Cyber Security Awareness Month and use the tips and advice being issued to ensure all the i’s have been dotted and the t’s crossed.

OCR suggests a good place to start is conducting a review to make sure:

  • Strong passwords have been set – Consisting of passphrases or passwords of at least 10 characters, including lower and upper-case letters, numerals, and special characters.
  • Regular training is provided – To improve phishing awareness, reporting of potential attacks, and covering other important cybersecurity issues.
  • Use multi-factor authentication – So that in the event that a password is obtained or guessed, it will not result in an account being compromised. MFA is strongly recommended for remote access, privileged accounts, and accounts containing sensitive information.
  • Review patch management policies – To ensure that software updates and patches are always applied promptly, on all systems and devices, to fix critical security vulnerabilities.
  • Devices are locked – All devices should be physically secured when they are not in use.
  • Portable device controls are developed – To prohibit the plugging in of personal portable devices into secure computers or networks without first having the devices scanned to make sure they do not contain malware.
  • Policies are developed on reporting threats – Educate the workforce on the importance of reporting potential threats immediately to ensure action can be taken to mitigate risk.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.