A cybersecurity nightmare
“IT just informed us that our main software platform has been hacked.” A statement no CISO wants to hear. Do you have a plan for what to do next? Are you prepared to handle this? How will you recover servers and client data? As an organization, are you legally required to report this breach? These are just a few of the questions you may be asking yourself when you realize your organization has been breached.
Our world is saturated with technology and the Internet of Things. Software programs are now among the most important operational assets for companies, big and small, across all industries. The networks and servers that run these programs need to be properly secured against hackers and cybercriminals. If you are on the internet and sell any product or service, getting hacked is more likely today than it was a week or even a month ago. Hackers typically trick unsuspecting people into clicking links that inadvertently launch ransomware. That ransomware then begins encrypting the data and databases the user has access to. Sometimes the hacker finds the names of executives on the company website and gets lucky using an old email address and password to access the victim’s account.
The unfortunate truth is that these and many other companies give in to the pressure and end up paying hackers millions of dollars to:
- Decrypt their applications and data in order to regain access to their systems
- Not release the personally identifiable information
This problem isn’t going away
There is a rapidly growing market for cybercriminal enterprises. Both public and private organizations are paying up, and the frequency and cost of breaches are continually increasing. No one is immune. With that in mind, it is important to create a plan that outlines how your organization will react in specific situations.
Here at HIPAA One we have implemented a security incident response plan (SIRP) to respond to an email hack. For example, if one of our employees happens to click on a bad email link and is tricked by a fake "change-password" screen, and the hacker then gains access to their contact list and emails a few of our clients, we have a plan in place to respond.
According to our SIRP, we would immediately shut down the compromised account. Then we would individually contact each person that received the fake email with instructions to delete those messages. We would also wipe and reload the computer with a brand-new account.
With a specific plan in place, we are more likely to respond to and successfully limit the damage something like the above scenario would cause. Additionally, tools such as multi-factor authentication could also be used to further support and secure our other systems.
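As an added illustration of the first two SIRP steps above (account shut down, then each recipient contacted), and not HIPAA One's own tooling, the Python below works from a constructed message-trace export to build the list of people who must be told to delete the lure; the account name, domain, log format and compromise time are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class TraceRecord:
    sent_at: datetime
    sender: str
    recipient: str
    subject: str

def parse_trace(lines):
    """Parse 'timestamp,sender,recipient,subject' rows (constructed format,
    a stand-in for the mail platform's message-trace export)."""
    records = []
    for line in lines:
        ts, sender, recipient, subject = line.split(",", 3)
        records.append(TraceRecord(datetime.fromisoformat(ts), sender.strip().lower(),
                                   recipient.strip().lower(), subject))
    return records

def recipients_to_notify(records, account, compromise_time, own_domain):
    """Split everyone the compromised account mailed after takeover into
    external recipients (each needs a personal 'delete that message' contact)
    and internal ones (whose copies the mail admin can also purge).
    Mail sent before compromise_time is the user's legitimate traffic and is skipped."""
    external, internal = {}, {}
    for r in sorted(records, key=lambda rec: rec.sent_at):
        if r.sender != account or r.sent_at < compromise_time:
            continue
        bucket = internal if r.recipient.endswith("@" + own_domain) else external
        bucket.setdefault(r.recipient, []).append(r.subject)
    return external, internal

# Constructed sample trace: one legitimate message, then the attacker's lure
# blast from the hijacked account, then unrelated traffic from a colleague.
SAMPLE_TRACE = [
    "2024-03-04T08:15:00+00:00,jdoe@ourco.example,client-a@example.org,Q1 status report",
    "2024-03-04T13:42:10+00:00,jdoe@ourco.example,client-a@example.org,Action required: password expiring",
    "2024-03-04T13:42:11+00:00,jdoe@ourco.example,client-b@example.net,Action required: password expiring",
    "2024-03-04T13:42:12+00:00,jdoe@ourco.example,finance@ourco.example,Action required: password expiring",
    "2024-03-04T13:42:13+00:00,jdoe@ourco.example,client-a@example.org,Action required: password expiring",
    "2024-03-04T13:50:00+00:00,asmith@ourco.example,client-c@example.org,Lunch",
]
COMPROMISE_TIME = datetime(2024, 3, 4, 13, 40, tzinfo=timezone.utc)  # assumed from login alerts

def triage_sample():
    return recipients_to_notify(parse_trace(SAMPLE_TRACE), "jdoe@ourco.example",
                                COMPROMISE_TIME, "ourco.example")

if __name__ == "__main__":
    ext, internal = triage_sample()
    for addr, subjects in ext.items():
        print(f"contact {addr}: {len(subjects)} message(s), e.g. '{subjects[0]}'")
    for addr in internal:
        print(f"purge lure from internal mailbox {addr}")
```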
We all believe it will never happen to us. Appropriate cybersecurity measures are often avoided until a breach occurs and shakes the foundation of the organization. Waiting for a disaster to occur before making the necessary changes is common and very dangerous. Don’t let a breach be the catalyst for implementing cybersecurity measures; if it hasn’t already happened, your time will come too. Criminals are spending a lot of time and money to obtain unauthorized access to systems. If we do not invest time and resources to combat their efforts, we will eventually lose.
What can be done now?
It can be difficult to know where to start when it comes to implementing cybersecurity measures. We recommend HIPAA Security and Privacy as a foundation of security controls covering confidentiality, integrity and availability. The HIPAA One Security and Privacy software gives users an actionable list of items to implement now, and provides an intuitive, step-by-step approach to addressing security risks.
Some of the recommended cybersecurity tasks in the NIST framework include performing an annual Security Risk Assessment, conducting routine security training, and performing annual external server and network vulnerability scans. HIPAA One has created an ongoing cybersecurity checklist based on NIST standards that includes annual, monthly, and daily (as needed) tasks considered best practice for adequate cybersecurity. We have provided a sample of the list here.
If you would like access to our free download of the HIPAA security checklist inspired by HIPAA and NIST standards, follow this link.
The process to reduce risk doesn’t happen overnight. There are always risks that should be addressed today as a starting point. Everyone needs a good foundation of practical, simple and effective measures to protect the organization from ransomware and data-extortion. To discuss your concerns and needs for your HIPAA or cybersecurity strategy, fill out the form below to speak with us today.