A Full Service Employee Benefit and Compliance Solution for Employers

By:  Dorothy Cociu, President, Advanced Benefit Consulting & Insurance Services, Inc.
CAHU Vice President, Communications

Most of us are still licking our wounds from COVID-19.  For the past nearly 18 months, we’ve all lost so much.  From illness and death of family members and loved ones to the loss of income, food insecurity and massive amounts of stress, to dealing with zoom learning for kids, and doing our jobs from home, we’ve been hurting.  Most of us were looking forward to the predicted 2021 improvements, with vaccines available now for all who want them, infections down, and travel beginning to see a new life.  By June 15, 2021, California opened up its economy, and we had hope.  Yes, our income may still be lower than pre-pandemic levels and some may still be struggling, but for the first time in so many months, we saw a glimmer of optimism and confidence that the future could be bright again. 

However, just as we were beginning to smile more, feel comfortable going out to eat at our favorite restaurants with family and friends, and for many, hugging our parents for the first time in over a year, another cloud has begun hanging over our heads.  And at times, the cloud turned to pouring rain and then bolts of lightning…  A new national emergency seems to be claiming our freedoms and our hopes and dreams.  This time, the emergency isn’t about a virus.  It isn’t about quarantine or loneliness.  It’s about blatant attacks on our infrastructure, our pipelines, our airports, our healthcare, our food supply, our power plants, and our business operations.  This enemy isn’t a single germ or microorganism or pathogen.  It’s a seemingly widespread and growing network of hackers and cyber criminals who exploit our weaknesses to infiltrate our networks and databases, quite often for profit.  In some cases, it’s simply about knowing they can, and rattling our nerves.  But often, in cases like Colonial Pipeline, JBS Foods and many others, it’s about holding data hostage and demanding payment in cash or bitcoin in amounts of tens of millions of dollars, just so that companies can get their systems back up and running.  And what has the Federal Government often recommended when someone is hit with ransomware?  Quite often, agencies such as the FBI have said simply, “Pay it.” 

The only good thing that these recent nationally reported attacks have done is raise awareness, which I am grateful for.  The question is, what will it take for people to take this seriously?  East coast residents saw the results first-hand with the closure of gas stations, and when they could finally find gas, there were miles-long lines waiting for the limited supply, and high prices (although sadly, those prices were often still less than what we pay daily in California for gas for our vehicles).  We’ve all felt it in the rise in food prices, particularly meat prices, in our grocery stores, and in the inability to get the goods and services we need when we need them.  As if last year’s toilet paper shortage wasn’t bad enough… I’m not sure if our nerves can handle food and gas shortages for long periods of time…

This storm has not passed.  In fact, the clouds are darkening and gaining strength; at times it feels as though we’re in the eye of the storm, and at other times, just on the outskirts.  No matter where you are, you can still feel the rainfall, the humidity, the ferocious winds.  With limited laws and no national, combined effort to combat it, the storm will rage on, until we all take control and stop it ourselves.

The Weakest Link

The problem is, in the simplest of terms, that systems can only be as secure as their weakest link.  In most cases, the weakest link is us… Yes, the most common denominator is human beings.  Humans are, as we all know, human.  We make mistakes, and we sometimes have short-term memories.  If not constantly reminded of something, we forget.  Or at times, we just ignore it, because that’s easier.  In many cases, we simply aren’t properly trained to protect one of our most valuable company assets… our data.

In many instances, it has taken only a single individual, perhaps someone highly respected who cares greatly about their job and the company they work for, to take down an organization, although perhaps unknowingly.  It may only take one misstep to throw the organization into turmoil, and subject it to a cyber attacker who is demanding millions of dollars… Can it be avoided?  Yes, but at what cost?

Generally, the cost is doing a proper risk assessment, understanding your risks, and doing something to mitigate those risks.  The cost is ramping up your network and database security, and the cost is taking the time, energy and effort to do one thing… Properly train your employees.  Many of the largest breaches in the United States and across the world could have been avoided, if only the organization had spent some time, energy and financial resources protecting itself with these steps.

Federal & State Laws & Regulations Overview

Unlike other nations, and unlike the European Union, the United States has no single federal law regulating cybersecurity or information security.  Although several states have cybersecurity and data breach laws, one of the few federal laws we have is HITECH, which came out of the American Recovery & Reinvestment Act in 2009; it ramped up HIPAA Security and protects an individual’s electronic medical information.  In addition to HIPAA Medical Records Privacy & Security and HITECH, we have the federal GLBA (Gramm-Leach-Bliley Act), which protects financial information held by banks, financial institutions, mortgage companies, insurance companies, and by extension, agents.  We also have the little-known federal Computer Fraud and Abuse Act (CFAA) for prosecuting cybercrime, Sarbanes-Oxley (which applies to public companies), and the Federal Trade Commission (FTC), which, since 2002, has assumed a leading role in policing corporate cybersecurity practices.  In that time, it has brought more than 60 cases against companies for unfair or deceptive practices that endanger the personal data of consumers.  Also on the federal side, we have the Children’s Online Privacy Protection Act (COPPA), the FDA regulations for the use of electronic records in clinical investigations, and a few other little-known federal privacy protections.  But there is no single regulation or oversight body.  There is a hodge-podge of laws, and often the government agencies don’t work together to fight cyber crime as other nations have. 

Here in California, we have even more privacy laws in effect, including the Confidentiality of Medical Information Act, Confidentiality of Social Security Numbers, a Data Breach Notification Law, a Customer Records law, and of course the California Consumer Privacy Act (CCPA), to name a few. 

Even though some of these laws, including HITECH, require electronic security, is that enough?  Sadly, recent history has proven it is not.  Even with these federal and state requirements, we continue to see hospital after hospital, medical group after medical group, and individual medical practitioners fail to fully implement the security measures required by federal and state laws.  We see businesses in all industries subjected to ransomware, with their email, their data files and more held for ransom.  Nearly every week, we hear in the news of another cyberattack that has slowed meat production, the supply of fuel for automobiles and aircraft, and more.

I’ve been preaching (and teaching, in seminars, webinars, on podcasts, writing articles, etc.) HIPAA Privacy & Security protections since 2002, just prior to the effective date of HIPAA Medical Records Privacy, which went into effect in 2003 or 2004, along with HIPAA Security in 2005.  When I wrote my HIPAA Manual in 2000 and updated it beginning in 2002 and for many years after with all of the Privacy & Security applications, I did my best to teach people how to protect their companies, mostly in terms of physical and administrative security… From teaching them to lock paper records down and double-protect SSNs and mental health information, to assisting them with creating written policies and procedures and their internal processes, and of course I did privacy training all over the country…  HIPAA Security in 2005 brought the electronic component, so again, I did the rounds and wrote about it, taught seminars, and helped employers and providers with implementation.  It wasn’t until HITECH in 2009, however, that it was taken somewhat seriously, when HHS and OCR started treating business associates the same as covered entities, and when penalties and enforcement ramped up, that we began to understand the importance of protecting our data.  It was in 2009 that even I, who had been doing privacy & security training for 7 years at that point, knew I was out of my league, and had to find technology partners to assist with the complexities of HITECH, because, after all, it’s all about IT functions and technology.  Yes, it was taken more seriously, but not seriously enough.  And today, it’s not just about medical records.  It’s about our internal systems, our personal and business financial information, people stealing identities, and now, it’s about having our data ripped from our systems and held in the hands of an invisible enemy.  

Even with these federal and state requirements, we continue to see data hacked and often, companies just pay up, because they knew the risks, but failed to take the necessary steps.  To many, it was an understanding that it could happen, but an unwillingness to do the work, invest the funds, and implement strong company-wide policies to secure data.  To some of those, it felt worth the risk.  Pay now or pay later, and they chose to put off what could have helped them avoid the dangers of today’s cyber-crimes.  Some of those are indeed paying later.  Much more than they may have wanted or imagined, because the widespread thought process is, it can’t happen to me.  We’re starting to realize now that it can.

In 2021, the “new normal” is being reminded almost daily about the current storm, the new national emergency (in my words, not the official government’s words), and that is cybercrime.  We need strong cybersecurity measures to combat that emergency.  The question is, are you willing to do what it takes to protect yourselves and your company’s data?

The First Steps Toward Data Protection

Now that this new national emergency is among us, what are we going to do to stop it, or at least slow it down, get a handle on it, and try to eventually end it? 

First, take a step back and evaluate where you are.  When was the last time you did a complete risk analysis, a true risk assessment, for your organization, including physical, technical and administrative security?  Have you ever?  Have you evaluated your systems, and done mock trials to find weaknesses?  Or have you turned your back on it, thinking ‘we’ll get to it someday’?  Well, folks, someday is here, and you need to take action now, or you could be the next victim of cybercrime. 

Some Real-World Actions To Keep You Safe

To share additional perspectives rather than mine, I brought in some reputable industry experts to assist me in this article; Ted Mayeshiba (Ted M.) and Ted Flittner (Ted F.), principals of Aditi Group, a Technology and IT Services and Consulting firm (and in full disclosure, my company’s technology partners), and Zach Ayta, Director of Partnerships and Sidd Gavirneni, CEO and Co-Founder of Zeguro, a Cybersecurity consulting and Cybersecurity Insurance company. 

Recent Ransomware Attacks in the News (Colonial Pipeline & JBS)

My first question to them was this… Recent large ransomware attacks like Colonial Pipeline and JBS Foods have shown us that hackers are exploiting security weaknesses and holding the data of many companies hostage, often demanding millions of dollars to unlock their own data, which in turn has shut down supplies of critical goods and services.  Can you explain to us, in layman’s terms, just what we mean when we say ransomware is a form of malware targeting systems?  What exactly do these malicious actors do in these situations?

“Ransomware is simply encryption software loaded onto your machine or network, which is NOT of your choosing,” stated Ted Mayeshiba (Ted M.).  “It was loaded onto your machine by a bad actor.  The bad actor then encrypts all of the data on your system so you can’t read it.  Their request to you is if you ever want to read or use any of your files again, pay them and they will give you instructions to decrypt the files.” 

Sidd Gavirneni of Zeguro was asked the same question, and responded as follows:  “Ransomware has become increasingly prominent in recent years and has grown significantly during the COVID-19 pandemic, with new ransomware samples growing by 72% in the first six months of 2020. This type of malware encrypts data in an information system and demands payment in exchange for regaining access. The payment is commonly demanded in cryptocurrencies due to their untraceable nature. Though the malicious actors claim that they will unencrypt data after the ransom is paid, there is no guarantee that users will receive the decryption key, and according to the Center for Internet Security (CIS), one ransomware variant deletes files even if the ransom has been paid.”

I do want to point out that, as you may have heard in the news, U.S. authorities have recovered millions of dollars in digital currency that was paid to the hackers responsible for the east coast fuel pipeline attack on Colonial Pipeline.  According to the Wall Street Journal (updated June 7, 2021, by Dustin Volz, Sadie Gurman and David Uberti), investigators seized approximately 64 bitcoin, valued at approximately $2.3 million, from a virtual wallet.  This particular attack was carried out by a suspected Russia-based criminal gang, according to the Justice Department.  It was reported that Colonial paid $4.4 million to the hackers because it was unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back online. 

This was the first time (at least that I’ve heard of) that the US government has actually succeeded in recovering part of the paid ransom in a major case, so I would not count on the government to help every company out there.  This one affected our fuel supply and started a media frenzy, with people desperately looking for fuel for their vehicles, and frankly, that type of publicity is not good for a somewhat new Administration in Washington, so I’m sure there was immense pressure to do something to show US strength in fighting cybercrime.  What about the other attacks?  Did the government step in for those?  Most of the time, the answer to date has been no.  You need to rely on yourselves, and prevent it from happening in the first place.

Public Entities Are Not Exempt from Hackers

Public entities have also been breached, such as Steamship Authority of Massachusetts, the Washington DC Metro Police, the University of California, Michigan State University and others.  People are wondering how they are supposed to protect their data when these large public entities aren’t even able to protect theirs.  What are some basic things that can be done to protect your company’s data, and how do we convince organizations that this is serious?  Again, I went to experts for answers.

“How do you protect yourself? This is malware, so you use all good hygiene practices we’ve spoken about on many occasions, like our trainings and in our podcasts.  You must keep your software and browsers up to date, use Multi Factor Authentication, and most importantly, don’t click on links you aren’t expecting, etc.”  stated Ted M.  “How can you protect data?  Well, in the case of a small library in Indiana, they had their card catalog hacked and encrypted.  What they do now is keep a backup of all their critical data offline.  If they get hacked, they wipe everything clean and restore from backup.  For a small business, this is a very practical solution.  For someone like Colonial Pipeline, they discovered it would take many days to do because the entire infrastructure was encrypted.  For those larger companies, we would recommend a separation of systems to prevent the unrestricted spread of malware.  Sierra Wireless (another very large Fortune 500 firm) was a victim of ransomware.  It attacked their administrative functions, but their operational functions were unaffected.  The customers were unaware.  Most administrative functions were back in days, fully functional within a week.  No ransom was paid.” 

So, is the answer to just back up your data?  Yes, that’s a good practice, but you cannot rely entirely on your backups.  As Ted M. said, this takes time that many companies may not have, particularly if they are an essential service or business.  To many organizations, time is money.  And no one likes to lose money.  But would you rather lose your data? 

In my discussions with the experts, I went on to ask them, how does the COVID-19 stay-at-home scenario add to the risks of data breaches and cyber-attacks?  What can be done to mitigate this, since many companies decided during COVID that they can save money by having certain employees work from home for the long term?  What are some basic must-dos and don’ts that companies should be practicing?

“The spread of ransomware throughout a connected network is the largest risk for a small business,” replied Ted M.  “Your machines in the office may be ‘locked down’.  Machines at home, less so.  At home there are many areas of weakness.  Family members.  Open ports.  Memory sticks may be inserted which are infected.  Wireless networks can be hacked.  IoT devices (Alexa, Nest, etc.) may be hacked.  Multiple entry points, multiplied by the number of employees out of the office in coffee shops or other public places, multiplies the risk.”

Ted M. continued: “What can be done?  Work policies must be enforced at home.  You should set up machines at home with a separated family account, work account and administrator account.  NO ONE BUT the employee should have access on the work account on a machine.  You need to restrict rights to the various accounts so work product cannot be breached or compromised.”

You may be thinking, how do I do that?  For that, I would highly recommend that you contact a reputable IT services company.  Most individuals cannot do that alone (although some teenagers in your household may be able to, but not willing to do so!).  However, be sure if they are working with machines that are owned by your organization or contain any type of company data, that the IT service providers you use are HIPAA (for medical information) and/or GLBA (if you deal with financial information) compliant, and be sure if you sponsor a company health plan, that you get a HIPAA Business Associates Agreement signed.  You may also need a GLBA vendor agreement in place.

Hacker Groups in the News – Are They The Only Danger?

Recent news reports have named certain hacker groups that have been linked to recent large breaches and ransomware schemes.  We’ve heard about DarkSide, REvil group, Avaddon, Evil Corp, DoppelPaymer Gang and more.  I asked Ted Mayeshiba and Sidd Gavirneni if we should be worried only about these more infamous groups, or should we be focusing mitigation efforts on a wider range of hackers?  Who should we be afraid of, and why?

“The larger groups offer Ransomware as a Service (RaaS),” said Ted M.  “This means they put kits together for any middle school whiz kid to use and distribute.  They leverage servers and infrastructure where payments are processed and the heavy lifting of hacking is done.  It’s the democratization of evil.  What this means, however, is that ‘spearphishing’ will become more dangerous.  More people, who are likely to know more about you, may send more enticing emails with links for you to click.  Social media is now an attack vector.  Therefore, it’s important that you NOT use the same photo for business and personal media accounts.  Facial recognition software has progressed now, so hackers are able to associate facts on your Instagram account tied with facts on your LinkedIn account to give a good picture of enticements for the hacker to use against you.”

People often give me a hard time about why I don’t have social media on my phone and why I don’t have an Instagram account….  Hmmmm… I wonder why?  And for those of you that may not understand the humor, a phone is also a device that needs to be protected and secured.  All devices do, if they are used for company business.  Much to my frustration at times, my phone is encrypted, and I download very few applications on it.  Those that are downloaded are approved by Aditi Group.  Phones can get hacked too, and if they are connected to your networks at the office, they can be just as dangerous as a laptop.  For social media, I primarily use a tablet that is not connected to any office networks or databases.

“The most important goal is to protect your business – irrespective of the size or type of a malicious actor group,” stated Sidd. “And this is because there are many, many more malicious actors that are not in the news – including newbies. The average cost of a breach for small businesses is $3.6M, and we have seen instances of ransomware attacks by amateur cyber criminals.”

Keep in mind, many of these are faceless individuals, clicking away at holes, trying to find a way into your network.  It could be someone next door to you.  It could be a friend of your son’s or daughter’s.  Social media, as Ted M. said, is now a major source of your personal information and a breeding ground for hackers, including, as Sidd mentioned, the newbies. 

Healthcare and Insurance Group Attacks

Turning to something close to probably everyone reading this article, healthcare and insurance groups have always been a huge target for hackers and cyber-attacks.  Anthem, Premera Blue Cross, Mass General, Cottage Health, UMass and, more recently, Scripps have all fallen victim to cyber criminals.  Since much of our reading audience is in the healthcare and health insurance business, or a field supporting that business, are there certain things this industry should be doing more of to protect patient and customer medical data?

“Healthcare-related businesses usually are subject to Federal HIPAA laws and local State laws that require ‘de-identifying’ patient info or protecting it,” stated Ted Flittner (Ted F.).  “Protection falls on data when At Rest, In Motion, and Deleted.  And we must Control Access to just the people who are Authorized to see data.  Making all that happen is a lengthy topic and starts with knowing your company.” 

Ted F. continued: “The most common statement made by Health and Human Services and Office of Civil Rights in HIPAA violation cases is a lack of adequate RISK ASSESSMENT by the companies.  The first responsibility is to understand your own company’s risks of violating HIPAA privacy rules.  The second responsibility is to make a plan to reduce or eliminate those risks.”  Of course, Ted F. is speaking my language, because as I said above, I’ve been doing HIPAA Privacy & Security Training since 2002, and it’s one of the most important things I tell my students, who are generally CFOs, CEOs, corporate Presidents, Partners, as well as Human Resources professionals and insurance agents.  But telling them and having them listen isn’t enough.  They have to do something about it.  They need to take action. 

Ted F. continued: “Number one: get an outsider’s view of your business risk.  The actions following a risk assessment are specific to the company.” 

Sidd Gavirneni took a somewhat different approach to my question.  “Cybersecurity is all about People, Processes, and Technology – making sure that businesses are looking at it holistically.”

“Healthcare is extremely susceptible to cyber-attacks because of the amount of sensitive data, the third party tools and products being used, and the proliferation of IoT devices,” continued Sidd. “So, we always recommend starting with understanding your ecosystem, and creating cybersecurity processes around that ecosystem. There are many things you need to do, but we’ll talk about only a few things that healthcare businesses can get started with:

  1. Ensure that you continuously maintain an inventory of all software and devices you are using, and patch them at least once a month with any software updates.
  2. Encrypt all data.
  3. Make sure that you are backing up all data continuously, but also have a process to restore that data.
  4. People are the primary root cause of breaches. So, train all your employees, consultants, and contractors on cybersecurity best practices. This cannot be a “once a year” effort. It needs to be at least once per month, so it stays top of mind.”
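The list above pairs continuous backups with a process to restore them, and Ted M. earlier described the Indiana library’s wipe-and-restore approach.  As an added example, written for this article and not code from the article, Aditi Group or Zeguro, the Python below records a SHA-256 manifest at backup time and then uses it to verify a restored tree, reporting missing, changed and unexpected files; all file names and contents are constructed sample data.

```python
"""Backup manifest and restore verification (added example, constructed data).

At backup time, record a SHA-256 hash of every file. After a wipe-and-restore
from the offline copy, compare the restored tree against that manifest so the
restore process is verified, not assumed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in 64 KiB pieces so large files do not load into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_is_clean(report: dict) -> bool:
    """True only when every backed-up file is present and unchanged and nothing extra appeared."""
    return not (report["missing"] or report["changed"] or report["unexpected"])


def demo() -> tuple:
    """Simulate backup, an encrypt-and-rename style corruption, and a verified restore."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    live = work / "live"
    offline_backup = work / "offline_backup"

    # Constructed sample data standing in for a small business's files.
    (live / "patients").mkdir(parents=True)
    (live / "patients" / "roster.csv").write_text("id,name\n1,Sample Patient\n")
    (live / "policies.txt").write_text("Encrypt all data at rest.\n")

    # Backup: copy the tree offline and store the manifest beside it.
    manifest = build_manifest(live)
    shutil.copytree(live, offline_backup)
    manifest_path = work / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))

    # Simulated attack: one file overwritten with junk, one renamed with a new extension.
    (live / "policies.txt").write_bytes(b"\x00junk")
    (live / "patients" / "roster.csv").rename(live / "patients" / "roster.csv.locked")
    damaged_report = verify_restore(live, json.loads(manifest_path.read_text()))

    # Response: wipe the live tree, restore from the offline copy, verify again.
    shutil.rmtree(live)
    shutil.copytree(offline_backup, live)
    restored_report = verify_restore(live, manifest)

    shutil.rmtree(work)
    return damaged_report, restored_report


if __name__ == "__main__":
    damaged, restored = demo()
    print("after attack:", damaged)
    print("after restore:", restored, "clean" if restore_is_clean(restored) else "NOT clean")
```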

I can’t agree with Sidd more.  Too many companies, in my opinion, train their people once, and then forget about it.  Some even go so far as to train every two to three years, but with technology changing, and employees being those human beings I mentioned, it just doesn’t stick with them.  If you’re a business owner, I implore you to read these words and let them sink in… Then read them again and again until you remember them.  Your best defense is to train your employees, your consultants, and contractors on privacy and security of all types, and keep doing it, over and over.  Once a month may be overkill for some companies, but for many others, it could be the difference between getting hacked and being safe.  Know your business and talk to a consultant to help you determine what type of training and how often you need it for your employees, given your situation.

No Industry is Safe

No one is safe.  No industry is safe.  Even professional sports teams have been victims of cybercrimes recently.  The Houston Rockets were hit with a ransomware attack, even after they claim to have prevented some attacks.  This attack was reported as minor, but is it really minor if at least one person falls victim to these attacks and pays? 

“It can appear minor to the victim if the dollars are low and they learn their lesson and tighten security,” stated Ted F.  “It depends on the type of ransomware attack.  Some are simply caused by an executable file that just encrypts data.  Some attacks are real breaches into a company’s network AND the lock-up of their data.  These situations are a lot more complex and mean the attackers may HAVE copies of some or all of the data.  And of course, any payment of ransomware boosts the motivation of these pirates to attempt more plunders.  Sometimes even to the same victim all over again.”

Software Updates and Patching

One of the most important things I want to talk about today is software updates and patching, and why they matter.  Apple recently released a macOS update to address a vulnerability that was allowing malware to work around privacy settings.  Microsoft 365 had vulnerabilities in email applications.  Microsoft also released patches for limited and targeted attacks.  What should businesses be doing to assure that updates and patches are installed and used?  How important is this?  Once again, I asked the experts.

“Remember that HIPAA requires that ‘Covered Entities’ – those subject to HIPAA – always use computer systems and software that are still supported by their makers.  That’s because we know that weaknesses are continually bubbling up to the surface.  And as they appear, companies scramble to push out patches as software updates,” responded Ted F.

“Sometimes these weaknesses are glaring holes.  But most often they are rarely encountered combinations of keystrokes and commands that can unintentionally allow hackers to get in or take control of computers.  Once a vulnerability becomes known about by hackers, they share with other hackers and malware code is written and deployed around the world.  The most common way to spread those viruses is with spammy emails with links we shouldn’t click on…” 

And how many times have we seen just that?  Employees, again, your weakest link, should know better, but they don’t, or they forget.  You must train them on the dangers, and you must do it frequently.

“Some exploits can be made on computer servers directly – like the ones in your office or running the stuff ‘in-the-cloud’ without any users clicking on email,” continued Ted F.  “These are the kind of exploits that we see when a website is ‘hacked’ and you see ads for ED or cheap drugs.  They are also the attack opportunities like Microsoft had with their Exchange email software this year.  That one event allowed more than 30,000 Exchange email servers to be attacked by malware before patches were deployed.”

I continued this discussion with Ted F., who added: “Hackers rely on the time window of opportunity between when an exploit is revealed and when software companies publish updates.  But most importantly, before users – you and I – update our computers.”  Timing, as Ted F. said, is everything.  And often, only a short amount of time is enough to set the path towards data destruction or ransom attacks.   

“Patching is critical, and should be done as frequently as possible,” stated Zach Ayta of Zeguro. “If an organization is unable to automate patches so that they are installed as they become available, then patching should be done on regular intervals, more often than just monthly.”

The Travel Industry

The travel industry has also been hit hard recently, after a devastating 15+ months.  Booking.com, Malaysia Airlines, British Airways and more have been victims.  As people and businesses are finally starting to travel again, for both vacations and business, what can they do to keep their information safe?

“Lost or stolen phones are the number one way that data gets intercepted when you’re traveling,” stated Ted F.  So, I asked for a list of “to-dos”, and Ted F replied:

  1. Back up your phone.
  2. Secure your phone with a strong password – not just a few thumb strokes or a 4-digit PIN.
  3. Only use public wifi with a virtual private network or VPN.  IT Service companies like ours can set up a hardware VPN or you can subscribe to VPN software. 
  4. Don’t text or email secret info like your passwords to family or office while traveling.  SMS and email are inherently insecure – like sending postcards.  Set up password storage programs – LastPass, Dashlane, etc. – before you travel. 
  5. Be mindful of who is watching or listening to phone calls when you tell someone your name, address, birthday, social security number, or credit card number over the phone.  Use an ear bud and not a speaker phone.”

Because these things are so common, I pressed Ted F. for more information.  “We also avoid downloading and installing apps which may be convenient but really are not necessary.  These apps from travel companies and smaller businesses may have flaws and may not be updated as quickly as operating systems and big software programs.”

There we are again, back to the dangers of apps on phones… With all of the sports events moving to mobile ticketing only, that was a tough one for me.  I may have to buy a second mobile phone just to use for mobile ticketing!

Working From Home Dangers

Another thing we should be concerned about, particularly now with more people continuing to work from home, are kids and online gaming, as there are always issues with security.  What about the parents of those kids?  What can be done to keep your kids, as well as your data, safe while playing online games?

“The only real way to protect your data and allow online and multiplayer games is to keep the gamers separate from any computers and phones that have your business data or sensitive personal info,” replied Ted F.  “Don’t allow games on your computers, and never on business machines.  Use separate networks.  Virtual Local Area Networks (VLANs) use the same internet provider, same wires, but special hardware creates separate virtual networks that can’t talk to each other.  So, kids can be on their own, and you or Work can be on another.  Risky games on the Kid’s Network won’t affect you on the Work Network.  It can be all inside your home.  I recommend you call an IT Service company like ours to learn more or have us set it up.”

Zach Ayta had additional ideas on this subject.  “Malicious actors will stop at nothing to creatively gain access to information or hardware through gaming platforms. Parents should encourage the following:

  1. Avoid participating in chat, when possible
  2. Never share personal information about yourselves or your personal lives
  3. Avoid clicking links provided in chats
  4. Only download gaming updates from app stores or within the game, never from external websites/sources
  5. Only add gaming friends/contacts that they know in real life (IRL).”

New Cybersecurity Regulations

Moving on to another subject, I asked the experts about new cybersecurity regulations.  The Department of Homeland Security is working on regulations…  The Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency are getting involved.  I asked them how much they think the government can help with this problem.  Even if we have regulations, will that solve the problems?

“Rules don’t really change human behavior,” stated Ted F. matter-of-factly.  “Regulations may lead to more widespread use of security steps like 2-factor authentication (like when your bank sends a confirmation code to login).  But rules won’t prevent people from clicking on email links to malware. And we all know that people still have to follow the rules.  HIPAA was enacted in 1996, [and has been enforced since the Privacy & Security Rules went into effect in] 2003.  But companies still routinely violate HIPAA rules.”

That they do.  All you have to do is take a glance at HHS/OCR’s “wall of shame,” which they seem to be very proud of, to see just how many entities violate HIPAA Privacy & Security rules, as well as HITECH, regularly.

“We still need to be aware, train our co-workers to be aware, and assess our risks, put measures in place to help reduce risk, and consider insurance for when the unexpected does happen,” continued Ted F. 

“The increase in regulatory frameworks is unsurprising, but necessary,” stated Sidd Gavirneni. “One of the challenges is that passage of regulations is an archaic process, and often by the time they are instituted, the technology world may have evolved well beyond the scope of the regulations. Secondly, current regulations fail to motivate organizations to go above and beyond what is required of them.”

In case you haven’t been reading the news or watching it on television or online, the recent meeting between President Biden and Russian President Putin put cybersecurity in the forefront.  Although nothing specific came out of that meeting, the two did agree to “begin consultations on that issue.”  (Russian President Putin in a post-meeting interview).  But, we all know, actions speak louder than words, and I’m guessing it will be quite some time before we see any real actions from the US and Russia in a combined effort, if ever.

Training for Employees

Let’s talk about proper training for the front-line workers of businesses.  Those who sit at a computer most of the day… We’ve mentioned training a number of times in this article so far, but as far as I’m concerned, you can’t talk about it enough. What kind of training do employees need to help protect their company’s security?

Ted F. was more than happy to discuss this topic again.  “Know company policies and why it matters to follow them.   The key topic these days is email diligence.  Don’t click on email links or download files that you don’t really know.  Slow down and take time to scrutinize.  Teach people how to recognize fakes and legitimate messages,” he stated.  “And train people on how to react if malware, ransom, or phishing attempts succeed.  Who should they call and what should they do next?”  That seems to be one of the glaring missing pieces in most employers’ privacy policies. 

“Employees are often the first and last line of defense against security incidents and equipping them with the education they need to change their behavior is important,” stated Sidd Gavirneni. “The key for any effective training is that it is not one size fits all. A robust training program should address both the knowledge gaps in an employee’s cybersecurity aptitude and risks that they face in their job functions. Additionally, many security awareness programs fail because every employee takes the same training at the same time, typically annually. Ongoing training on a monthly basis helps keep security top of mind.”

How do you train your employees?  Every company, every industry is different.  However, there are easy training tools you can use.  Up-to-date video training is cost effective and easy for Human Resources.  However, if you use video training, it’s best to incorporate live interactions within it.  Personally, I like to create my training videos with stopping points in the video where you can literally hit pause and do role playing with your staff, or other interactions, to keep them engaged and aware.  I also include statements in my videos, usually at the end, where I inform the employees that their employer will now distribute its internal policies and review them with them, to make sure that the employer is actually prepared to have the training. 

We also find that more than one voice or face in a training is good, particularly in longer training.  One voice, no matter how effective they are, can cause someone to lose interest after a time.  Short (one hour or less) trainings are usually ok with a single voice, but longer ones may lose the audience. 

I personally love in-person, live training, although I had to convert to web-based training during COVID.  In-person training allows the trainer to look the employees in the eyes, see where they are confused and stop to see how you can help.  Now that we are opening up again, and more people are vaccinated, we will be going back to live training in the next couple of months.

I tend to shy away from online-only training with no interaction, because people tend to not pay as much attention.  If you are using an online-only training tool, be sure to use one that has tests that employees must pass.  If using this type, also use double-authentication to be sure that you are in fact training the person you think you are training, and not having one person take everyone’s test (and perhaps get paid to do it by others). 

The most important thing is to decide what groups need to be trained, and train specific to each of those levels.  In HIPAA Privacy & Security training, I generally prefer 4 to 6 hours for Privacy & Security Officers and privacy work group members.  Most don’t do that… But I do like to be complete, and it’s far too complicated to do in an hour at that level.  I also like to do Supervisor & Manager training, as they have specific roles in monitoring and enforcing the policies of your organization, which is usually about a 2-hour training the first time, with follow-ups ongoing.  I believe electronic training and cybersecurity training is mandatory for everyone.  If it’s a provider group, then of course specific training is needed to address the requirements of a provider.  Basic All Employee Training is also needed, which in my opinion, should include electronic security and cybersecurity training today. 

Each company’s privacy officer and security officer should appoint a privacy work group to deal with day-to-day functions, including proper training.  That group should determine the most appropriate means of training that meets the needs of your organization.

If you’re not sure what type of training you need or how to go about it, you can certainly contact any of us involved in this article for assistance.  I know I’m happy to help you, and I know Aditi and Zeguro would be as well.

Cybersecurity Insurance

Cybersecurity Insurance is now available, yet many employers still haven’t even thought about adding it.  Is it affordable and is it worth the price?  I believe it is, and our experts agree, wholeheartedly. 

“This is just like other insurance questions.  If you can afford not to be insured, ok.  If you can’t afford the potential loss or cost of being without coverage, GET INSURANCE,” stated Ted F.  “The cost of ransomware for example could include the ransom itself, cost of forensics investigators to determine if they took your data, the cost of bad press, possible legal penalties for breach, and customer lawsuits for letting hackers get their data.  We think insurance is a great idea.”

Obviously, this was an easy question for Sidd, as the CEO and co-founder of Zeguro, a cybersecurity liability company. 

“Cybersecurity insurance is a critical part of a robust cyber risk management program.  Premiums are determined by a number of factors, including but not limited to an organization’s industry, projected revenue, amount of sensitive/confidential information, and security/process controls.  In general, I would describe cyber insurance as being relatively affordable for what is covered, but those costs are rising as insurers realize that their underwriting models were not fit for the risks they were taking on.  It is important that organizations work with insurers that have a deep understanding of cybersecurity and cyber risk and use more than financial modeling to evaluate premiums, so costs stay down over the long term.”

Conclusion

In conclusion, I would ask that you think about the current storm we’re in.  The clouds have not yet begun to part.  We are a long way from that.  But you have tools available to you to help you take shelter and weather the storm, and hopefully, see clear skies ahead…  You may have to invest in it financially and with administrative processes such as real training, but it would be money well spent.  Let’s combat the new national emergency with knowledge and action, and take control of our data, before it’s too late.  ##

Author’s Note & Mini Biography:

I’d like to thank the contributors to this article, Ted Mayeshiba and Ted Flittner from Aditi Group, as well as Sidd Gavirneni and Zach Ayta of Zeguro for their assistance.  Aditi Group can be reached at (855) Go-Aditi (855-462-3484) or info@aditigroup.com, and Zeguro can be reached at (855) 980-0660.  If you need or want my assistance, you can reach me at (714) 693-9754 x 3 or email me at dmcociu@advancedbenefitconsulting.com

Dorothy Cociu is the President of Advanced Benefit Consulting, and a veteran Privacy & Security consultant and trainer, with expertise in HIPAA Privacy & Security, HITECH, GLBA and related laws.  She is the author of a HIPAA manual for employers and trains and consults nationally on physical and administrative security, as well as some facets of HIPAA Security.  She relies on her technology partners, Aditi Group, for the IT security complexities of HITECH.  Dorothy is the host of her company’s own podcast, Benefits Executive Roundtable, and is an instructor for many CE courses for CAHU and its local chapters, as well as SIIA, PIHRA, SHRM and other associations.  She is the Vice President, Communications, of CAHU.  She is also an HRCI instructor, and her firm is an HRCI provider.  Advanced Benefit Consulting is also a CE provider for the California Department of Insurance.  They recently launched their new education platform, Empowered Education Center, Powered By Advanced Benefit Consulting & Aditi Group, which provides on-demand classes for HRCI credit, general employer education, Privacy & Security education and training, and coming soon, CE credit for agents on the platform (pending DOI approval at this time).  Her firm and her technology partners also do live training and have a monthly subscription service available for employee privacy & security training, including Cybersecurity.