[BreachExchange] Compliance Managers, Know What’s Happening in Your Midst!

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 15 18:57:39 EDT 2018


http://complianceandethics.org/compliance-managers-know-whats-happening-in-your-midst/

If you are a healthcare compliance officer, can you say with confidence
that you really know what is going on around you?  The ability to do so
determines your effectiveness.

The reason is simple: The best defense against a cyberattack is prevention
in every-day situations.  Otherwise, you simply take your chances.

This past January, the U. S. Office for Civil Rights (OCR) issued a memo
saying incidents of cyber extortion, in particular, are rising steadily,
with cybercriminals typically demanding money to stop the theft of
sensitive data or the disruption of computer networks.

Separately, a headline in USA Today, appearing in February, refers to
cyberattacks as “warfare” – a notion suggesting that defensive tactics must
constantly be in play.  In military parlance, the term “situational
awareness” means you know what’s going on around you so you can counter
threats in real time as they are developing.

Health organizations are especially vulnerable, as private health
information amounts to a gold mine for thieves.  Think phony drug
prescriptions or falsified insurance claims.  Elevating the stakes even
higher, the potential for rich black-market returns comes at the risk of
human lives.  Why else would respected health organizations pay ransom if
not to protect vital health information that is essential, in many cases,
for keeping people alive?

In its memo, the OCR offers guidance on how to prevent or respond to
attacks (Fact Sheet: Ransomware and HIPAA).  Some of the recommendations
reinforce basic requirements of the Health Information Portability and
Accountability Act (HIPAA), such as:

- Robust risk assessment and risk management;
- Staff training that ensures employees know how to identify suspicious
emails and other signs of malicious activity;
- Effective use of proactive anti-malware solutions.

These are among the obviously necessary steps to take, and indeed,
compliance with HIPAA rules amounts to a foundational level of needed
security.  At an optimal level, situational awareness implies the added
protection of daily vigilance on the part of people who truly look out for
threats as a matter of routine.  The goal: Create a culture in which daily
practices make it hard on thieves.  Ask yourself questions such as these:

Do your employees really understand that they should not open an email
attachment they are not expecting or do not recognize?

Do they really get it that if their computers are running unusually slow,
they need to report that to their supervisors immediately?

Do they know that any unusual phone calls, or strange requests for
information, need to be reported?

By answering yes to questions such as these, you are affirming the right
environment for preventing attacks.  Just as in any other kind of warfare,
success requires armed forces working in tandem.  In healthcare, an armed
force translates to informed employees and business associates who ward off
threats as a matter of course — because they are well trained on how to
recognize potential risks, they know how to stave them off, and their
instincts have been honed to the point that they know when to leap into
action to safeguard precious health information necessary to human
well-being.

In sum, daily vigilance is about a mindset that penetrates an entire
organization.  It’s about everybody being on the lookout — all the time.