Government agencies – state and federal – have spent the past several months trying to get healthcare’s attention about cybersecurity and the simple steps that organizations can take to reduce their risk of ransomware.
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.”
Donald Rumsfeld, February 2002
The California Office of the Attorney General recently followed the trend and issued a Bulletin that lays out the simple preventive steps healthcare entities can take to help minimize risk –
- Keep all operating systems and software housing health data current with the latest security patches;
- Install and maintain virus protection software;
- Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
- Restrict users from downloading, installing, and running unapproved software; and
- Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.
"To assume makes an a** of u and me."
High Schoolers throughout the US
The Danger of Assumptions
I saw a poll on a compliance officer forum that I follow. Out of roughly 100 respondents, 90% stated that their organizations had fully implemented all 5 steps to minimize risk.
I don’t believe it.
Based on our experience out in the real world, it’s just not true. Let’s just take the easiest, most non-technical control. The organizations that replied likely have implemented annual HIPAA training that touches on the HIPAA Security Rule and discusses security practices that employees are expected to follow. It may even make mention of not clicking suspicious links and guarding against phishing emails.
But has the organization implemented phishing exercises? Is once a year “regular”?
When you move on to the security controls, most of the compliance officers would need to defer to their information technology counterparts. The compliance officers only know what they’re told. And IT has too much to do – just like compliance – so tradeoffs are made routinely. There may be a patching backlog. There’s likely a data backup and recovery plan – but is it ever tested? And so on and so forth.
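The backup-and-recovery step in the Bulletin and the "is it ever tested?" question above are the same control seen from two sides: a plan on paper versus a restore that actually works. The script below is an added example (not from the Bulletin, the Attorney General, or Apgar and Associates) of what a routine restore test can look like. It archives a directory with a SHA-256 manifest, restores the archive into a scratch directory, re-hashes every file against the manifest, and flags an archive that is older than policy allows. The file names, contents and one-day age threshold are constructed assumptions for the demonstration, not real data or a real policy.

```python
"""Backup restore-test harness (added example; not the Bulletin's text or any vendor's tooling).

Implements the control that is easiest to claim and hardest to prove: "regularly test a data
backup and recovery plan". Sample files, paths and the age threshold are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, backup_path: Path) -> dict:
    """Archive src_dir to backup_path (tar.gz) and return a {relative_path: sha256} manifest."""
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    # Keep the manifest beside the archive so the restore test has an independent reference.
    backup_path.with_name(backup_path.name + ".manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_restore(backup_path: Path, manifest: dict, max_age_days: float = 1.0) -> dict:
    """Perform a real restore into a scratch directory and compare it with the manifest.

    'ok' is True only when the archive is readable, every manifest file restores with a
    matching hash, nothing unexpected appears, and the archive is no older than max_age_days.
    """
    report = {"missing": [], "corrupt": [], "extra": [], "error": None, "too_old": False}
    age_days = (time.time() - backup_path.stat().st_mtime) / 86400
    report["too_old"] = age_days > max_age_days
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                try:
                    # 'data' filter rejects absolute paths and '..' members (Python 3.12+ and backports).
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # older interpreter without the filter argument
        except (tarfile.TarError, EOFError, OSError) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
        else:
            restored = {p.relative_to(scratch_path).as_posix(): p
                        for p in scratch_path.rglob("*") if p.is_file()}
            for rel, expected in manifest.items():
                if rel not in restored:
                    report["missing"].append(rel)
                elif sha256_of(restored[rel]) != expected:
                    report["corrupt"].append(rel)
            report["extra"] = sorted(set(restored) - set(manifest))
    report["ok"] = (report["error"] is None and not report["too_old"]
                    and not (report["missing"] or report["corrupt"] or report["extra"]))
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup, a manifest that no longer matches, and a stale archive."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ehr_export"  # constructed sample data, not real patient information
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.csv").write_text("id,name\n1,sample\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        backup = work / "nightly.tar.gz"
        manifest = create_backup(src, backup)
        results["clean"] = verify_restore(backup, manifest)
        # Manifest disagrees with what restores: the test must report config.ini as corrupt.
        tampered = dict(manifest, **{"config.ini": "0" * 64})
        results["tampered"] = verify_restore(backup, tampered)
        # Archive untouched for three days against a one-day policy: a plan exists, but it is stale.
        three_days_ago = time.time() - 3 * 86400
        os.utime(backup, (three_days_ago, three_days_ago))
        results["stale"] = verify_restore(backup, manifest, max_age_days=1)
    return results


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "OK" if rep["ok"] else "FAIL", {k: v for k, v in rep.items() if k != "ok"})
```

Running the script exercises all three outcomes: the clean backup passes, the mismatched manifest is reported as a corrupt file, and the three-day-old archive fails the age check even though its contents are intact. Scheduling a check like this and keeping its reports is what turns "we have a backup plan" into evidence that the plan is tested.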
These are the unknown unknowns, and if one of them comes back to bite the organization through a successful ransomware attack, you will know you’ve been bitten!
Apgar and Associates security risk analysis services help organizations take a holistic look at the threats they face, and at their vulnerabilities – and to minimize risk. Take a look at what we provide here. Then give us a call.