May 21, 2020
Cyber threats in general, but especially those affecting healthcare organizations, have been a hot topic of discussion over the past few months. Recently, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Office for Civil Rights, provided guidance on the most common technical vulnerabilities that have been exploited during 2020 and in particular during COVID-19. We know you’ve had a lot of information thrown your way lately, so to keep your practice up to speed and help you stay ahead of new vulnerabilities, here’s a brief overview of the bulletin’s highlights:
- One of the most common trends is the use of Object Linking and Embedding (OLE), where malware is embedded or linked within other seemingly harmless content. OLE has been a huge gateway for hackers in 2020 thus far. It’s important to be aware of this commonly used tactic, to avoid clicking on any links or attachments from unauthorized sources, and to train your staff to recognize hidden threats.
- Cyber actors have been targeting unpatched (vulnerable) connections such as Virtual Private Networks (VPNs). Deploying patches helps fix security vulnerabilities and other bugs and improves the functionality and security of the program. Check with your IT provider to ensure your software is current and patched.
- In the abrupt transition to remote work, many organizations began utilizing cloud collaboration services without fully implementing the safeguards needed to prevent hackers from gaining easy access to these systems. Ensure your practice is utilizing secure networks when accessing data from the cloud and that these services were set up properly, to reduce the risks associated with cloud-based services.
- Many Microsoft and Adobe Flash products have been the target of hackers due to their widespread use. Refer to the CISA security recommendations when utilizing these programs and make sure your software is up to date.
- The lack of proper employee training during the transition to remote operations continues to give hackers an advantage in gaining access to sensitive systems through phishing scams. Employees may not be accessing protected health information (PHI) properly or be fully aware of what to look out for when it comes to cyber threats. Make sure you have the proper cybersecurity training in place to protect your practice.
As organizations begin to go back to work, it’s important to know that, much like COVID-19 itself, these cyber threats won’t just go away. Properly educating your employees on good cyber hygiene, doing routine checks and updates on security safeguards, and continuing to be on the lookout for any potential threats are vital in keeping your practice protected. Certain things your practice should be implementing right away are:
- Implementing a backup solution to automatically and regularly back up critical data and system configurations.
- Ensuring all access to systems requires multi-factor authentication, whether access is done remotely or while in the office.
- Enabling automatic updates for operating systems, applications, and hardware to protect from system vulnerabilities, as well as testing and deploying patches right away.
For more information on the government’s guidance, along with the mitigations provided to assist in ensuring the security of your practice, view the full bulletin here.