A Forbes article, "7 Tips From The FBI To Prepare Your Firm For A Cyber Attack" by Joanna Belbey, had so many good points in it that we felt we needed to discuss it. Cybersecurity tips are always worth checking to see whether you have covered these things in your security plans. HIPAA Security requires these things, but every business should be thinking about how to address these issues, not just those who have to comply with HIPAA.
Jay Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office, is interviewed in the Forbes article and has some great points to share.
Types of cyber-attacks
- [2:55] Hacktivists – use your systems or data to make a statement about business practices or social issues
- [6:15] Foreign governments for terrorism or to gain a competitive advantage
- [7:00] Criminal enterprises – the new mob shakedown – do what I say or I will kill your data
- [9:50] Bad actors / fraudsters – steal your identity, eat up your credit, wipe out your bank account
- [11:05] Industrial espionage – looking for a competitive advantage
Cybersecurity Tips
[13:29] In summary, Kramer provided 7 tips to prepare your firm for a cyber-attack:
- [14:00] Understand what your network looks like, even after all the mergers, acquisitions, and consolidations.
  - Create a map of your networks and prepare a list of devices on the network and users on the network.
  - Sounds like a HIPAA Risk Analysis – actually, that is exactly part of a HIPAA Risk Analysis.
- [14:37] David’s rant: Back up your data routinely and store it offsite.
  - Just like the HIPAA backup and disaster recovery requirements.
- [19:22] Know where your most important data is being held. Think about where it should be held and the protocols to gain access to that information.
  - HIPAA says you should identify your critical business apps and identify your PHI locations, with the threats and vulnerabilities to them, in your Risk Analysis and Risk Mitigation Plans.
- [20:20] Develop policies for cybersecurity.
  - What policies govern the use of data and networks by employees?
  - Train your employees on use policies.
  - Define where your logs and data are being held. List applications running on the network, including applications developed in house.
  - HIPAA requires written policies and procedures for training, log management, data uses and disclosures, access controls, etc.
- [22:43] Be aware that bad actors could already be in your system right now and could have been for a long time.
  - Make sure your IT departments are aware of updates and are patching vulnerabilities in your systems.
  - HIPAA requires up-to-date antivirus solutions plus patch management to get security updates for all your important applications.
- [23:59] Develop a response plan in the event of an attack. Have a plan to work with your attorneys, your PR firm, and your Board of Directors. Have a team of forensic experts and outside firms available.
  - The HIPAA breach response plan calls for this too! Coincidence – I think not!
- And finally, establish a relationship with your local FBI office today, before there’s a cyber-attack.
Those are the 7 cybersecurity tips the FBI shared. Interestingly, those same tips could also be called cybersecurity tips for HIPAA compliance.