Increase your IT IQ
Trusted Technology. Strong Security. Better Business.
Introductions
Resources
• Slides with notes, a list of terminology and other tips can be found online at https://www.integrityky.com/bgmgma/
• IT is packed full of acronyms and technical jargon that can intimidate business end users. You can sign up for “terms of the day” at https://techterms.com/ if interested in more.
• Information on Healthcare IT: https://healthitsecurity.com/ (subscribe to newsletter)
• Verizon 2019 Data Breach Investigations Report – executive summary: https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
• National Cybersecurity Awareness Month (NCSAM) - October - Toolkit: https://niccs.us-cert.gov/sites/default/files/documents/pdf/dhs_ncsam2019_toolkit_508c.pdf?trackDocs=dhs_ncsam2019_toolkit_508c.pdf
What does IT contribute to your organization? How does it fit into the business plan? Think of IMPACT rather than tasks or processes.
• keeping systems and networks up;
• ensuring security and privacy for intellectual property, mission-critical applications, and sensitive data;
• protecting the company from security breaches, malicious viruses, and malware;
• ensuring that employees are using systems properly;
• tracking and monitoring system assets;
• developing and maintaining applications;
• managing relations with technology vendors.
Panel / Open Discussion
COMMENTS? QUESTIONS?
My patient data is in the cloud. I’ve been in practice 20+ years and never had a problem, so it isn’t likely to happen to me. So why spend the money?
Should I have breach insurance?
HealthCare Breaches Map
E-mail
• Two-factor authentication is the best defense
• Alert on auto-forward rules
• Beware of urgent email asking for your credentials – don’t give them!
• Be wary of unusual email from people you know – their account could have been compromised
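The “alert on auto-forward rules” bullet is the one item above that maps directly to a detection. The following is an added example, not code from the slides or from Integrity IT: it reads constructed mailbox-audit records (the JSON field names are assumptions, not any product’s real schema), keeps only rule-creation and rule-change events, and raises an alert when a rule forwards mail to an address outside the practice’s own domains. The internal domain list and the sample events are constructed for illustration.

```python
# Added example: flag inbox rules that auto-forward mail outside the organization.
# The event format and field names below are constructed, not a vendor schema.
import json

# Constructed: the practice's own e-mail domain(s).
INTERNAL_DOMAINS = {"example-clinic.test"}

# Rule-related actions worth inspecting (cmdlet-style names are used for realism).
RULE_ACTIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample audit events: a benign rule, an external forward, an internal copy,
# and one malformed line to show the parser does not crash on bad input.
SAMPLE_EVENTS = [
    json.dumps({"user": "dr.smith@example-clinic.test", "action": "New-InboxRule",
                "rule_name": "Move newsletters", "forward_to": None}),
    json.dumps({"user": "billing@example-clinic.test", "action": "New-InboxRule",
                "rule_name": ".", "forward_to": "acct-recovery@mailbox.test"}),
    json.dumps({"user": "frontdesk@example-clinic.test", "action": "Set-InboxRule",
                "rule_name": "Copy to manager", "forward_to": "manager@example-clinic.test"}),
    "this line is not json",
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains


def find_external_forwards(lines, internal_domains=INTERNAL_DOMAINS):
    """Return one alert dict per rule event that forwards to an external address."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records; a bad line must not stop the review
        if event.get("action") not in RULE_ACTIONS:
            continue
        target = event.get("forward_to")
        if not target or not is_external(target, internal_domains):
            continue
        alerts.append({"user": event.get("user", "?"),
                       "rule_name": event.get("rule_name", ""),
                       "forward_to": target})
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwards(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} created rule {alert['rule_name']!r} "
              f"forwarding to external address {alert['forward_to']}")
```

In practice the input would be the mailbox audit log your mail provider exports; the check itself stays the same: any new or changed rule whose forwarding target is outside your domains deserves a call to the mailbox owner.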
Passwords
• Length is the single most important factor
• Take the test: https://www.my1login.com/resources/password-strength-test/
• No frequent expiration
• Use a password manager like LastPass or 1Password
• Never reuse work passwords for any other sites
• https://pages.nist.gov/800-63-FAQ/#q-b5
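The password bullets above line up with NIST SP 800-63B, which the slide links to: a minimum of 8 characters for user-chosen secrets, verifiers accepting at least 64, a check against known-breached passwords, and no composition rules or scheduled expiration. The following is an added example, not code from the slides or from NIST: a small acceptance check in that spirit, plus a search-space calculation that shows why length beats character-class complexity. The breached-password list is a constructed stand-in for a real corpus.

```python
# Added example: NIST 800-63B-style password acceptance check (length + blocklist,
# no composition rules, no expiry) and a length-vs-complexity comparison.
import math
import unicodedata

MIN_LENGTH = 8    # NIST 800-63B minimum for memorized secrets chosen by the user
MAX_LENGTH = 64   # NIST 800-63B: verifiers should accept at least 64 characters

# Constructed stand-in for a breached/common-password corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def normalize(password):
    """NFKC-normalize so visually identical Unicode input compares consistently."""
    return unicodedata.normalize("NFKC", password)


def check_password(password, username="", blocklist=BREACHED):
    """Return (accepted, reason). Deliberately no uppercase/digit/symbol rules."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if pw.lower() in blocklist:
        return False, "appears in breached-password list"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    return True, "ok"


def guess_space_bits(length, alphabet_size):
    """Bits of search space for a randomly chosen secret: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def length_beats_complexity():
    """A 16-character lowercase-only secret vs an 8-character secret drawn from
    all 95 printable ASCII characters: the longer one has the larger search space."""
    long_simple = guess_space_bits(16, 26)   # ~75.2 bits
    short_complex = guess_space_bits(8, 95)  # ~52.6 bits
    return long_simple > short_complex


if __name__ == "__main__":
    for candidate in ["password", "short", "correct horse battery staple"]:
        print(candidate, check_password(candidate))
    print("16 lowercase chars beat 8 fully complex chars:", length_beats_complexity())
```

The search-space figure assumes randomly chosen characters; a dictionary phrase is weaker than the raw number suggests, which is why the blocklist check matters as much as the length check.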
3rd Parties
• EMR provider support/host
• Line of business application providers
• Managed IT service providers
• Printer/copier support vendor
• Cleaning company
• What is in your contract about data security?
• What is in your contract about downtime?
• How are your vendors training their staff on HIPAA Security?
• Pre-employment screening
• Separation of duties
• Minimum access to data needed to perform the job
• Cybersecurity training for staff on hire and annually thereafter
Managed Security Services
• Daily log review
• Threat hunting
• Breach detection
• Insider threat mitigation
• Incident response by a trained team
• Alerting 24/7/365
• Manage O365 security
• Web-based cybersecurity training portal
• Annual HIPAA Security Risk Assessment
• Phish testing
• Quarterly vulnerability scanning
Resources
• Global Cyber Alliance Toolkit
• Center for Internet Security
• HHS Cyber Security Guidance
• Integrity IT
Simple things you can do to improve your security
• Ensure ALL staff understand they have a role in ensuring the security of your business – write it into their job descriptions
• Continuously educate staff on how to identify potential security threats of all types (not just electronic)
• Do not allow personal devices (employee phones/tablets) to connect to your business network
• Have a separate BYOD wireless network
• Don’t have a single password for your business Wi-Fi
• Password-protect all wireless networks
• Do not allow your staff (or physicians) to use personal email for business purposes
• Do not allow staff to access personal email on a business computer
• They can do it on personal devices on the BYOD wireless network
• Ensure the security of devices taken off the network
• Encryption
• Firewall
• Internet content filtering
• Work computers are not toys for your children to play games on
• Only allow systems on your network that are:
• Running current operating systems that are actively supported and updated by their manufacturer
• Managed by your IT staff or provider
• Don’t allow computers to connect to your business network that do not have the necessary security controls in place
• Vendors (HVAC, physical security, surveillance, etc.)
• Put them on isolated networks
• Ask for evidence of their due diligence
• Require a BAA
• Ensure that the companies you do business with, and that have access to ePHI, are meeting the same security standards you are required to meet
• Ensure that all access is removed when an employee leaves
• Ensure the secure and documented disposal of devices with ePHI (hard drives, printers, etc.)
• Ensure the secure storage of paper documents with PHI
• Assess your risk on an ongoing basis (it’s a HIPAA requirement)
• Let the security professionals do it
• Systematically address the risks identified
• Show intentionality and progress
Last line of defense - Backups
• Ensure that you have multiple backups of your data
• Ensure you have backups both onsite and offsite
• Local backups in a separate location within your building
• Test your data and system recovery procedures periodically
• Make sure your IT provider understands your recovery expectations
• Recovery Time Objective – how long you have until a compromised business process must be restored before there are unacceptable consequences
Backup vs Disaster Recovery
Backup
• Copying data and archiving it
• What data is being copied?
• Where is it being archived?
• How long does it take to retrieve?
Disaster Recovery
• More than data backup – your overall plan
Layered Security
What is the difference between updating and patching?
Updating
• Adding new features to an application
• Software version changes
• Includes patching
Patching
• Fixing bugs, flaws and holes that are known
• Improves software stability and security
• Auto-patching can fail
• Verify patching
All devices have a lifespan
When should you replace a device?
• When it is unable to accept updates and patches
• Old devices compromise security
ROADMAPS
• Do you have an inventory of your technology assets?
• Do you know the lifespan of those assets?
• Do you know what to budget for maintenance, improvements, growth?
Asset Inventory
A list of every item on your network:
• Date of purchase
• Age
• End of life
• End of support
• When it should be replaced
• Expected cost to replace
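The inventory fields listed above become useful once something reviews them on a schedule. The following is an added example, not code from the slides or from Integrity IT: it takes a constructed inventory with the fields the slide names, computes each asset’s age, flags anything already past end of support (the “unable to accept updates and patches” case from the lifespan slide), flags anything whose end of support or planned replacement falls inside a budgeting window, and totals the replacement cost so the roadmap questions have numbers behind them. The inventory rows, the window length and the reference date are all constructed.

```python
# Added example: review a constructed asset inventory for unsupported and
# soon-to-be-replaced items and total the replacement budget.
from datetime import date, timedelta

# Constructed inventory rows using the fields named on the slide.
INVENTORY = [
    {"name": "front-desk-pc-01", "purchased": date(2014, 3, 1),
     "end_of_support": date(2020, 1, 14), "replace_by": date(2019, 12, 1), "replace_cost": 900},
    {"name": "exam-room-pc-03", "purchased": date(2018, 6, 15),
     "end_of_support": date(2025, 10, 14), "replace_by": date(2023, 6, 15), "replace_cost": 1100},
    {"name": "office-printer-02", "purchased": date(2012, 8, 20),
     "end_of_support": date(2018, 8, 20), "replace_by": date(2018, 8, 20), "replace_cost": 450},
    {"name": "server-01", "purchased": date(2016, 1, 10),
     "end_of_support": date(2022, 1, 11), "replace_by": date(2021, 1, 10), "replace_cost": 6000},
]


def age_in_years(purchased, today):
    """Whole years since purchase."""
    return int((today - purchased).days / 365.25)


def review_inventory(assets, today, window_days=180):
    """Classify each asset and total the replacement cost inside the window.

    unsupported: end of support has already passed (no more patches: replace now)
    due_soon:    end of support or planned replacement falls within window_days
    ok:          nothing due inside the window
    """
    window_end = today + timedelta(days=window_days)
    report = {"unsupported": [], "due_soon": [], "ok": [], "budget": 0}
    for asset in assets:
        if asset["end_of_support"] <= today:
            report["unsupported"].append(asset["name"])
            report["budget"] += asset["replace_cost"]
        elif asset["replace_by"] <= window_end or asset["end_of_support"] <= window_end:
            report["due_soon"].append(asset["name"])
            report["budget"] += asset["replace_cost"]
        else:
            report["ok"].append(asset["name"])
    return report


if __name__ == "__main__":
    # Constructed reference date for the review.
    today = date(2019, 10, 1)
    for asset in INVENTORY:
        print(f"{asset['name']}: {age_in_years(asset['purchased'], today)} years old")
    report = review_inventory(INVENTORY, today)
    print("Replace now:", report["unsupported"])
    print("Due within 180 days:", report["due_soon"])
    print("Budget needed:", report["budget"])
```

Run this against the real inventory every quarter alongside the vulnerability scan the managed-services slide mentions; the “unsupported” list is also the list of machines that should not be on the business network per the “only allow systems that are actively supported” rule.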
Protecting your phone
• Keep the operating system up to date
• Set a lock screen with a passcode
• Avoid unprotected USB charging in public places
Protecting your texts
• Does your EHR have HIPAA-compliant messaging? Use it
• Do your providers use business phones or their own phones?
• https://www.hipaajournal.com/hipaa-regulations-for-sms/
• List of HIPAA-compliant secure messaging apps: https://www.g2.com/categories/hipaa-compliant-messaging
• A free app: https://www.pmd.com/secure-messaging
Preventing annoying spam calls
• AT&T Spam Blocker: https://www.att.com/features/security-apps.html
• Verizon Spam Blocker: https://www.verizonwireless.com/solutions-and-services/call-filter/
• Nomorobo – stop robocalls: http://nomorobo.com/
• National Do Not Call Registry – you can register your home or mobile phones. To register, call 1.888.382.1222 (TTY: 1.866.290.4236) or visit www.donotcall.gov
Managing an IT team when you are non-technical
• Hire strong people
• Know your big-picture goals
• Ask questions:
• What could go wrong?
• What milestones do you need to hit to make the delivery date?
• How do others handle this risk?
• Why does X make more sense than Y?
• Pay attention to what you see and understand
• Be honest about your limitations