Cyber security: Back to basics

by Cathy Bryant

It seems ironic that we have a Cyber Security Awareness Month. Every day must be cyber security awareness day given today’s threat environment. But, we do and it is in October. And it is a great opportunity to have cyber security awareness conversations with your staff.

Without a doubt, our electronic health information is more at risk than ever. All covered entities and business associates must meet the HIPAA Security Rule to ensure confidentiality, integrity, and availability of electronic protected health information (ePHI).

In the risk assessments we conduct at TMLT, we find that practices are failing to meet the basic requirements of HIPAA security. A recent study found that 73% of medical professionals report having shared their password to allow someone access to the EHR. The Health and Human Services Office for Civil Rights (OCR) offers the following tips for getting back to basics. (1)

Basic cyber security tips

Have a strong password. Make sure you use a strong password (i.e. usually 10 characters or more and includes upper case and lower case letters, numbers, and special characters like #$&*). Recent research suggests users could also consider using “passphrases,” which are sentences that may be easier to remember than a very complex password (e.g. “I got a pony for my 8th birthday!”). (2) Do not use passwords or phrases that would be easy to guess, such as a pet’s name or your birthdate. (3)

Training. Train your staff regularly on important cyber security issues, such as how to spot phishing e-mails and when/who to report possible cyber incidents to in your practice.

Multi-factor authentication. A username and password may not be adequate to protect sensitive information, privileged accounts, or information accessed remotely. As part of its risk analysis, an entity should determine what authentication practices to use to protect its systems and sensitive information. Multi-factor authentication typically includes a password and additional security measures, such as a thumbprint or key card.

Updates and patching. You should update and patch your systems and applications regularly, because updates and patches often fix critical security vulnerabilities.

Lock devices. Limit physical access to devices and lock devices when not in use.

Portable devices. Be cautious plugging a phone, USB, or other portable device into a secure computer or network. Portable storage devices may not be as secure and may contain malicious software that could corrupt your secure network. If the device is needed, be sure to follow your organization’s policies on the use of such devices, which could include prohibitions on the use of personal devices or having IT personnel review such devices to ensure they do not contain malicious software.

Do not wait. Do not wait to report possible cyber security threats to the right people in your organization. Time is often critical during a cyber incident. If you suspect a cyber threat, report it right away.

Cyber security and ePHI

Be aware. Be aware of your responsibilities as a covered entity or business associate under HIPAA. See 45 C.F.R. Parts160 and164. Also, be aware of current threats and trends in cyber security, so you can take action and update security measures as needed.

Plan. Covered entities and business associates are required to have security incident procedures and response plans in place, as well as contingency plans to ensure effective, concentrated, and coordinated means to respond to and recover from security incidents. These policies, procedures, and plans should provide a roadmap for response and recovery activities, be approved by management, and be reviewed and tested regularly.

Respond. Once a security incident is detected, immediately take steps to analyze the incident, contain its impact and propagation, eradicate the incident, remediate vulnerabilities that permitted the incident, recover from the incident, and conduct post-incident activities. (4) You should also take steps to mitigate any impermissible disclosure of protected health information.

Report. Breaches of e-PHI affecting more than 500 individuals must be reported to the OCR, affected individuals, and the media as soon as possible, but no later than 60 days after the discovery of the breach.

Breaches affecting fewer than 500 individuals must be reported to the affected individuals as soon as possible, but no later than 60 days after the discovery of the breach, and to OCR no later than 60 days following the calendar year the breach was discovered. Entities may delay its reporting of a breach if such a delay is requested by a law enforcement official.

The OCR encourages entities to report all cyber threat indicators to federal information sharing and analysis organizations (ISAOs), such as those maintained by the Department of Homeland Security and HHS Assistant Secretary for Preparedness and Response, as well as to private sector cyber threat ISAOs. Do not include PHI in these reports. OCR does not receive such reports from its federal or HHS partners.

Sources

1. U.S. Department of Health and Human Services Office of Civil Rights. Back to basics (Basic cyber security tips. Cybersecurity Newsletter. September 2017.

2. For more information, please see Appendix A-Strength of Memorized Secrets from NIST Special Publication 800-63B Digital Identity Guidelines. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html. Accessed October 3, 2017.

3. For additional tips on creating strong passwords visit: https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice.