Debunking Cybersecurity Myths: Data Responsibility, Role of Insurance, and More.

We know that client data security, data privacy, ransomware and cyber breaches are at the top of the news, but how does that affect the daily decisions you make in your practice or business?

There are two commonly held misconceptions:

  1. Responsibility for data security falls on the third-party suppliers you use for your electronic records and cloud-based applications.
  2. Failing that, cybersecurity insurance will cover you if you do have a breach.

Who is Watching the Data?

Most operators of health care practices, like all business owners, need to be much more prepared for potential information breaches and malware and ransomware attacks than they currently are.

It is the operator of the business or practice who is legally and financially responsible to clients for protecting their personal data, regardless of who else has handled it. Outsourcing storage or processing to a supplier does not transfer that accountability. It includes adhering to every data security regulation and standard that applies to the information you hold, such as HIPAA and PIPEDA for personal and health information and PCI DSS for payment card data.

Data responsibility falls on the owner of the business

When Won’t Insurance Protect You?

Insurance companies are increasingly insisting that their clients (you) take proactive measures to prevent data breaches. If those measures are not put in place and documented to show that the policy requirements have been met, coverage can be denied when a security incident occurs. This can be a very expensive surprise: the average cost of a data breach to a Canadian business is estimated at $6.75 million in 2021 and $7 million in 2022.

Insurers are also becoming more stringent about the requirements a client must meet before they will write or renew a policy at all. Businesses that have not done the groundwork may find that they cannot purchase insurance. This is the cyber equivalent of the house that fails a building inspection: nobody wants to insure a house that already has a leaking roof (or a leaking network). See this article: https://www.computerweekly.com/news/252529132/Companies-warned-to-step-up-cyber-security-to-become-insurable

What Are the Most Important Security Practices to Have in Place?

Know What You Have and Its Importance:

Identify your critical information assets and systems so that you know what you are protecting and what the impact of their damage, loss or theft would be.

Understand the main threats to your organization.

Through a process of data discovery, identify your valuable information and systems and apply risk management plans to improve your security posture.

Identify the regulatory requirements for sensitive data in your particular field: whether you must comply with health information, financial information, payment transaction or privacy standards, in each country you operate in.

Have a Plan and Document It:

As mentioned above, insurance companies are asking their clients to prove that they have security measures and documented plans in place. Every business should have written policies for all of its security, data handling and data privacy practices, procedures for implementing them, and an incident response plan that says who does what when a breach or failure happens.

A complete data management plan covering data storage, backup, encryption, access control and user authentication is vital.

Data responsibility includes proper documentation of everything

Integrate Your Security:

Create an end-to-end security system in which all components of the infrastructure, such as firewalls, access points, network connections, endpoint security software (anti-malware) and backup and recovery technologies, work together and share information, so that a problem detected in one place can be contained everywhere.

A good, integrated cyber security system will be continually updated, and will have ongoing monitoring and reporting.

The most desirable system will have a 24/7 Security Operations Centre (SOC) watching your network and computers for attacks. The SOC must also be able to act on events, isolating and neutralizing them before they spread through your network (and before you are aware that there was an issue).

Close the Wi-Fi Door:

Do not offer Wi-Fi to the public, even your own clients; if you must, put it on a separate guest network that is isolated from the network your business systems use. Turn off Wi-Fi on your printers. Ensure that your internet routers use a unique, strong passphrase (WPA2 or WPA3, never the factory default) and limit Wi-Fi access to staff only.

Audit your inventory of “Internet of Things” (IoT) devices such as smart doorbells, cameras, Wi-Fi controllable light fixtures, speakers, voice assistants (Alexa, Google, Siri) and more. Change default accounts and passwords to unique ones and consider removing these devices whenever possible.

Know Who You Work With:

Vet your suppliers for their data security practices before signing on with them. Do they have written security policies? Can they meet the required standards and privacy regulations? Will they regularly report on their security measures and continuously improve them? Who has access to your data, and why? Your data handlers, supply chain partners and contractors can be a major exposure for your data. They need to be secure, documented and controlled, and monitored on a regular basis.

Collaboration is Key:

Cybersecurity is not the sole responsibility of one designated ‘security’ person. It requires the support of all levels of management, constant work by the IT security teams and active participation of all members of staff.   Your IT consultants can help you organize a unified response to security threats.

Don’t Ignore the Human Factor:

The most common way for a bad actor to gain access to your data is through people, not technology. Criminals are skilled at deception, gaining information by phone (impersonation), email (phishing) and the web (spoofed sites, malware links). Regular staff training reduces this risk.

Patch Your Software Regularly:

Your applications and operating systems need regular updating to close security holes that attackers can exploit. Patching should be done frequently and ideally automatically. Ask your IT consultant or Managed Service Provider about patch management systems, which enforce a patching schedule and report on devices that are not compliant.

Be aware that every device connected to your network also runs built-in software (firmware) with its own password-protected administration interface, which can serve as an entry point for attackers, especially if the default accounts and passwords remain unchanged. Printers, routers, access points, scanners and the rest of your IoT inventory need periodic inspection and updating. Firmware updates on these devices are seldom automatic; it is up to you to manage this inventory proactively and on a regular schedule. Replace any device that cannot be upgraded, cannot be made secure, or comes from a manufacturer that is out of business with a secure equivalent.
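The inventory audit described in this section and in “Close the Wi-Fi Door” can be made repeatable. The following is an added example (not Lighthouse Integrations’ code or any real product’s) that runs the checks above over a constructed device list: factory-default credentials, an administrator password shared between devices, stale or un-patchable firmware, an unsupported vendor, and Wi-Fi left on where it is not needed. The vendor names, default-credential table, inventory and the 180-day firmware limit are all assumptions made for illustration.

```python
"""Audit a small-office device inventory for the weaknesses discussed above.
Added example with constructed data: vendors, default credentials, the
inventory and the 180-day policy limit are assumptions, not real products."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed factory-default logins per (fictional) vendor.
DEFAULT_CREDENTIALS = {
    "ExampleRouterCo": {("admin", "admin"), ("admin", "password")},
    "ExamplePrintCo": {("admin", ""), ("admin", "1234")},
    "ExampleCamCo": {("root", "root"), ("admin", "12345")},
}
# Vendors that, in this constructed scenario, no longer ship firmware updates.
END_OF_LIFE_VENDORS = {"ExampleCamCo"}
# Policy assumption: firmware older than this many days counts as stale.
MAX_FIRMWARE_AGE_DAYS = 180


@dataclass
class Device:
    name: str
    vendor: str
    role: str            # "router", "printer", "camera", "scanner", ...
    username: str
    password: str
    firmware_date: date  # build date of the firmware currently installed
    updatable: bool      # can newer firmware still be installed?
    wifi_enabled: bool


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the findings for one device; an empty list means it passed."""
    findings: List[str] = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS.get(dev.vendor, set()):
        findings.append("factory-default credentials still in use")
    age_days = (today - dev.firmware_date).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware is {age_days} days old (policy limit {MAX_FIRMWARE_AGE_DAYS})")
    if not dev.updatable:
        findings.append("firmware cannot be updated; plan replacement")
    if dev.vendor in END_OF_LIFE_VENDORS:
        findings.append("vendor no longer supports this device; plan replacement")
    if dev.role == "printer" and dev.wifi_enabled:
        findings.append("Wi-Fi enabled on a printer; disable it")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Audit every device, then add the cross-device check for shared admin passwords."""
    report = {dev.name: audit_device(dev, today) for dev in devices}
    by_password: Dict[str, List[str]] = {}
    for dev in devices:
        by_password.setdefault(dev.password, []).append(dev.name)
    for password, names in by_password.items():
        if password and len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name].append(f"admin password shared with {others}")
    return report


# Constructed sample inventory for a small clinic (illustrative only).
SAMPLE_INVENTORY = [
    Device("front-desk-printer", "ExamplePrintCo", "printer", "admin", "1234",
           date(2021, 3, 1), True, True),
    Device("edge-router", "ExampleRouterCo", "router", "admin", "Clinic-R0uter!2023",
           date(2023, 9, 14), True, False),
    Device("lobby-camera", "ExampleCamCo", "camera", "admin", "Clinic-R0uter!2023",
           date(2019, 6, 30), False, True),
    Device("exam-room-scanner", "ExamplePrintCo", "scanner", "svc-scan", "x9!Lq-scan-2023",
           date(2023, 10, 2), True, False),
]
AUDIT_DATE = date(2023, 11, 1)  # fixed "today" so the sample report is reproducible


def sample_report() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In the constructed data the scanner passes, the router is flagged only because its administrator password is reused on the camera, and the camera collects the most findings because it can neither be patched nor supported; that last category is the one the text says should be replaced rather than tolerated.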

Test Your Software and Assets:

Misconfiguration of software, servers and online assets is a major contributor to data breaches. An inventory of all of your connected data and how it is handled is a must. Continuously conduct external monitoring and vulnerability testing to confirm that protection is still in place. Pay extra attention to web-based applications, both customer-facing and internal: test and monitor them for security, data integrity and unintended access.

Secure the Perimeter of Your Network

Defend your networks from intrusion and from ransomware and other cyber threats. Use a firewall that monitors both incoming and outgoing traffic: inbound filtering blocks outside access, and outbound filtering blocks connections to known malicious destinations and helps stop data exfiltration.

When employees work remotely, use a virtual private network (VPN) with restricted access (and multi-factor authentication on the VPN login) to secure the connection to your internal network environment and protect private information.

Data responsibility begins with securing your networks

Secure Your Mobile Assets

Develop a policy for deploying mobile devices to staff and connecting them to your networks. Will you only allow company owned phones and tablets in your environment? Encrypt and password-protect portable devices for data protection. Track and enable remote disabling in case of loss to protect critical business data.

Limit the use of portable data media, such as USB sticks and external hard drives, to company-owned, password-protected, encrypted devices. USB sticks are useful tools but they are easily lost, and USB media are a popular vector for malware to enter your network. Under no circumstances should anybody plug in a ‘found’ USB device. Consider blocking USB storage on workstations with the device-control feature of your endpoint protection product.

Beyond personal computers, configure mobile and network devices for data security as well: change default passwords and restrict access. Give individuals standard user accounts rather than administrative access, and reserve administrative accounts for the tasks that need them.

Strengthen Your Internal Security Policies and Create Sound Practices for User Authentication

Use and enforce strong passwords, and provide a secure password manager so that employees are not tempted to store passwords insecurely (on paper, in spreadsheets or reused across sites).

Enable two-factor authentication for logins. MFA, though not foolproof (one-time codes and push prompts can still be phished), is a significant improvement over relying on a single, vulnerable password; where it is available, prefer phishing-resistant methods such as hardware security keys.

Consider a strong single-sign-on (SSO) authentication solution, so that access can be granted and revoked in one place.

Have sound policies for issuing and resetting of account access, and how to deal with employee passwords and accounts when they leave employment. Pay particular attention to any account access granted to external contractors or service companies and monitor their use.

Identify critical data and make sure that only authorized users have access to it.

Train your staff in good cyber hygiene and safety, and how to recognize phishing, fraud and malware (and avoid them).

Get a Knowledgeable Technology Firm to Partner With For Security Management

Lighthouse Integrations has the enterprise-level experience to help you through identifying, implementing, and maintaining data and privacy security for your business. Our Business Maturity Model is a process that lays a solid foundation for business growth based on industry best practices and established standards and regulatory requirements. As a managed services provider, we can tailor an end-to-end solution that fits your requirements. Contact us to learn how to leverage our expertise.

Summary of Recommendations From the Canadian Centre for Cybersecurity

BASELINE CYBER SECURITY CONTROLS FOR SMALL AND MEDIUM ORGANIZATIONS V1.2 (Government of Canada – https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations)

The baseline controls aim to advise and guide small and medium organizations on how to maximize the effectiveness of their cyber security investments. Organizations seeking to go beyond these controls should look to more comprehensive cyber security frameworks such as the Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, ISO/IEC 27001:2013 or ITSG-33 IT Security Risk Management: A Lifecycle Approach.