Cybersecurity Awareness Month is being celebrated this October. For 19 years, the government and industry have collaborated to increase awareness of cybersecurity in America. This effort is headed by the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA).
This year’s Cybersecurity Awareness Month theme is “See Yourself in Cyber.” The emphasis is on the steps that every individual can take to enhance cybersecurity. In past years, each of the four weeks in October had its own theme. In 2022, instead of a different theme every week, each week focuses on one of four key behaviors that everyone should adopt. Practicing these four fundamentals of cybersecurity will significantly improve both an individual’s and an organization’s security posture.
- Implementing multifactor authentication – Strengthen access controls by requiring additional authentication factors beyond a password. MFA can prevent an attacker from gaining access to an account using stolen credentials.
- Employing a password manager and requiring strong passwords – All accounts must have strong, unique passwords that resist brute force attacks. Use a password manager to generate passwords and store them securely in an encrypted password vault.
- Keeping software up to date – Ensure software is kept current and apply patches promptly to fix known vulnerabilities.
- Identifying and reporting phishing attacks – Learn the warning signs in email messages, SMS messages, social media content, and phone calls that may indicate a phishing attempt, and report suspected phishing attempts.
Enhancing Cybersecurity Awareness in the Healthcare Industry
Many cyberattacks succeed because of mistakes by staff members who do not understand the fundamentals of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of the data breaches in 2021 involved a human element. Improving employees’ security awareness by focusing on the behaviors listed above will strengthen security and help prevent data breaches.
Security awareness training is a requirement for HIPAA Security Rule compliance. The administrative safeguards of the HIPAA Security Rule (45 CFR § 164.308(a)(5)(i)) require all HIPAA-covered entities to train their workforce on internal security policies and procedures.
HIPAA-covered entities must take a risk-based approach when developing training programs: they must teach cybersecurity fundamentals and prioritize the behaviors that most reduce risk. The HHS Office for Civil Rights (OCR) has provided guidance (https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html) on the aspects of cybersecurity that training should cover in its quarterly cybersecurity newsletters.
The Security Rule requires covered entities to implement a security awareness and training program for all members of the workforce. A covered entity’s training program must be ongoing, evolving, and flexible so that employees learn how to deal with new cybersecurity threats as they emerge. OCR has also emphasized the need to train all employees, including management and senior executives.
Cybersecurity Awareness Month is an ideal time to issue security reminders and to establish a program for sending such reminders on a regular basis. OCR recommends including security reminders in cybersecurity newsletters and conducting phishing simulations for employees. HIPAA-covered entities should also consider providing a mechanism that lets employees quickly report phishing attempts and suspicious emails to their security teams.
Multifactor authentication is a powerful additional safeguard that strengthens access controls and prevents stolen credentials from being used to access accounts. This Cybersecurity Awareness Month is an ideal time to accelerate plans to roll out multifactor authentication to all accounts where it has not already been implemented. Phishing campaigns are now being conducted that can bypass some forms of multifactor authentication. To protect against MFA bypass attacks, MFA should be implemented using an option that supports FIDO2 (Fast IDentity Online) or certificate-based authentication.
Brute force attacks usually succeed because employees use weak passwords or reuse passwords across several accounts. HIPAA-covered entities must enforce their password policies, and can make compliance with those policies easier for staff by providing a business password manager. Password managers can generate truly random, complex passwords and significantly improve password security and management.
It is easy to focus on technical defenses for securing ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Ensuring that all staff understand the key behaviors described above and practice good cyber hygiene will genuinely strengthen the cybersecurity defenses of the entire organization.