New cybersecurity questions have been added to the HIPAA One Security Risk Analysis.
Cyberattacks on healthcare organizations are continuing to rise and the threat of a breach is a top concern for many organizations. Each time we turn on the news there is a new report of a ransomware attack or a healthcare organization reporting a breach. It seems like these attacks are happening more frequently and at a larger scale. Many organizations have a dedicated IT team and budget so why are these breaches still happening?
Human error and lack of training are huge factors. Bad actors use phishing emails to lure people into clicking links or downloading malicious software such as ransomware. Additionally, health information is a lucrative business, and more and more cybercriminals are trying to be part of the payout.
To help combat this rising trend, we wanted to discuss five new cybersecurity questions that we have added to the HIPAA One software to help organizations identify areas they may be at risk so they can take action to further secure and protect their organization from a breach.
Multi-Factor Authentication and Passphrases
There are two items that you can implement starting today: passphrases and multi-factor authentication (MFA). Let’s start with passphrases. In the past, password requirements called for a certain character length and special characters. Oftentimes, this becomes so complicated that we start to use the same password for multiple accounts and just add a number or an exclamation point at the end. The new guidelines are to use a passphrase in combination with MFA. According to the National Institute of Standards and Technology (NIST), the passphrase needs to be at least 64 characters and doesn’t need to have special characters or numbers. Using a passphrase also allows you to relax the composition requirements and lengthen the time between passphrase updates.
MFA combines your passphrase with a code texted to your phone to validate a login. Using MFA can help notify you if someone is trying to access your account. It also ensures that an attacker can’t log in to your account without both your passphrase and access to your cell phone for the validation code.
Data Loss Prevention
Data loss prevention (DLP) is a technology intended to limit data leakage. It is important to have this safeguard in place to monitor, block and safeguard ePHI as it moves to and from your organization. Many cloud platforms support this feature, either natively or through a third party. Earlier this year, HIPAA One collaborated with Microsoft on a whitepaper. That whitepaper outlines step-by-step instructions for turning on DLP in Microsoft Office 365 to help automate, encrypt, and limit the sending of ePHI through pattern matching or exact data matching.
It is important to create a policy and procedure that addresses the prevention of data leakage. Implementing a DLP policy helps you monitor and control information leaving your organization and ensures that data moving in either direction is encrypted and automatically checked before it is sent.
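To make the two DLP techniques named above concrete, here is an added example (not code from this post, HIPAA One, or Microsoft’s DLP) of an outbound-message scanner that combines pattern matching for ePHI-like formats with exact data matching against an organization’s own identifiers. The eight-digit MRN format, the sample identifiers and the salt are constructed assumptions.

```python
import hashlib
import re

# Constructed sample of "known" patient identifiers an organization would load
# from its own records (assumption: MRNs are 8-digit strings in this example).
KNOWN_MRNS = {"10293847", "55512345"}

# Exact data matching: store only salted hashes of the protected values so the
# scanner itself never holds the plaintext identifiers.
EDM_SALT = b"constructed-example-salt"
EDM_HASHES = {hashlib.sha256(EDM_SALT + m.encode()).hexdigest() for m in KNOWN_MRNS}

# Pattern matching: ePHI-like formats the policy treats as sensitive.
# An 8-digit number is only a *candidate* MRN until exact matching confirms it.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn_candidate": re.compile(r"\b\d{8}\b"),
}


def scan_outbound(text: str) -> dict:
    """Return {'block': bool, 'findings': [(kind, value), ...]} for one message."""
    findings = []
    for kind, rx in PATTERNS.items():
        for value in rx.findall(text):
            if kind == "mrn_candidate":
                # Exact data matching: only a hash hit on a real record counts,
                # which keeps ordinary 8-digit numbers from triggering a block.
                digest = hashlib.sha256(EDM_SALT + value.encode()).hexdigest()
                if digest in EDM_HASHES:
                    findings.append(("mrn_exact_match", value))
            else:
                findings.append((kind, value))
    return {"block": bool(findings), "findings": findings}


def redact(text: str) -> str:
    """Mask every finding so a blocked message can be logged without the ePHI."""
    out = text
    for kind, value in scan_outbound(text)["findings"]:
        out = out.replace(value, "[REDACTED-" + kind.upper() + "]")
    return out
```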
Mobile Device Management
Most people today use a mobile device. Some organizations give their employees a device and others have a bring your own device (BYOD) policy. Either way, it is important to have a policy in place that provisions a certificate on each device for encryption, requires a password or biometric login, and supports secure deletion of corporate data upon request or removal of access for a lost or stolen device.
BYOD could be a sticking point for some individuals, so it is important to have a conversation and respect the boundaries and requirements for BYOD. This helps alleviate any concerns the individual may have while ensuring your organization is protected.
Software Development Lifecycle
A secure software development lifecycle (SDLC) is intended to bring security closer to the development team. This doesn’t apply to everyone, just those organizations or business associates that are investing in and working on software development. It is important to ask whether your organization has a policy and procedure establishing an SDLC framework and the methodologies essential to the management, development, delivery, and deployment of secure software applications. This helps ensure that security is included throughout the process and not just bolted on at the end.
Security may slow down the speed at which you go to market with your software application, but in the long term it adds value to your product by making it secure and reliable. Involving security staff and end users early and often makes you less likely to run into issues down the line.
Change management is another area where it is very important to have a current policy and procedure in place, so that as changes to the organization happen there is a periodic review of technical and non-technical security items. This review can take place after any environmental, technical or operational change. Whenever a change happens, a review should be in place to confirm that the necessary adjustments have been made and the proper security measures are in effect.
Today we see gaps between the SRA and ever-evolving cybersecurity. To help organizations bridge those gaps, we have added the above five cybersecurity items to the HIPAA One Security Risk Analysis. This allows all internet-connected organizations to further leverage NIST standards by adding these questions into the “Turbo-Tax”-like approach to HIPAA compliance. With over 7,000 sites relying on HIPAA One, this change will help organizations elevate the standard of security and strengthen their security posture while maintaining HIPAA compliance.
To learn more about these new questions, you can watch our 35-minute webinar where we discuss each question in depth and what they look like within the HIPAA One software.