
Cybersecurity Tips to Avoid Tricks to ePHI

Trick-or-treating is a popular Halloween tradition in the United States and other countries. Most of us associate "treats" with some form of candy, and "tricks" with possible pranks or other forms of mischief if the homeowner does not hand out a treat. Halloween is also about dressing up as ghosts, ghouls, and other spooky creatures.

Generally, trick-or-treating occurs every year on or about the evening of October 31; however, it is common to see trick-or-treating, trunk-or-treating or other Halloween celebrations occur on different days throughout the month. It is even common for many healthcare organizations to incorporate some Halloween fun while at work.

Did you know that, in the United States, October is also National Cybersecurity Awareness Month? Every October, the federal government and its industry partners observe National Cybersecurity Awareness Month. According to the Office for Civil Rights (OCR), because ePHI identifies individuals and includes information about an individual's health, treatment, or payment for treatment, it presents a tempting target for bad actors, especially identity thieves. On the black market, ePHI is often more valuable than other types of personal data because it can be used to steal identities and commit healthcare fraud.

To prevent Spooky Mischief from Haunting your ePHI - follow these Back to Basics Tips:

  • Have a Strong Password - make sure you use a strong password (i.e. usually 10 characters or more, including uppercase and lowercase letters, numbers, and special characters like #$&*). Recent research suggests users could also consider using "passphrases," which are sentences that may be easier to remember than a very complex password.
  • Training - staff should be trained regularly on important cybersecurity issues, such as how to spot phishing e-mails and when, and to whom, to report possible cyber incidents in your business.
  • Multi-factor Authentication - a username and password may not be adequate to protect sensitive information, privileged accounts, or information accessed remotely. As part of its risk analysis, an entity should determine what authentication schemes to use to protect its systems and sensitive information (e.g. ePHI). Multi-factor authentication typically combines a password with an additional security measure, such as a thumbprint or key card.
  • Updates and Patching - you should update and patch your systems and applications regularly, because updates and patches often fix critical security vulnerabilities.
  • Lock Devices - limit physical access to devices and lock devices when not in use.
  • Portable Devices - be cautious plugging a phone, USB drive, or other portable device into a secure computer or network. Portable storage devices may not be as secure and may contain malicious software that could compromise your secure network. If the device is needed, be sure to follow your organization's policies on the use of such devices, which could include prohibitions on the use of personal devices or having IT personnel review such devices to ensure they do not contain malicious software.
  • Do Not Wait - do not wait to report possible cybersecurity threats to the right people in your organization. Time is often critical during a cyber-incident, so if you suspect a cyber-threat, report it right away.

Remember: While October is National Cybersecurity Awareness Month, we all need to be watchful and proactive to avoid tricks to our ePHI every day of the year - because cybersecurity threats are downright spooky.

If you have any questions about these Basic Cybersecurity Tips, or would like additional support preventing "tricks" (e.g., mischief, threats, etc.) to your systems, contact us today by email: or by phone: 855-427-0427.
