October is Cybersecurity Awareness Month – a 19-year collaborative effort between the government and industry to improve awareness of cybersecurity in the United States, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA).
2022 Cybersecurity Awareness Month – See Yourself in Cyber
The theme of this year’s Cybersecurity Awareness Month is See Yourself in Cyber, where the focus is on the actions that everyone should take to improve cybersecurity. In previous years, the month of October has been divided into four weeks, each of which has a different theme. This year, rather than have a different weekly theme, the focus each week will be on one of four key behaviors that everyone should adopt. Simply practicing these basics of cybersecurity will greatly improve an individual’s and an organization’s security posture.
- Enabling multifactor authentication – Improve access controls by adding additional authentication requirements in addition to a password. MFA can prevent access from being granted to accounts using stolen credentials.
- Using strong passwords and a password manager – Set strong, unique passwords for all accounts that are resilient to brute force attacks and use a password manager to create those passwords and store them securely in an encrypted password vault.
- Updating software – Ensure software is kept up to date and apply patches promptly to correct known vulnerabilities.
- Recognizing and reporting phishing – Learn about the signs of phishing, the red flags in emails, text messages, social media posts, and telephone calls that can indicate a phishing attempt, and ensure phishing attempts are reported.
“To build a more resilient nation, everyone—from K through Gray—has a role to play, which is why our theme for this year’s Cybersecurity Awareness Month is ‘See Yourself in Cyber,’” said CISA Director Jen Easterly. “This October, we are taking this message directly to the American people because whether you’re a network defender or anyone with an internet connection, we all have a role to play in strengthening the cybersecurity of our nation.”
Improving Cybersecurity Awareness in Healthcare
Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on the above key behaviors will go a long way toward improving security and preventing data breaches.
Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train all workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”
HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.
“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.
Training should be followed up with regular security reminders, which are an addressable specification of the HIPAA Security Rule. Cybersecurity Awareness Month is the ideal time to focus on security reminders and develop a program for delivering these reminders regularly. OCR suggests security reminders can include cybersecurity newsletters, but also phishing simulations to members of the workforce to gauge the effectiveness of the security awareness and training program, and to provide additional, targeted training to employees who are fooled by the simulations. HIPAA-regulated entities should consider implementing a mechanism that allows employees to easily report phishing attempts and suspicious emails to their security teams, such as an email client add-on that allows one-click reporting, and to encourage employees this month to report potential threats.
Multifactor authentication is an effective additional safeguard for improving access controls to prevent stolen credentials from being used to access accounts. This month is the ideal time to accelerate plans to implement multifactor authentication – if MFA has not already been implemented – and to ensure that it is applied to all accounts. Phishing campaigns are being conducted that allow certain types of multifactor authentication to be bypassed. To protect against these MFA bypass attacks, MFA implementation can be made more resilient by using a solution that supports Fast ID (FIDO) v2.0 and certificate-based authentication.
Brute force attacks often succeed due to employees setting weak passwords or reusing passwords on multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers can suggest truly random, complex passwords, and greatly improve password security and management.
It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Ensuring all employees are aware of the above key behaviors and are practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.
The post Cybersecurity Awareness Month Focuses on 4 Key Behaviors appeared first on HIPAA Journal.