As a healthcare executive, it can be easy to assume that your organization’s data is “safe,” but are you really sure? Here are four crucial protections to have in place to prevent a security breach:

Find all seven protections here.

#1 Security Awareness Training

The #1 security threat to any company is... your EMPLOYEES. According to the cyber security training company, KnowBe4, 91% of successful data breaches started with a spear phishing attack – an employee clicking on an infected e-mail.

Spam filters and anti-virus software cannot protect your network from an employee that intentionally clicks on and downloads a virus. That’s why it’s CRITICAL that you educate all of your employees on how to spot an infected e-mail or online scam. All it takes is ONE slip-up, and you can't assume your employees know better.

Further, many crime and cyber liability insurance policies will REQUIRE that you have an AUP (acceptable use policy) and cyber security training in order to receive coverage in the event of a breach. If you cannot prove you were providing training, you could be denied coverage. We encourage all of our clients to take a close look at the wording of their insurance policies and make sure they are compliant, so their coverage isn’t denied in the event of a breach, ransom attack or financial theft.

Employees can also compromise your company by using weak passwords that are easy for them to remember, downloading infected files or software applications OR accessing company applications from home PCs or mobile phones that are NOT being monitored, patched, updated and protected by your IT department or company. That’s why it’s critical to make cyber security awareness training an important, ON-GOING part of your cyber protection, along with an Acceptable Use Policy that is enforced.

For our clients we provide routine updates on what is going on in the industry to help them stay alert to potential threats, as well as an appropriate use policy template that helps the employees understand their duties in protecting your sensitive data.

#2 Mobile And Remote Device Security

If an employee is accessing company data with an unprotected, unmonitored, personal device, such as a cell phone, tablet or home computer, they can easily infect your network with a virus OR give a hacker access to your data.

Often, employees are doing this without the knowledge or consent of their managers and I.T. team. The FIRST step is finding out if this is going on (and it most likely is). Then, if you choose to allow employees to use personal mobile devices or home computers, you must protect that device like any other PC on your company network with advanced endpoint security, encryption, backup, etc.

At a minimum, ALL mobile devices should have a PIN code to access. Next they should have a remote “kill” switch that locks the device and wipes the data if lost or stolen. According to Bitglass, over 68% of healthcare data breaches occur when devices are lost or stolen. You also have to think about employees who quit or who are fired. How will you be able to erase YOUR data if it’s on their own personal device?

Because the data in your organization (patient records, financial information, etc.) is highly sensitive, you may not be legally permitted to allow employees to access it on devices that are not secured; but that doesn’t mean an employee might not innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can or cannot do with that device, including “rooting” or “jailbreaking” the device to circumvent security mechanisms you put in place.

#3 Strong Passwords That Are Enforced

Thanks to the power of AI (artificial intelligence), hackers have developed sophisticated software that can check over 100 million combinations of a password per second, in what are called “brute-force” attacks. This software is available for free online and can run off of any PC.

Today, a complex 8-character password using mixed case, numbers and symbols has only 1 billion permutations and can be cracked in 16 minutes. To speed things up, hackers hijack hundreds of thousands of computers to do the work automatically. To say the numbers become enormous at this point would be a gross understatement.

Remember, if your password is readable, a beginner can hack it with free software in seconds. Our advice is to make sure it’s complex and at least 12 characters long, with upper- and lower-case letters, numbers and symbols – particularly for online banking or password vault applications.

But human beings are NOT foolproof and will default to shorter, easier-to-remember passwords. That’s why you need to enforce good passwords.
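One way to enforce the rule above at the moment a password is set, shown as an added example that is not part of the original article: it checks the 12-character minimum, the four character types, and whether the password is "readable" even after common letter swaps. The wordlist, the substitution table and the function names are constructed assumptions for illustration.

```python
import re

MIN_LENGTH = 12  # the article's recommended minimum

# Constructed sample wordlist; a real deployment would load a large list of
# common and previously breached passwords instead.
COMMON_WORDS = {"password", "welcome", "hospital", "summer", "qwerty", "letmein"}

# Undo common character swaps so "P@ssw0rd" is still recognized as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def readable_word(password):
    """Return the common word the password is built on, or None."""
    normalized = password.lower().translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            return word
    return None


def policy_violations(password):
    """List every rule from the article that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    word = readable_word(password)
    if word:
        problems.append("built on the common word '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Summer2024", "P@ssw0rd!P@ssw0rd!", "vT9#qLm2&xRw8!Zd"]:
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

The second sample passes every length and character-type rule and is still rejected, which is why a complexity check alone does not stop readable passwords.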

#4 Dark Web ID Monitoring

BECAUSE most people are incredibly lazy about selecting strong passwords, and because of the ease with which hackers can crack one, you also need to add Dark Web monitoring to protect yourself.

The “Dark Web” is a part of the World Wide Web used by all cybercrime rings and hackers that is only accessible using special software. All users and operators are anonymous and untraceable, which is why it’s the playground for all cybercriminals.

Dark Web monitoring scans the Dark Web for your specific credentials being sold or traded. Once detected, it notifies you immediately so you can change your password (hopefully to a strong one!) and allows you to be on high alert for strange activity in your applications and online banking.

We use real-time scanners that check the Dark Web for our customers so we know if an employee was compromised before the hackers do.

WARNING: There are several companies who are now offering to do a Dark Web scan for you. Be VERY careful of going online and conducting one if you don’t know the company and the people behind it. They could be scams designed to get your password or credentials! Further, Experian and Equifax started offering Dark Web scans; but my concern is that both of these companies have had massive data hacks and exposed millions of personal records – definitely not companies I would trust. Further, it was rumored that the terms and conditions you agreed to when requesting these scans by these companies contained language that waived your rights to privacy, protecting THEM if they were hacked again. While we are not a law firm and cannot confirm if this is true, we can tell you it’s our opinion that you should be very careful about who you trust with your credentials.

Ensure you are implementing all four of these protections, and go here for the full report:

7 Urgent And Critical Protections Every Healthcare Organization Must Have In Place NOW To Protect Their Bank Accounts, Patient Data, Confidential Information And Reputation From The Tsunami Of Cybercrime