We missed the boat on National Insider Threat Awareness month in Sept: Insider Threat Mitigation.  But we are not going to miss NCSAM this year. Do Your Part. #BeCyberSmart and If You Connect It, Protect It. are going to be all over the place here in October.

A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

NCSAM Kick-Off starts next week – Ep 273

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

HIPAA Say What!?!

[04:11]The summer edition of the OCR cybersecurity newsletter came out recently: Summer 2020 OCR Cybersecurity Newsletter. If you aren’t signed up for these, you should consider it. They usually have perfect little nuggets of information to use at some point.

The summer 2020 newsletter focuses on the need to maintain a complete IT Asset Inventory. The intro has several points if you are willing to read between the lines a bit.

Conducting a risk analysis, which is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by an organization, is not only a Security Rule requirement, but also is fundamental to identifying and implementing safeguards that comply with and carry out the Security Rule standards and implementation specifications.  However, despite this long-standing HIPAA requirement, OCR investigations frequently find that organizations lack sufficient understanding of where all of the ePHI entrusted to their care is located. Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT)  asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance.OCR Summer 2020 Newsletter

Basically, what they are saying there is that HIPAA does not explicitly require an IT asset inventory. BUT, to properly do a Risk Analysis you should have an IT asset inventory. Can we legally get you for not doing it? No. However, we will make note that you don’t have one in an investigation and potentially have problems with your SRA methods and outcomes.

I know this is one of the most challenging steps we deal with when doing an assessment. We aren’t talking about just gathering a list of the inventory you purchased or a list of computers bought. We need to know what is actually happening on your network including all the different devices connected to it even if you didn’t buy them yourself. But the newsletter makes the point that IT assets cover physical devices, software AND data. All of those are IT assets. Not just what you find on a simple scan of the network.

OCR has started making these things clear in the recent settlements we covered a couple of weeks ago. This was part of the newsletter that sounded similar to what they were requiring in those CAPS:

Generally, an enterprise-wide IT asset inventory is a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).

The guidance explains something we have said over and over here and with our clients. You really need to know what data you have moving through your network and how it moves in, around and out of your network to do a proper security risk analysis. Under HIPAA you must do one focused on ePHI but it really is good to look at everything when you are doing your analysis. I liked a story they referenced from Microsoft:

Real world examples of IoT devices used for malicious activities include incidents reported by Microsoft in which malicious actors were able to compromise a VOIP phone, printer, and video decoder to gain access to corporate networks. The hackers were able to exploit unchanged default passwords and unpatched security vulnerabilities to compromise these devices. Once inside the network, the hackers were able to conduct reconnaissance and access other devices on the corporate network in search of additional privileges and high-value data.Microsoft Blog

Wow, who would think that could happen!?! We have tried to explain the same thing in many ways.

NCSAM Kick-Off starts next week – Ep 273

NCSAM National Cybersecurity awareness month 2020[16:13] Without constant follow up from us we were concerned about your ability to plan what to share each week during NCSAM. That is why this year as we head into Oct there is a plan to cover you. Each week we will review what is happening the next week for NCSAM and provide links to resources to help make it easier for you to share it out. As a reminder you can see the plans for the theme “Do Your Part. #BeCyberSmart.”

Next week will be when we open up Oct but since there are only a couple of business days in the week that are actually in Oct there is a brief 2 day promotional plan published. What should I do with that, you may ask. Well here is what we know.

The objectives are to educate the country on cybersecurity topics including:

NCSAM emphasizes “If You Connect It, Protect It.” Throughout October, CISA and NCSA will focus on the following areas in our promotions and outreach:

  • October 1 and 2: Official NCSAM Kick-off
  • Week of October 5 (Week 1): If You Connect It, Protect It
  • Week of October 12 (Week 2): Securing Devices at Home and Work
  • Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4): The Future of Connected Devices

NCSAM Champion Resources

If you signed up as a NCSAM Champion there are plenty of resources available for you to build any number of messages and events.  For example the messaging guide includes quotes like these:


This document is a guide to help you create written content to raise awareness during Cybersecurity Awareness Month.

Keeping a few helpful tips in mind while writing about cybersecurity issues creates easily understood material and more participation in your programs.

Here are a few things to keep in mind to help guide you when you’re writing:


The impact cybercrime has on companies is a very real one. The cleanup and sustained damage after a security breach can be expensive not to mention the loss of sensitive data, trust with customers, and falling stock prices as a result. When writing about the potential threats to a company’s data, make the point that it’s a matter that should be taken seriously, but it’s far from being hopeless.


[16:13] Raising awareness and taking action to protect digital information inspires confidence and eases anxieties. By communicating a few simple things, everyone can navigate safely online without exposing unnecessary personal or financial data. The result of the messaging should leave anyone feeling good and informed about the simple practices to keep their info safe.

● Don’t write material that feels threatening or fear-based

● Avoid painting scenes like cyber-criminals waiting at every online intersection ready to steal social security numbers

● Promote practical, empowering steps people can take

This document has many more sections including simplicity and much more. If you haven’t yet, review this document for ideas you can use for messaging that isn’t complex or overbearing. Those are the things this program wants to avoid. It is about engaging people and making them feel they are part of the solution and motivated to be involved and responsible for protecting data themselves.

The first two days of Oct are designated as a kick-off event. Each of the other full weeks have a specific topic. This kick-off is about setting the stage for the themes and events of the coming weeks.

pasted image 0

For each week they provide information about the chosen topic along with story ideas but you are also encouraged to create what works best for your environment. That sounds familiar, like: reasonable and appropriate for your environment. Here is what they give you to work with next week for the kick-off.



  • The number of cellular Internet of Things (IoT) connections is expected to reach 3.5 billion in 2023 – increasing with an annual growth rate of 30%. (Ericsson)
  • Gartner forecasts that 25 billion connected things will be in use by 2021. (Gartner)
  • 63% of people find connected devices ‘creepy’ in the way they collect data about people and their behaviours. (Consumers International & Internet Society)
  • Once plugged into the internet, connected devices are attacked within 5 minutes and targeted by specific exploits in 24 hours. (NETSCOUT)


  • IoT Security: The Good, The Bad, and The Ugly
  • Smart Devices Need Smart Security
  • The New Office: How COVID-19 Has Impacted The Way We Work

I really like the campaign DHS built for the month. They included fun puns and videos with a tongue in cheek approach. The Campaign

There are also a collection of videos and blog posts explaining how to use them on topics like passwords, vishing, data protection and more. A great resource is also a set of content for employee handbooks or sharing at a lunch and learn. Tips & Advice

Gather some of this information if you haven’t already. Put together even a small event or group of emails. Anything is better than nothing. When you have free resources that you can throw together go for it. If nothing else, make an announcement that October is National Cybersecurity Awareness Month next week. There are several ways you can do it using text from the Champion toolkit. Or even use the content on the About page. Then figure out how to use things each week for the rest of the month.


You have plenty to do from this episode. Pick a part and take a tiny bite of the elephant by completing one thing. Or, just move one thing forward. Next week we cover what the topic is for Week 1 of NCSAM.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.