HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

National Cybersecurity Awareness Month Takeaways

November 1, 2018

At the close of National Cybersecurity Awareness Month, a number of cybersecurity tips were published by OCR (the office within HHS that enforces HIPAA). These are timely and important reminders, relevant to everyone in the regulated community of covered entities and business associates, particularly in light of OCR’s recent settlement agreement with Anthem in connection with its major breach of a couple years ago (see more on my thoughts about the Anthem breach here), as well as OCR’s release of a new and improved security risk assessment tool. Without further ado, here they are:

  • Encryption: Encryption is the conversion of electronic data into an unreadable or coded form that is unreadable without a decryption key. The proper use of encryption can prevent unauthorized users from viewing encrypted data in a usable form and may substantially reduce the risk of compromising ePHI. HIPAA covered entities and business associates are required to assess whether encryption is a reasonable and appropriate safeguard as a means of protecting ePHI at rest (i.e., ePHI that is stored such as on a computer’s hard drive or on electronic media) and ePHI that is electronically transmitted. See 45 CFR §§164.312(a)(2)(iv), 164.312(e)(2)(ii).
  • Social Engineering: Phishing remains one of the most common and effective social engineering tactics for stealing user credentials and other sensitive information. Malicious actors send deceptive emails to users, enticing them to disclose login credentials or click links that may install malware (malicious software). The effectiveness of phishing attacks can be greatly reduced with proper training to keep information system users aware of the threats of phishing attacks and helps users identify suspicious emails. The Security Rule requires covered entities and business associates to implement security awareness and training programs for all workforce members including management. See 45 CFR § 164.308(a)(5)(i).
  • Audit Logs: Network and system activity can be recorded and monitored with logs, which are a record of events and information pertaining to whatever device, system, or software they are monitoring. Audit logs are an important security tool that allows organizations to detect suspicious activities as they are occurring and can be used to reconstruct events that happened in the past. In order to be effective, the information contained in logs should be reviewed on a regular basis. The HIPAA Security Rule requires the implementation of audit controls, i.e., safeguards to record and examine activity on information systems that contain or use ePHI (see 45 CFR § 164.312(b)) and to regularly review records of information system activity, such as audit logs. See 45 CFR § 164.308(a)(1)(ii)(D).
  • Secure Configurations: Proper configuration of network devices and software will reduce the attack surface for bad actors and greatly improve an organization’s cybersecurity defenses. The aforementioned tools – encryption, anti-malware, and audit logs – require appropriate settings in order to function as intended. If encryption safeguards are not implemented correctly and do not use the latest versions, the encryption solution may be compromised or bypassed. Anti-malware software settings determine what files or devices are scanned and how often. Maintenance and updating of malware definitions will ensure that the software is providing maximum protection. Proper log configuration is also essential to effective network defense. If logs do not collect and retain the correct data, suspicious activity may go unnoticed. Furthermore, logs should be protected against unauthorized manipulation or deletion, which is a common tactic malicious actors use to cover their tracks. These are just a few examples of network components that require proper configuration to provide effective cybersecurity defense. The configuration of firewalls, workstations, routers, servers, and other components all play an important role in minimizing the chance of security incidents. See 45 CFR §§ 164.306(e), 164.308(a)(8), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.312(c), and 164.312(e)(2)(ii).

Also worth noting is a collection of thoughts about cybersecurity courtesy of HITECH Answers. I was one of several folks asked for advice. Here’s my two cents:

You shouldn’t wait until you experience a breach to start thinking about cybersecurity. If or when you do, however, I recommend that you take the opportunity to do a serious root cause analysis and to communicate with everyone in your organization – from the c-suite to front-line staff – openly and productively about the results of that analysis and plans for implementing administrative, physical and technical fixes to the layers of security protection in your data infrastructure and operations. We often hear about organizations that try to sweep security incidents under the rug (the most recent example that comes to mind rhymes with Google), and the reputational costs are often greater than those that might be associated with “coming clean” in the first place. Remember: cybersecurity is a process, not a one-time deliverable, and unless and until this is accepted at all levels of every affected organization, and is funded and otherwise supported appropriately, preventable breaches will continue to occur.

Let’s be careful out there.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Health care policy, Health Law, HIPAA, OCR, Privacy, Security

you might also like:

  1. Cybersecurity and Healthcare Panel Discussion with Government and Industry Experts

  2. HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

  3. Federal Health Care Cybersecurity Task Force Issues Recommendations for Industry

« Dave Ryan, Intel GM for IoT in Healthcare and the Future of Remote Care – Harlow On Healthcare
Joyce Lee, Doctor As Designer talks design thinking — Harlow On Healthcare »

Trackbacks

  1. National Cybersecurity Awareness Month Takeaways - Health Data Answers says:
    November 15, 2018 at 7:08 am

    […] article was originally published on HealthBlawg and is republished here with […]

Follow me on Twitter

David Harlow 💉😷 Follow 43,200 17,542

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
3h 1638640040317440001

The Harlow #Healthcare #Innovation Daily #digitalhealth #hcldr #HarlowOnHC Thanks to @DigitalSalutem #digitalhealth #healthtech

Image for twitter card

Eight steps to a successful AI implementation

information-age.com OpenText outline in Information Age the eight key implementation steps to help AI and machine lear...

paper.li

Reply on Twitter 1638640040317440001 Retweet on Twitter 1638640040317440001 0 Like on Twitter 1638640040317440001 0 Twitter 1638640040317440001
Retweet on Twitter David Harlow 💉😷 Retweeted
HCNowRadio avatar; HealthcareNOWradio @HCNowRadio ·
11h 1638517571107401733

NEXT at 8:30 am ET @healthblawg speaks with Steven Lane, PCP, informaticist and CMO @HealthGorilla, who has much to say about #healthdata, data on #SDoH, the power of data to improve healthcare and more. #HarlowOnHC #QHINs https://healthcarenowradio.airtime.pro/

Image for the Tweet beginning: NEXT at 8:30 am ET Twitter feed image.
Reply on Twitter 1638517571107401733 Retweet on Twitter 1638517571107401733 3 Like on Twitter 1638517571107401733 1 Twitter 1638517571107401733
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
6h 1638583863076167706

ICYMI> Lissy Hu, President of Connected Networks at WellSky — Harlow on Healthcare https://healthblawg.com/2023/01/lissy-hu-wellsky.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #hitsm

Image for the Tweet beginning: ICYMI>  Lissy Hu, President Twitter feed image.
Reply on Twitter 1638583863076167706 Retweet on Twitter 1638583863076167706 0 Like on Twitter 1638583863076167706 0 Twitter 1638583863076167706
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]