It has been a little over a year since the passage of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
What does this mean to you? Once CISA's final rule under CIRCIA is in force, it imposes a separate set of reporting obligations: covered entities must report covered cyber incidents to CISA no later than 72 hours after they reasonably believe the incident occurred, and must report any ransom payment made in response to a ransomware attack within 24 hours of making the payment. How is this different from the current HIPAA rules? The HIPAA Breach Notification Rule requires a covered entity to notify only when there has been a breach of unsecured protected health information (PHI). Any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised (LOCOPRO); when that finding is made, notification is not required. When the assessment finds that PHI was likely compromised, the affected entity must notify without unreasonable delay and no later than 60 calendar days after discovery. Under CIRCIA there is no time to work out whether PHI was compromised: a covered cyber incident must be reported to CISA within the 72-hour window, and you then circle back to meet the HIPAA requirements on their own clock. Note that CIRCIA's rule defines which entities and incidents are covered, so check whether your practice falls within its scope rather than assuming every event at every organization is reportable.
Obviously, in any cyberattack scenario, your practice will work closely with your Managed Service Provider (MSP) to determine how the attack happened, how to contain it and how to limit further damage to the business. In fact, it is incumbent on your MSP to institute safeguards and protocols to prevent a cyberattack from occurring in the first place. The diligence of your MSP in keeping your IT infrastructure secure can only go so far, and with threat actors becoming more sophisticated, it may require them to expand their cybersecurity specialization or work with cybersecurity specialists to reduce your organization's exposure.
HCN has partnered with a cybersecurity specialty group called Black Talon Security to assist our clients with a set of tools and services that might not be part of your MSP’s arsenal. We asked Gary Salman, Black Talon’s CEO, to put together some common misconceptions about cybersecurity. Here is what he came up with:
- my firewall and anti-virus software will protect me.
- my backups will prevent me from having to pay a ransom/extortion demand.
- I am in the Cloud, so I have nothing to worry about.
- my IT company has me protected, so I have nothing to fear.
- hackers won’t find me, there are too many “big fish” out there.
- even if I get hit, I will be able to get back up and running quickly.
- the FBI has tools to decrypt my data.
- I don’t have any data that hackers care about.
- I have insurance, so I am covered.
- I am just a physician practice, not a hospital, so security does not matter to me.
Along with his list of common misconceptions, Gary has provided ten best practices for cybersecurity.
- Turn on multifactor authentication.
Enable multifactor authentication (MFA), also called two-factor authentication (2FA), on every application or website that supports it. MFA requires a second proof of identity beyond the password, typically a one-time code delivered to your phone or generated by a separate authenticator app, or a hardware security key. Where the service offers a choice, prefer an authenticator app or a hardware key over SMS codes, since text-message codes can be intercepted or phished.
- Create strong passwords.
Use strong passwords everywhere. A strong password is at least 12 characters long and mixes letters, numbers and special characters such as @, $, #, ! and &; a long passphrase made of several unrelated words is just as strong and easier to remember.
- Don’t reuse passwords.
Never use the same password across multiple websites or applications. Every website and/or application should have a unique password.
- Use a password manager.
Use a password manager such as LastPass or Dashlane to create and store strong, unique passwords. These tools generate random passwords for you, so you never have to remember or reuse one. Protect the manager itself with a strong master password and MFA, since it holds the keys to everything else.
- Approach remote access tools with caution.
Remote access tools such as remote desktop and screen-sharing software are a frequent entry point for attackers and can present a tremendous risk to your organization. If you must use them, use the paid business versions (the free consumer editions typically lack centralized controls and logging), require MFA and strong passwords, and never expose remote desktop directly to the internet.
- Train your team.
Train your entire office on how to recognize threats such as phishing, spear phishing, social engineering, business email compromise (for example, banking wire fraud) and the proper use of removable devices. Test them regularly with a phishing simulator.
- Learn the difference between information technology and cybersecurity.
Understand the difference between your IT company and a dedicated cybersecurity company. Know when you might need the help of a specialist.
- Evaluate your vulnerabilities.
Use a dedicated cybersecurity firm to review your firewall configuration and run continuous vulnerability scanning and remediation. This can uncover exposed or unpatched devices on your network that an attacker could exploit to gain a foothold, leading to a breach or ransomware attack.
- Put your security to the test.
Have a cybersecurity specialist perform a penetration test at least annually to identify how an attacker could actually breach you. Cybersecurity specialists can also perform a security risk assessment to evaluate how and where you may be attacked; a risk analysis of this kind is also required of covered entities under the HIPAA Security Rule.
- Install prevention software.
A cybersecurity specialist can deploy endpoint detection and response (EDR) software on every computer and server. Unlike traditional signature-based antivirus, EDR monitors process behavior on the machine, uses behavioral analytics and machine-learning models to detect threats, and lets responders isolate a compromised machine from the network while they investigate.