Basic|ILY

Back to basics HIPAA Compliance and Cyber Security Awareness

Cyber Security Awareness and HIPAA Compliance

Welcome to my humble little byte of the internet where you will find my latest musings and knowledge sharing on Cyber Security and HIPAA Compliance concerns.
Outback · November 14, 2016

What You Need to Know: Passwords ..and why it matters for HIPAA Compliance

Do you know where your passwords are?

The HIPAA Security Rule, 45 CFR § 164.308(a)(5)(i), states that a covered entity or business associate must, in accordance with § 164.306:
    Implement a security awareness and training program for all members of its workforce (including management).
Among that standard's implementation specifications is (ii)(D) Password management: "Procedures for creating, changing, and safeguarding passwords." It is an addressable specification, which does not mean optional: the entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.


What is Password Management?
Password management covers creating or generating passwords that are not easily guessed or cracked, changing them when there is reason to (current NIST guidance, SP 800-63B, favours changing a password on evidence of compromise over forced periodic rotation, which tends to produce predictable variations of the old one), and deliberately safeguarding them from theft. Good password management also means never reusing a password across websites, enabling multi-factor authentication wherever it is offered, and never posting or sharing passwords.

Why are complex passwords important?
Besides satisfying a HIPAA Security Rule implementation specification, using complex passwords is basic cyber hygiene. A complex password reduces the risk of an account compromise that could lead to a data breach: the longer and more random the password, the more guesses an attacker needs to crack it, online or offline. A complex password alone is not enough, though, because it does nothing against phishing or against a password reused on a site that is later breached. According to FBI statistics, strong authentication could have prevented 62% of data breaches in 2015.

What is ‘strong authentication’?
Strong authentication requires more than one factor to log in, for example a complex password (something you know) plus a one-time code from an authenticator or a fingerprint (something you have or something you are). Many websites and services offer it. The extra step means that a stolen or guessed password alone no longer gives an attacker access to the account.

What IS a complex password?
– Generally considered to be more than 15 characters long
– A random combination of letters, numbers and special characters
– A nonsensical phrase (passphrase) of several randomly chosen words, combined with other characters

What is NOT a complex password?
– Names of important people, places, pets, etc.
– Important dates
– Anything you might write about on social media

What other password management procedures should you implement?
– Create or generate unique complex passwords for each website
– Use a password manager to generate and store complex passwords
– Enable multiple factors of authentication whenever available
– DON’T post or share your passwords
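To make the "what IS / what is NOT a complex password" lists above concrete, here is an added example (my code, not part of the original post) that generates passwords the way a password manager does, estimates their strength from how they were generated rather than from how they look, and screens a password against the red flags listed above. The word list and the set of personal terms are constructed stand-ins so the script runs offline; a real passphrase generator uses a list of thousands of words, and that list size is exactly what the entropy estimate depends on.

```python
import math
import re
import secrets
import string

# Constructed word list for the passphrase generator. A real list such as the
# EFF long word list has 7776 entries; this 16-word stand-in only exists so the
# example runs offline, and its size is what caps the entropy estimate below.
WORDLIST = [
    "anchor", "basalt", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "isotope", "juniper", "kelp", "lantern", "meadow", "nimbus", "orchid", "pylon",
]

# Constructed stand-ins for the post's "NOT complex" categories: names of people,
# places and pets, plus things someone might write about on social media. In
# practice this set would come from the user's own profile data plus a large
# dictionary of common passwords.
PERSONAL_TERMS = {"jennifer", "fluffy", "denver", "broncos", "outback"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 16) -> str:
    """Random combination of letters, numbers and special characters, drawn
    with the OS CSPRNG (secrets), never with random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(words: int = 5, sep: str = "-") -> str:
    """Nonsensical phrase built from words chosen uniformly at random."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def generated_entropy_bits(pool_size: int, picks: int) -> float:
    """Strength of a *generated* secret: `picks` independent uniform choices from
    `pool_size` symbols give log2(pool_size ** picks) bits, regardless of how the
    result looks. A human-chosen password has no comparable guarantee."""
    return picks * math.log2(pool_size)


def weaknesses(password: str) -> list[str]:
    """Return the red flags from the post that `password` trips. An empty list
    means none of the listed patterns were found, not that the password is strong."""
    problems: list[str] = []
    lowered = password.lower()
    if len(password) <= 15:
        problems.append("length <= 15 characters")
    # Important dates: a stand-alone 4-digit year, or an 8-digit run such as 19841225.
    if re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", password) or re.search(r"\d{8}", password):
        problems.append("contains a date")
    if any(term in lowered for term in PERSONAL_TERMS):
        problems.append("contains a name, place, pet or social-media term")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    words = re.findall(r"[A-Za-z]{3,}", password)
    # A multi-word passphrase gets its strength from word count, not symbol mix,
    # so the character-class rule is only applied to non-passphrases.
    if sum(classes) < 3 and len(words) < 4:
        problems.append("fewer than three character classes and not a multi-word passphrase")
    return problems


if __name__ == "__main__":
    pw = random_password(16)
    pp = random_passphrase(5)
    print(pw, f"~{generated_entropy_bits(len(ALPHABET), 16):.0f} bits", weaknesses(pw))
    print(pp, f"~{generated_entropy_bits(len(WORDLIST), 5):.0f} bits (16-word list)", weaknesses(pp))
    print(f"the same 5 words from a 7776-word list: ~{generated_entropy_bits(7776, 5):.0f} bits")
    for bad in ("Fluffy1984!", "Jennifer19841225"):
        print(bad, weaknesses(bad))
```

Two things worth noticing when you run it: a five-word passphrase looks long and passes every screen, yet drawn from this 16-word list it is only about 20 bits of entropy, against roughly 65 bits from a 7776-word list and about 105 bits for a random 16-character password; the strength is in the generation process, not the appearance. And the `weaknesses` screen is a filter for obviously bad choices, not a verdict: a truly random password can occasionally trip the date heuristic by chance, and a human-chosen password can pass every rule and still be guessable.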

Filed Under: Cyber Hygiene, HIPAA Tagged With: MFA, multi-factor authentication, passwords, strong authentication

Basic|ILY · October 19, 2016

What You Need to Know: Ransomware ..and why it matters for HIPAA Compliance

Ransomware threatens the basic tenets of the HIPAA Security Rule: the confidentiality, integrity, and availability of ePHI.

The HIPAA Security Rule, 45 CFR § 164.306(a), states that covered entities (and, since the 2013 Omnibus Rule, business associates) must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.


What is ransomware?
Ransomware is malicious software that locks (encrypts) files on your computer and on any shared network drives it can reach, then demands a ransom payment in exchange for the key to recover them. In many cases the key is never sent, or an invalid key is provided, and the files are never recovered. Some variants also steal (exfiltrate) data before encrypting it, which matters for the breach analysis below.

HHS issues guidance on ransomware and HIPAA.
Several sources estimate that ransomware attacks have increased about 300% since 2015, from roughly 1,000 attacks per day in 2015 to about 4,000 per day during the first half of 2016. In response to this climb, the U.S. Department of Health and Human Services (HHS) issued guidance for covered entities and business associates on ransomware.

Maintaining HIPAA compliance ..would you have to report the ransomware incident to HHS?
Under the HHS guidance, a ransomware infection is a security incident under the Security Rule, and when ransomware encrypts unsecured ePHI (electronic protected health information), a breach is presumed: the encryption is treated as an unauthorized acquisition of the data. Unless a documented risk assessment shows a low probability that the PHI has been compromised, the HIPAA Breach Notification Rule requires you to notify the affected individuals, the Secretary of HHS, and, for a breach affecting more than 500 residents of a state or jurisdiction, prominent media outlets.

If you become a victim of a ransomware attack
– Initiate your security incident response and Breach Notification procedures
– Do not pay the ransom (the FBI advises against it; payment funds further attacks and does not guarantee a working key)
– Report the incident to your local FBI field office
– Report the incident to affected individuals, agencies, and the media, as appropriate

Reduce your risk of becoming a victim
– Provide security awareness and training for staff on how to identify and report suspicious activity
– Implement encryption of all ePHI, at rest and in transit. Encryption protects confidentiality and bears on whether an incident is a reportable breach, but it does not stop ransomware from encrypting or deleting the files again, so it is not a substitute for backups
– Perform regular full, encrypted backups, keep at least one copy offline or otherwise unreachable from the production network (ransomware that can reach a backup share will encrypt it too), and periodically test that you can actually restore data from them
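The last point, proving that a backup can actually be restored, is the one most often skipped, so here is an added example (my code, not part of the original post or of any HHS guidance) of the minimum check worth automating: record a SHA-256 manifest of the protected files at backup time, then compare a restored copy against it. The same comparison, run against the live tree, also shows what an encrypt-in-place attack looks like to such a check. All file contents here are constructed sample data in a temporary directory; encrypting the backup archive itself is outside this block.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under `root` (path relative to root, '/'-separated) to its digest.
    Record this at backup time and keep it with the backup, off the hosts it describes,
    so that malware on those hosts cannot rewrite the manifest to match its damage."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(tree: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a directory tree against the manifest taken at backup time.
    'missing' and 'altered' entries mean the tree cannot stand in for the backup;
    'unexpected' entries are files that did not exist when the manifest was made."""
    current = build_manifest(tree)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: take a manifest of a small ePHI tree, restore it and
    verify the copy, then mutate the live tree the way encrypt-in-place ransomware
    does (overwrite, rename, drop a note) and run the same check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "ephi")
        (live / "notes").mkdir(parents=True)
        (live / "patients.csv").write_text("id,name\n1,constructed sample\n")  # constructed data
        (live / "notes" / "visit1.txt").write_text("constructed visit note\n")  # constructed data
        manifest_json = json.dumps(build_manifest(live), indent=2)  # store this with the backup

        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)  # stands in for a real restore from backup
        clean = verify_restore(restored, json.loads(manifest_json))

        (live / "patients.csv").write_bytes(bytes(range(256)))  # ciphertext-like overwrite
        (live / "notes" / "visit1.txt").rename(live / "notes" / "visit1.txt.locked")
        (live / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        infected = verify_restore(live, json.loads(manifest_json))

    return {"restore_check": clean, "live_after_attack": infected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A passing `restore_check` (three empty lists) is the evidence the post asks for; schedule it against a real restore, not just against the backup media. The `live_after_attack` result shows why the manifest must live somewhere the production network cannot write to: an attacker who can encrypt the files can just as easily delete or regenerate a manifest stored beside them.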

Filed Under: HIPAA

Basic|ILY · August 12, 2016

Hello world!

I want to say hello to the world for the first time from my very first blog. Yes, I left the default title (for you computer people, you know who you are). Why? Because it is apropos. Please don't judge. I am a cyber security professional, not a web developer! And no, it is not the same thing! In time this site will develop into something more refined, and aesthetically cyber, but if I don't do it now, well… I have been "Coming Soon" for over a year, and it is about time I arrived. Eventually, I will delegate the website administration to a professional web developer, but for now I want to learn a little bit about the process and the design.

My goal is for this site to be a resource for Cyber Security and HIPAA Compliance matters, with an emphasis on privacy and security awareness and education. This will never be an overly technical website; however, if you like what you read here, I will do my best in each and every post to include relevant links for more technical reading. Likewise, I will develop a blogroll that will include many of my favorite web resources for the best cyber technical stuff on the planet!

My vision is that someday this website will transition to a full-fledged cyber security business website. For now, I may also post other initiatives that I am pursuing, but I will always keep it to the “basics.”

One thing I have learned: blog posts are supposed to be a few paragraphs so readers don't lose interest. So, I will now thank you for stopping by, and I hope you find useful information that helps you secure your business. Thank you for growing this blog with me.

Jennifer

Filed Under: Uncategorized
