Cyber Security Toolkit

Tips for better security

Tips for building a better password

A strong password is a good defense when it comes to data privacy and security. In view of the increased number of security breaches, it is important to build strong passwords and update them frequently. Although it is easier to use the same password for all of your online accounts, it leaves you vulnerable. A hacker could easily gain control of your financial information and social media accounts. Here are some tips to building a better password:

The longer a password is, the stronger it is.

  • Try to make sure your password is at least eight characters long.
  • Use a mix of lower case and upper case letters.
  • Try to use at least one number and two of these characters in your password: ~!@#$%^&*()-_+={}[]\|;:/?.,<>
  • To help you come up with a strong password, try to think of a topic that interests you that you would not talk about on social media.
  • Then, try to replace some of the letters in that word with some of the symbols mentioned above.
  • For instance, Brazil, South America can be changed to BrazilSoAm.
  • BrazilSoAm can then be changed to Br@z!1>So>@m.
  • Using a password manager is a great way to improve your personal security online, but it’s not perfect.

Social media tips

A social media presence can be a great opportunity to build your brand, increase your customer base, and communicate with customers. Despite the benefits, there are some risks that you should be aware of. What are the risks of using social media in healthcare?

  • Potential HIPAA violation - Privacy and data security issues that arise from employees using social media in a way that may violate a patient’s privacy or compromise security. Significant civil monetary and criminal penalties can be imposed for a violation.
  • An entryway for a cyber attack - Social media can provide information to a cyber criminal that can be used in spear phishing attacks. These attacks often appear to come from friends or colleagues. Hackers can use social media to infect a corporate network with malware and viruses, exploit vulnerable networks, steal intellectual property, and harm an organization’s reputation.
  • Violation of Federal Trade Commission Rules - The Federal Trade Commission (FTC) has rules about how you promote products and services.
  • Discoverability in legal case - Social media platforms allow information to be distributed almost instantaneously to a wide audience and can create a permanent record that could easily be discoverable in a lawsuit.
  • Violation of professional standards – licensing boards can issue sanctions for:
    • Inappropriate communication with patients
    • Use of Internet for unprofessional behavior
    • Online misrepresentation of credentials
    • Violation of patient confidentiality
    • Failure to reveal conflicts of interest online
    • Derogatory remarks regarding a patient
    • Online depiction of intoxication

Risk Management Strategies Involving Social Media

  • Include issues related to social media training in your HIPAA training materials.
  • Healthcare workers should be aware of the need to differentiate their personal and professional personas.
  • Develop a social media policy, customized to your organization, that clearly identifies what is and is not acceptable. Set rules for what information staff can post.
  • Complete a comprehensive security risk analysis.
  • Companies may want to consider liability insurance that specifically addresses this risk.
  • If you sponsor an online support group, you can take down or leave comments, but do not edit a third party post as you may assume liability for the content.
  • Create a written compliance plan to monitor the highest risks for a potential cyber attack. The compliance plan must address cyber attack response procedures in addition to other compliance matters. This should include policies, codes of conduct, training, and specific incident response procedures.
  • If a HIPAA breach occurs, ensure proper notification. Notification must be sent to the affected individuals as soon as possible, but no later than 60 days after discovery. If the breach involves PHI of 500 or more individuals, you must also notify HHS without unreasonable delay and in no case later than 60 days following the discovery of the breach. For breaches involving fewer than 500 individuals, maintain a log and submit the log to HHS within 60 days of the end of the calendar year.
  • Ensure that patients sign a photo release form prior to sharing any photos.
  • Develop a mobile device policy that defines the appropriate and inappropriate use of mobile devices and the clinician’s interaction with social media. The use of mobile technology should never negatively affect provider performance or compromise patient care. Keep in mind that distractions in places like the operating room have a potential to negatively impact patient safety.
  • Provide up-front full disclosure of all material relationships between brands and sponsored endorsements on social media. Clearly and conspicuously disclose that relationship with your brand.
  • Don’t make inflated promises about products or services.
  • Consider insurance coverage for cyber and regulatory risks.

The goal is not to discourage the use of social media outlets, but rather to use them responsibly, recognize the challenges, and use sound judgment about how they are used and how the information is secured.

Additional Resources

Sample Social Media Policies:

Other Resources

  • American Medical Association. Opinion 9.124 - Professionalism in the Use of Social Media. Chicago, IL: American Medical Association, June 2011.
  • American Nurses Association and the National Council of State Boards of Nursing. A Nurse's Guide to the Use of Social Media. Chicago, IL: National Council of State Boards of Nursing, 2011.
  • Federation of State Medical Boards. Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice. Euless, TX: Federation of State Medical Boards, n.d.
  • Social Media Guidelines for Nurses. Video, National Council of State Boards of Nursing, 2011.

Ransomware tips

What is Ransomware?

Ransomware is a relatively new way that cybercriminals are infecting PCs and mobile devices. Ransomware uses encryption to lock a victim’s files and hold them hostage until the victim pays the attacker’s demand—usually in bitcoin, a digital currency.

One of the most common attack methods is phishing email carrying malicious attachments or links. When the user opens the attachment, it installs malware on the computer that allows the attacker to encrypt or lock the files. The computer screen then freezes with a pop-up message—often purporting to come from the FBI or another federal agency—saying that because you violated some sort of federal law your computer will remain locked until you pay a fine. The message typically warns the user that the files have been encrypted and will be decrypted only when a ransom is paid.

Cyber Attacks are on the Rise in Healthcare

In 2014, the FBI signaled an alarm to the healthcare industry, calling it “a rich new environment for cybercriminals to exploit.”i Only in recent years has the healthcare industry begun the process of transitioning from paper to electronic systems. The rush to adopt the technology has left some healthcare organizations more focused on the clinical and workflow aspects of the electronic systems and less focused on data security. Meanwhile, cybercriminals have discovered new opportunities for financial gain from the virtual “treasure trove” of information contained in a medical record and medical devices.

What You Can Do to Prevent a Ransomware Attack

  • Back up your operating system and all its contents to an external hard drive every single day
    • It is less likely that you could be held hostage if you have copies of important data
    • Data can be recovered from back-up files
  • Be careful what you click on
    • Do not open attachments included in unsolicited emails. A suspicious email may tell the user that they should immediately review an overdue invoice or a similar tactic to entice the user to open the attachment
  • Use a reputable anti-virus and firewall. Make sure your software is up-to-date
  • Keep current with patching to minimize exploits and vulnerabilities
  • Be cautious when clicking any link containing free software or other offers
  • Business users should allow their IT departments to perform upgrades
    • Many ransomware attacks come in the form of fake ads for upgrades to products such as Windows, Java, and Adobe
  • Enable the pop-up blocker on your browser to block suspicious ads
  • Use virtual browsing sessions whenever possible, so everything is deleted—including malware—when the session is closed
  • Avoid clicking on links to suspicious websites
    • A common technique attackers use to distribute ransomware is through fake websites they have created. Attackers entice victims to visit the infected website and then run their malware once the victim downloads infected software from the website
  • Use secure sites when sharing confidential information (understand the difference between HTTP and HTTPS)
    • Any time you need to share confidential information, such as a Social Security number or a credit card or bank account number (to make online payments), always make sure that the site uses HTTPS. HTTPS encrypts the information in transit so that it cannot be read by someone intercepting the connection and used to steal your identity. If you want to make a purchase online and notice that the site is not HTTPS, either phone in your order or go to the store in person.
  • Be extremely wary of all shortened URLs
    • Shortened URLs, produced by services like bit.ly and goo.gl, can be brute-forced (a trial-and-error method of guessing short codes, the same way an attacker guesses a password or a personal identifier)
    • Enumerating shortened URLs this way turns up all sorts of private documents; many of them can be edited, and so could be seeded with malware
    • The real destination of a malicious link is hidden behind the short URL
    • Some shortened link services have a better reputation than others
    • Services exist to reveal the destination of shortened URLs, for example X-Ray (these show the destination domain underneath the apparently harmless short URL)
  • Limit access to business critical data and shared drives
  • Use strong passwords

Immediately notify your IT department, the FBI, and MagMutual if you believe you are a victim of a ransomware attack. Disconnect from the Internet if you receive a ransomware note so your personal data isn’t transmitted back to the criminals. You may be able to mitigate risks by acting quickly.

Tips for sending sensitive information by email

  • When sending sensitive information via email, the information should be sent through an email system that encrypts the entire communication.
  • If you do not have such a system in place, then the information should be encrypted and attached as a secure file.
  • Make sure that the program you are using has appropriate encryption capabilities.
    • For instance, Microsoft Office 2007 and later versions have encryption capabilities, while older versions of the software do not have similar protection.
  • Make sure the password you are using is at least 8 characters long and contains a mix of upper case and lower case letters, one number, and two of the following characters: ~!@#$%^&*()-_+={}[]\|;:/?.,<>
  • Do NOT email the password to the recipient of the information.
    • Instead, use another method: face-to-face conversation, phone conversation, or text messages.
  • For Microsoft Word 2010, setting up password protection for a document is as simple as clicking “File”, “Info”, “Protect Document”, and “Encrypt with Password”.
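The password rule this tip sheet states (and the same rule in the "Tips for building a better password" section at the top of the page: at least 8 characters, upper- and lower-case letters, at least one number, and two characters from the listed set) can be checked mechanically before a file is protected with it. The Python below is an added example written for this page, not code from the toolkit; it implements exactly that rule with the character set copied from the page and reports which requirements a candidate fails.

```python
# Added example (not from the MagMutual toolkit): a checker for the password
# rule the tip sheets state: at least 8 characters, upper- and lower-case
# letters, at least one digit, and at least two characters from SPECIALS.
from typing import List

SPECIALS = set(r"~!@#$%^&*()-_+={}[]\|;:/?.,<>")  # the set listed on the page
MIN_LENGTH = 8


def check_password(password: str) -> List[str]:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    specials = sum(1 for c in password if c in SPECIALS)
    if specials < 2:
        problems.append(f"only {specials} special character(s), need 2")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the candidate satisfies every rule on the page."""
    return not check_password(password)


if __name__ == "__main__":
    # The page's own worked example: "BrazilSoAm" fails, "Br@z!1>So>@m" passes.
    for candidate in ["BrazilSoAm", "Br@z!1>So>@m", "password1"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The check enforces composition only. Letter-for-symbol substitutions like the page's `Br@z!1>So>@m` are well known to password-cracking tools, so the length rule and the password manager the page recommends do more for security than the symbol count does.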

Phishing tip sheet

What are phishing, spear phishing, and social engineering attacks?

Phishing is the attempt to gain information such as usernames, passwords, and financial information for malicious reasons. These attacks often masquerade as a trustworthy sender in an electronic communication, such as an email. Spear phishing is a scam that targets a specific organization. These are forms of social engineering attacks, where the attacker uses human interaction (social skills) to gain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a vendor or financial institution and even offering credentials to support that identity. For example, an attacker may send an email seemingly from a bank requesting account information, often suggesting that there is a problem. When the victim responds by providing the information, attackers can use it to gain access to the accounts. These attacks are becoming more sophisticated and harder to recognize.

Think Before You Click

Before you open an email, ask yourself these questions:

  1. Am I expecting the email?
  2. Is the email from someone I recognize or who is on my contact list?
  3. Are the requests of the email reasonable?
  4. Is the email asking me to take some urgent action?
  5. Is the email asking for sensitive information?
  • Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, contact the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the Internet before checking a website's security.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Before clicking any links in the email, hover your mouse over the link and the actual URL will appear. Double check to make sure the real URL is leading you to the right place. Hackers often slightly alter the URL to look like the legitimate address.
  • Avoid copying and pasting a suspicious link into the URL section of your browser to check it. It can cause an infection just like clicking the link.
  • Do not forward a suspicious email to other people in the organization.
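Two of the tips above (compare the displayed URL with the real one, and watch for spelling variations or a different top-level domain) are checks a mail gateway or a help-desk script can run automatically. The Python below is an added example written for this page, not code from the toolkit or from US-CERT; it parses the links out of an HTML message body, flags links whose visible text names a different host than the one they point to, flags plain HTTP links, and flags hosts that reuse a known brand label under another name. The sample message and the domain names in it are constructed placeholders.

```python
# Added example (not from the MagMutual toolkit): inspect the links in an
# HTML e-mail body the way the tips above tell a reader to do by hand.
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample message; every domain here is a placeholder, not a real site.
SAMPLE_EMAIL = """
<p>Your account has a problem. Please verify immediately:</p>
<a href="http://secure-examplebank.net/login">https://www.examplebank.com/login</a>
<p>Or view your statement at
<a href="https://www.examplebank.com/statements">our statements page</a>.</p>
"""

# Constructed: the domains the organisation genuinely uses (placeholders).
KNOWN_DOMAINS = {"examplebank.com"}

URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def looks_like_url(text: str) -> bool:
    """True when the visible link text is itself written as a URL or host name."""
    return bool(URL_LIKE.match(text.strip()))


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def lookalike_of(host: str) -> Optional[str]:
    """Return the known domain this host imitates (brand label reused under
    another name or TLD), or None when it is the real domain or unrelated."""
    for real in KNOWN_DOMAINS:
        brand = real.split(".")[0]
        if brand in host and host != real and not host.endswith("." + real):
            return real
    return None


def audit_links(html: str) -> List[str]:
    """One warning per problem found; an empty list means nothing was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    warnings = []
    for text, href in collector.links:
        target = host_of(href)
        if href.lower().startswith("http://"):
            warnings.append(f"{href}: not HTTPS")
        if looks_like_url(text) and host_of(text) != target:
            warnings.append(f"displayed {host_of(text)} but points to {target}")
        real = lookalike_of(target)
        if real:
            warnings.append(f"{target} resembles {real}")
    return warnings


if __name__ == "__main__":
    for warning in audit_links(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The first link in the sample trips all three checks, which is the pattern the tip sheet describes: a displayed address that looks right, a destination that differs, and a domain built on the bank's name. The second link is fine, because its visible text is ordinary words rather than a URL and it points at a known domain. The check is a triage aid, not a verdict: a link that passes can still be malicious, and the advice above to contact the company directly still applies.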

References: McDowell, Mindi. Avoiding Social Engineering and Phishing Attacks. U.S. Computer Emergency Readiness Team, 2016. NAS, Data Security Training Bulletin, Best Practices for Email.

Tip sheet data security best practices

1. Manage Your Passwords

  • Use strong passwords on systems that contain sensitive information - mix 8 or more upper and lower case letters, numbers, and special characters.
  • Don’t reuse passwords on different accounts.
  • Don’t share your passwords with others.
  • If you have a lot of passwords, use a password manager application to create and store them.

2. Maintain Your Software

  • Remove applications you no longer need.
  • Watch for and respond to security update notices. Apply them immediately. These include your operating system (e.g. Windows updates), web browsers (e.g. IE, Firefox, Chrome), and helper programs used to run applications and read/play files (e.g. Java, Adobe PDF Reader, Flash, QuickTime).
  • Keep your anti-virus program updated, configured properly, and running.

3. Guard against Social Engineering Attacks (aka Phishing)

  • Carefully scrutinize links and attachments in emails before you click or open.
  • Use bookmarks to safely return to sites you visit frequently. Use browser functions that warn of sites with poor reputations.
  • Be wary of all outside requests for sensitive information, whether by e-mail, phone or text message.
  • Independently verify the identity and authority of any requester before disclosing sensitive information, and then only if there is a legitimate business need.

4. Keep Sensitive Information Physically Secure

  • Lock documents away when not using them.
  • Shield information from view when others are near.
  • Lock your PC screen and keyboard when away from your desk (Windows key + L on a device running Microsoft Windows).
  • Keep mobile devices (laptops, smartphones, tablets, USB sticks, etc.) either within your sight, or locked up at all times.

5. Avoid Unsecure Networks Outside the Office

  • Don’t connect to the office from public Wi-Fi networks; use your phone’s cellular data plan instead.
  • If you connect while traveling, or work from home, have your IT department set you up properly with secure remote access.

6. Encrypt Data According to your Organization’s Policies.

7. Destroy Sensitive Information (Hard-copy and Electronic) When no Longer Needed.

8. Report Suspected Data Security Events Immediately.

Cyber Liability Tip Sheet

Cyber Attacks are on the Rise in Healthcare

In 2014, the FBI signaled an alarm to the healthcare industry, calling it “a rich new environment for cybercriminals to exploit.”i Only in recent years has the healthcare industry begun the process of transitioning from paper to electronic systems. The rush to adopt the technology has left some healthcare organizations more focused on the clinical and workflow aspects of the electronic systems and less focused on data security. Meanwhile, cybercriminals have discovered new opportunities for financial gain from the virtual “treasure trove” of information contained in a medical record and medical devices.

Financial Impact of a Data Breach

According to the Ponemon Institute’s 2015 Cost of Data Breach Study, the financial impact of a data breach continues to increase. In fact, in 2015, the financial impact hit a record high. Over the last ten years, there has been an 11% increase in the total cost of a data breach; the average cost per lost or stolen record for all industries is $217.00. The healthcare industry is substantially above the average at $398 per record stolen.ii

Primary Causes of Data Breach

Malicious or criminal attacks continue to be the primary cause of data breach.iii

Tips for Preventing/Mitigating Damages from a Data Breach

1. Software, hardware, and procedural methods to protect applications from external threats, such as firewalls

2. Application security

3. Database security

4. Endpoint protection

  • Require endpoint devices to comply with specific criteria before they are granted access to network resources.

5. Administrative policies and procedures (For example, audit policies, facility access controls, contingency plans, security incident response and reporting, workforce clearance, termination procedures)

6. Workstation policies and procedures

  • Mobile device policies
  • Retirement of devices that may contain PHI

7. Data protection/encryption

8. Maintain Business Associates Agreements (BAAs)

  • HHS sample Business Associate Contract

9. Vulnerability management

10. Security risk assessment/management

  • HealthIT.gov Security Risk Assessment tool

11. Identity and access management control

12. Mobile security and access controls

  • HealthIT.gov offers a library of materials on mobile device management and security

13. Data breach detection solutions

14. Data governance

15. Malware analysis

16. Consider risk transfer (cyber liability insurance)

17. Training and awareness

18. Breach response plan

Teach Your Staff

Begin training staff (permanent, temporary, and contractors) during the orientation process, followed by regular ‘refresher’ training and briefings on healthcare privacy and security. Teach staff to identify suspicious emails, links, and websites and how to respond if they encounter one.

  • Suspicious emails - A suspicious email may tell the user that they should immediately review an overdue invoice or a similar tactic to entice the user to open the attachment.
  • Suspicious links – A common tactic is to offer free software upgrades to commonly used software that contains malware.
  • Suspicious websites – Attackers entice victims to visit the infected website and then run their malware once the victim downloads infected software from the website.

Respond Promptly to Mitigate Risks

Immediately notify your IT department, the FBI, and MagMutual if you believe you are a victim of a cyber attack. Early intervention may mitigate damages.

More Information on Cyber Security from HealthIT.gov: https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf

i United States Department of Justice, Federal Bureau of Investigation. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. Private Industry Notification. Washington, DC: United States Department of Justice, Federal Bureau of Investigation, 2014.
ii Ponemon Institute. 2015 Cost of Data Breach Study: United States. Traverse City, MI: Ponemon Institute, 2015.
iii Ponemon Institute, 2015.

HIPAA Workforce Training Tips

What Does HIPAA Require for Workforce Training?

Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5).

Privacy Rule Training

Although the HIPAA laws require development of policies and procedures, there is nothing more important to ensuring HIPAA compliance than training your workforce. A covered entity (CE) is responsible for ensuring that every member of its workforce receives training in HIPAA privacy policies and procedures. New members must be trained within a reasonable period of time after joining the workforce and when material changes are made to policies and procedures. If you have contract employees who come in contact with protected health information (PHI) and work routinely on the premises, they should also receive HIPAA training. Business associates should also provide training to their workforce. You are required to maintain documentation that the training has taken place (45 CFR § 164.530(b)(2)(ii)). Although the HIPAA law does not specifically require annual training, it is recommended because of the increased risks of a privacy or security violation and the heightened liability associated with privacy and security of protected health information (PHI).

Security Rule Training

Security awareness and training is also required for all members of the workforce, including management. Employees can create the most significant risk to the organization’s security. HIPAA requires training that is tailored to meet the organization’s needs and that is provided for new and existing members of the workforce. Training updates should be provided periodically, whenever the Security Rule changes, and whenever policies and procedures are updated. The workforce should also be trained when the organization adopts new or upgraded hardware, software, or other technologies that impact security (45 CFR § 164.308(a)(5)).

What Topics Must the Training Cover?

Privacy

The HIPAA Privacy Rule does not specify which topics must be covered in workforce training. Rather, it states that training must be “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” Some employees may have functions with only limited involvement with patients or PHI. For example, a billing clerk in a medical office may receive different training than a nurse. If an employee’s job function does not involve release of information, they may not need training on this topic.

The most common and important HIPAA privacy topics to train about include:

  • Identify the organization’s Privacy Officer
  • What is PHI
  • Document retention and destruction
  • The minimum necessary rule
  • Rules about when and how PHI may be disclosed
    • Disclosures that require a written authorization
    • Disclosures that do not require an authorization
      • Treatment, payment, healthcare operations, public health and safety, research, organ and tissue donations, work with a medical examiner or funeral director, workers’ compensation, law enforcement, other government requests
  • The importance of confidentiality
    • Confidentiality policy
    • Social media policy
  • Accounting of disclosures
  • Patient rights
    • Obtaining a copy of their medical record
    • Requesting a correction of their medical record
    • Requesting confidential communications
    • Requesting limitations on their medical information
    • Maintaining a list of those with whom we have shared information
    • Obtaining a copy of the Notice of Privacy Practices
    • Choosing someone to act on their behalf
    • Choosing to whom we share information (family, friends, or others involved in their care)
  • How to handle a patient complaint related to privacy

Security

Training is also required under the HIPAA Security Rule. The implementation specifications are all addressable, which means that they must be followed unless there is a documented reason for not doing so or a documented alternative measure is substituted. Specifically, the HIPAA Security Rule requires that you implement a security awareness and training program for all members of the workforce, including management.

The most common and important HIPAA security topics to train about include:

  • Organizational policy on security updates
  • How to respond to a patient’s request for electronic communication
  • Physical safeguards of equipment, medical devices that contain PHI
  • Procedures for guarding against, detecting, and reporting malicious software
  • Procedure for guarding against, detecting, and reporting social engineering attacks
    • Phishing
    • Dangers of certain websites
  • Remote access procedures
  • Procedures for monitoring log-in attempts and reporting discrepancies
  • Procedures for creating, changing, and safeguarding passwords
  • Use and security procedures related to portable devices
  • New or upgraded hardware or software or new technologies that impact security
  • HIPAA Breach/Data Security Incident
    • Definition of breach
    • How to respond in the event of a potential breach or a security incident
  • Procedures for destruction of sensitive information (hard-copy and electronic)

Important Note: These lists are not intended to be an exhaustive list of HIPAA training topics. It is important to remember that HIPAA requires training that is tailored to meet the organization’s needs and the employee’s specific job functions. The content and information contained herein is intended to be used for general information and is not legal advice. Consult your own legal counsel to assist with specific situations that require legal advice or counseling.

Tips for data destruction

  • Implement policies and procedures to address the final disposition of ePHI, including the hardware or electronic media on which it is stored.
  • If the data destruction is outsourced to an external vendor, ensure that a business associate agreement is in place before releasing protected health information.
  • Whether by internal or external means, maintain a certificate of destruction that verifies what records were destroyed (for PHI, by individual name or identifying number), when and how they were destroyed; a statement that the destruction was in the normal course of business; and the signatures of responsible individuals and witnesses.
  • Sensitive information that no longer has a business purpose should be destroyed immediately.
  • Even encrypted files should be destroyed if they no longer serve a purpose.
  • Before destroying this information, make sure your organization is complying with all data retention laws or regulations.
  • Set up a data retention policy. Make sure your employees are aware of it and follow the procedures outlined in it.
  • All sensitive hard-copy files should be shredded with paper shredders designated as “high security”, which means they are approved to produce paper segments that cannot be reconstructed.
  • Deleting a file and emptying the recycle bin does not completely remove the file.
  • To destroy a file on a device that will continue to be used, make sure to use a file wiping application to completely remove the file.
  • If the device will no longer be used, the data can be destroyed by using software designed to destroy data, using a degausser, or by physically destroying the device. Hard drive destruction involves physical bending, mangling, and breaking of the drive units so that the disks inside cannot possibly be spun up or read from.
  • To ensure proper destruction of sensitive data, use your IT department or hire an outside company specializing in data destruction.
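The bullets above note that deleting a file and emptying the recycle bin does not remove its contents, and recommend a file wiping application for a device that stays in service. The Python below is an added example written for this page, not code from the toolkit or from any wiping product; it shows the overwrite-then-unlink approach such tools use, and carries the caveat a practitioner needs: on solid-state drives and on copy-on-write or journaling file systems, the overwrite may never reach the physical blocks that held the original data. The sample content and the temporary file path are constructed.

```python
# Added example (not from the MagMutual toolkit): overwrite a file in place
# before unlinking it, which is what a "file wiping application" does, with
# the caveat that on SSDs and on copy-on-write or journaling file systems
# the overwrite may never reach the physical blocks that held the data.
import os
import tempfile


def wipe_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite `path` with random bytes `passes` times, shrink it to zero
    length, and delete it. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = os.urandom(min(chunk, remaining))
                fh.write(block)
                remaining -= len(block)
            fh.flush()
            os.fsync(fh.fileno())  # force this pass to the device before the next
        # Truncating removes the size hint a directory entry would otherwise keep.
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def wipe_sample(content: bytes) -> int:
    """Write constructed content to a temporary file, wipe it, and return the
    byte count reported by wipe_file. Raises if the file somehow survives."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    overwritten = wipe_file(path)
    if os.path.exists(path):
        raise RuntimeError("file still present after wipe")
    return overwritten


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = b"Patient: EXAMPLE-0001, MRN 000000 (constructed sample)\n" * 200
    print("bytes overwritten per pass:", wipe_sample(sample))
```

The function is only as good as the storage underneath it: SSD wear levelling and copy-on-write file systems can leave the old blocks untouched while the new random bytes land elsewhere, which is why the page's later bullets (degaussing for magnetic media, physical destruction, or a specialist destruction vendor) remain the reliable options for a device leaving service.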

Tips to secure mobile devices

Along with the increased efficiency and timeliness of new technology and mobile devices, new risks related to compromising protected health information (PHI) have also developed. The risks associated with mobile devices include lost or stolen devices, viruses or malware, unintentional disclosures, and unsecured networks. An important first step is to decide whether mobile devices will be used to access, receive, transmit or store patients' health information or used as part of your organization's internal networks or systems. As part of the decision process, consider whether to allow employees to use their own devices. Below are some tips to mitigate the risks associated with mobile devices.

  • Control access to your devices
    • Set strong passwords and user authentication
    • Change all passwords at least on a quarterly basis
    • Enable automatic log off feature
    • Keep passwords, PINs and passcodes secret – do not store on the mobile device
    • Disable notifications that allow you to preview texts or emails while the device is locked
    • Always keep the device in your possession
  • Install and enable encryption
  • Install and activate remote wiping and remote disabling
  • Install security software and keep it up to date
  • Install and enable a firewall
  • Be wary of public Wi-Fi networks
  • Delete all stored information before discarding the device
  • Research all mobile apps before you download

For additional information and resources, please visit www.healthit.gov.

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.