Cybersecurity misconceptions are pretty common in both personal life and business.  Enough cases of misinformation come through our offices on a regular basis to make it obvious just how confused people can be about what should be done.  We have pointed out many times that the government has been releasing information for years to assist both businesses and individuals.  You can find a lot of very helpful information at StaySafeOnline.org.  Today we are going to discuss one resource directed at SMBs that explains several cybersecurity misconceptions.


In this episode:

10 Cybersecurity Misconceptions – Ep 244

The HIPAA Boot Camp

2020 Spring Session Dates

March 24, 25, 26

Tucker, GA

2020 Fall Session Dates

Sept 15, 16, 17

Los Angeles, CA

For info go to TheHIPAABootCamp.com


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

 If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Listener message from K-Heat

Greetings, Donna & David – I am a long-time DoD cyber person working to transition into the health care industry, and I am so glad I found your podcast. Your expertise is extremely helpful in easing my learning curve, and the fact that you make me LOL is just icing on the cake!! 🙂

I’d like to ask if you’d consider doing a podcast comparing the processes & controls required to protect DoD/Ntl Security classified data (under RMF) and those for PHI (under HIPAA)? – Perhaps the best correlation with RMF is HITRUST CSF?

As I learn more about HIPAA, I’ve noticed MANY similarities between best-practice controls for classified data and PHI. Though, there are certainly differences -terminology, compliance mandates, and penalties. -yikes, PHI breaches are expensive!

As an example, something I’d be interested to know – DoD has a tool called eMASS that is essentially a central repository to track all cyber control implementation information. (plenty of user complaints about the tool, of course, but the intent of it is actually good). Is there a similar tool for HIPAA compliance controls?

My most important bottom line, though — You have made an excellent podcast, and I’m lucky to have found it. Thank you!!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

10 Cybersecurity Misconceptions

Cybersecurity misconceptions are often not technical in nature.  This list was assembled by the National Cyber Security Alliance based on input from leaders and employees of businesses all over the spectrum.  What they covered makes it clear that technical understanding is not the problem.  Of course, we need to add a little bit of a healthcare spin to each of them, but hey, we have HIPAA in our name!

“One focus of employee online safety education should include debunking commonly quoted cybersecurity misconceptions.” – CYBERSECURE MY BUSINESS™

1 – The data I have or have access to is not that valuable.

All data is valuable to someone.  Most businesses will have client lists, employee records, credit card information, marketing lists, tax information, business plans, marketing plans, etc.  There will be something of value to someone in any business’s records.  Healthcare data is more valuable than most data out there stored in businesses.  Obviously, things like the formula to Coca-Cola might be more valuable but then it isn’t stored all over the place in small and large organizations either.

2 – Cybersecurity only concerns technology.

Cybersecuring an organization is the responsibility of the entire workforce, not just the IT staff.
No.  Nope.  Not at all.  We just talked about how the number one issue we face is insiders.  Securing a human is one of the hardest things we face.  Managing humans is nothing at all like managing technology.  To this day I do not understand why some people will click on things or do things just in the user interface, much less in the decisions they make about data.  We cannot stress enough how little technology can do: when a person wants to do something badly enough, the technology is not enough to stop them.  The article makes the point clearly when it says that cybersecurity “is the responsibility of the entire workforce, not just the IT staff”.

3 – Cybersecurity is expensive

Just like the point above, cybersecurity isn’t always about buying high-end equipment and tools.  Yes, you should spend money on sound technology, but just throwing money at vendors will not provide the security you need.  To do things right you will need to invest in certain things.  But the most valuable thing you can do in many cases is get your staff trained and enforce your policies and procedures.  If you can’t afford to buy the latest and greatest tech, you can still be cybersecure if you invest your dollars strategically.  Long gone are the days when your technology expenses should be included in office supplies budgets.  You should have a long-term technology investment strategy that allows you to balance expenses while remaining focused on cybersecurity.

4 – Outsourcing cybersecurity requirements leaves me free from liabilities.

Again, this is not something that can be done with the wave of a wand or stroking a check to make it go away.  Vendors can take you down just as easily as an external threat actor or an insider with malicious intent.  You must be engaged and involved in making sure everyone takes their responsibility to protect your business and its data seriously.  In healthcare this gets really complex.  The impact on patients can be life-threatening.  Often people don’t really understand that to be the case.  If you see data as nothing but numbers and letters, then you forget they represent someone’s life.  You can’t outsource that responsibility and expect to be left unscathed when things don’t work out.

5 – My general liability policy will cover a cyber incident.

This one comes as a shock to a lot of people.  Many GL policies will not cover anything to do with a cyber attack.  In a recent case a business sued their insurer and got their data breach covered.  In other cases, the insurer claims that because a nation-state attack is suspected, it is an act of war.

6 – Cyber attacks always come from external threats

We just talked about how serious the insider issues are in healthcare, but the news is that insiders are a major issue everywhere.  We have an entire episode explaining why this misconception is absolutely not the case.

7 – Younger people are better at cybersecurity

In a word, no.  They are better with technology than older generations, but that does not make them good at security.  Many of the younger generations have developed habits where security and privacy are not even something they consider.  Please do not assume that they know anything about security until that is proven.

8 – Compliance with HIPAA, PCI, etc. is enough

Compliance is not security and security is not compliance.  What is important is that you use a robust framework that includes both security objectives and compliance standards.  If you worry only about compliance you will definitely not be secure.

9 – Physical security doesn’t fall under cybersecurity safeguards

It is easy for healthcare professionals to see the problem in that statement.  Well, it should be.  The HIPAA Security Rule requires safeguards that are administrative, technical and physical.  If your data can be picked up and walked out the door, you will not have security very long.

10 – I just bought the latest hardware or software solution so it is secured out of the box.

No, in fact, vendors leave security turned off by default.  Or they have default passwords that they expect you to know you should change.  Software and hardware require updates regularly for a reason.  Many times you will see a cool list of security features on your device brochure, but you must be sure that they are turned on and configured properly.

There are many other resources out there for all SMBs in addition to this one.  The FTC has a great section, “Cybersecurity for Small Business”, that also includes quizzes to test your knowledge.  It also references the NIST CSF for an appropriate framework.

Remember to follow us and share us on your favorite social media site.  Rate us on your podcasting apps; we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.