October is Cybersecurity Awareness Month. Follow the conversation and do your part: #BeCyberSmart.
Follow us this month as we engage our health IT community in cybersecurity awareness as we are all trying to meet the new challenges of working from home and through the pandemic.
This is week 2 and the theme is Securing Devices at Home and Work.
2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Week 2 of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet-connected devices for both personal and professional use.
We asked our experts: How can organizations help and educate staff working from home on protecting their internet-connected devices from potential vulnerabilities?
Organizations can help remote staff by providing frequent reminders that privacy and security obligations do not stop at the walls of the organization. It is important to establish clear protocols and expectations for working from home, especially since the comfort that one experiences in their own personal environment can result in unintentionally lax actions. Specific actions that an organization can pursue are to facilitate secure connections into the organization’s virtual environment and to minimize the possibility or need for information to be exported to a personal device. If few opportunities are provided to go around or undercut security, then risks can be appropriately reduced.
The most important things to look at right now are the devices, the users of those devices, and the network they are connecting from. At the provider’s network, recheck all accesses: who can come in remotely, how, and what data will they have access to. If you’ve sent people home with their own devices or even corporate devices, make sure you have Virtual Private Networks (VPN) on those devices. You’ll need to train users to set up and use a VPN; they are very simple and easy, but only if you’ve been taught how to use them. The whole family is at home now, so change those default router passwords on your home network. If you must share devices, look at who is sharing, and while little Johnnie may need your computer to go to school, maybe he shouldn’t be able to get to your email on the computer. It is the simple things that will likely trip us up, and these are the things that get overlooked when you are acting fast. Now is the time to go back and clean up, check things, and provide training and the appropriate tools (anti-malware, VPNs, regular updates and patching for the operating system and applications).
If you haven’t thought about using Multi-Factor Authentication (MFA) for your remote access users or for any cloud-based systems you may have, like email, this is the time to take a hard look. MFA solves a lot of security issues around email, phishing attacks, and stolen credentials. This would be a win.
And finally, it isn’t just about your computer or the network at home. One thing that is commonly missed is printing. That ePHI you print out for reconciliations or validations now winds up in your trash or gets recycled for printing on the blank side by those family members sharing the device and printer. Few homes have shred bins or appropriate disposal of protected information, even if you shred your personal documents.
Organizations should broaden the concept of the IT help desk to include home networks. After all, like it or not, home networks nowadays have strong and continuous interactions with key hospital IT assets: employee computers. Most workers want to follow security best practices but often don’t know how. So, help desks should emphasize the importance of keeping each home device up to date, optimizing home router configuration, and using strong passwords, instead of waiting for security incidents at home to prevent someone from working or, worse, expose hospital assets. A forward-thinking help desk will optimize home security by helping staff acquire and properly use the right security products, perhaps even negotiating volume discounts. Prevention is less expensive than correction; what better way to secure home networks and hospital assets?
The key element to a strong overall security program is also the key to ensuring the security of systems and data during the pandemic, and that is building and maintaining a culture of security. This means getting the entire organization’s commitment to securing data. At Arcadia, we have a formal security program that achieved HITRUST CSF® certification, but we have also cultivated an organizational culture where our people are aware of security issues, practice good security habits, and prioritize security in their daily lives, whether in the office or at home. It is imperative that organizations utilize communications channels like Slack and email, as well as other mechanisms, to accomplish this, including periodic reminders of important items like the use of strong passwords and password hygiene, anti-phishing training, and the importance of patching. It is also important to share the results of the various testing that is done with the broader team, including password checking, anti-phishing tests, and system patch testing. By combining the reminders with the results, employees can see that their efforts help in securing our systems and customer data and are things they can apply at work and at home. And, of course, it is critically important to apply a broad set of technical controls across your environment to protect when the human element “slips up”.
Here are 5 quick tips:
- Never allow any employee to use their own equipment to get on your network.
- Have security protocols for offsite email.
- Maintain the same or compensating controls for remote work as you do for in-office work, such as locking down devices.
- Train staff not to access non-secure networks (e.g., at a coffee shop) as this opens them up for risk of cyberattacks.
- Train the workforce via phishing tests and on how to report potential malicious emails.
These days, many consumer devices, such as “smart” devices, thermostats, door locks, coffee machines, smoke alarms, light fixtures and toys, connect to the Internet and offer features that are available when you connect the device to the Internet, most often through your home wifi or internet connection. These features make our lives much easier and make it very convenient to interact with, control, or monitor these devices through apps. However, they also expose us to all sorts of new threats. Just like traditional computers, these devices could have weak cyber security defenses. Connecting consumer devices to the Internet could expose these devices to attackers and allow them a pathway to your home network; once they are in, attackers can leapfrog to other systems in your home network or steal sensitive data. Devices could also be compromised and co-opted into “botnets” that could be used in cyber-attacks, spreading ransomware, or perpetrating scams on the Internet.
Simple security measures go a long way, including:
- Install devices behind a secured router and turn on your firewall.
- Update your devices to the latest firmware and patches (and keep them updated).
- Set up secure passwords, use different passwords for your online accounts, and use 2-step login for your online accounts.
- Be vigilant and don’t fall victim to online scams and phishing.
A key component of any security program is ensuring that the organization has a clear understanding of where risk resides. One of the most effective ways to understand weaknesses within a network is with a penetration test/ethical hacking assessment. Penetration testing has been around for years, but many organizations are missing the mark when it comes to utilizing this security powerhouse. While they understand the need for a penetration test, organizations are challenged with understanding the right level of risk assessment for the organization, the associated ROI, and what to plan for or expect during an engagement.