Apple Update Leaves Users One Step Forward & One Step Back


Latest Update Includes KRACK Patch but Comes Alongside News of iOS Zero-day Vulnerability

On November 1st, 2017, Apple released its latest stream of updates for a variety of devices and programs across its product line. First and foremost, the update has a number of security fixes for device programs like Siri and Messenger as well as browser vulnerabilities. Furthermore, there is a full OS update with the unveiling of iOS 11.1.
However, perhaps the most important element of the update is the included patch for the KRACK Wi-Fi vulnerability. Unfortunately though, as the door slammed on one cyber threat, the door for a new one swung open. An iOS Wi-Fi zero-day vulnerability also emerged on November 1st, from the annual Mobile Pwn2Own hacking competition. The details aren’t entirely clear, but recent reports state that:
“Tencent Keen Security Lab gets code execution through a Wi-Fi bug and escalates privileges to persist through a reboot.” – Zero Day Initiative
So, needless to say, it’s been a rollercoaster in the Apple security camp this week. To better understand both the good news and the bad, let’s break down exactly what they’ve fixed with the KRACK patch and what’s left to be addressed in light of the iOS Zero-day news.
What They Fixed: Understanding The KRACK Vulnerability  
Recently, conversations in the technology and business communities have been dominated by reports of a new cyber threat dubbed KRACK or Key Reinstallation Attack. KRACK has been described as a security flaw in the WPA2 protocol, which could allow criminals to break the encryption between a router and a given device. Once encryption is broken, criminals are able to intercept and interfere with network traffic.
Security vulnerabilities like KRACK can be hard to wrap your head around so here’s a quick breakdown of how KRACK happens:

Hackers find WPA2-PSK networks that they want to infiltrate and wait for a user to connect. In a modern business world, users connect to Wi-Fi hotspots everywhere – maybe in the office, but often in remote locations like a public park, coffee shop or their parked vehicle.
As the device negotiates the Wi-Fi connection, hackers can quickly interfere and decrypt any traffic being exchanged over Wi-Fi. This means hackers have the power to cause a lot of trouble without being on the network itself. Without an actual connection to the network, hackers take advantage of this vulnerability to intercept, modify or forge data as well as install malware.
What makes KRACK especially scary is the fact that the security flaw isn’t contained to a specific software program; rather, it targets WPA2 Wi-Fi – a widely used protocol that countless businesses and individuals rely on daily.

Apple’s Next Security Obstacle: What Is a Zero-day Vulnerability?
Zero-day may sound like some kind of apocalyptic blockbuster, but in the tech world, Zero-day is sort of like a hyped-up way of saying “we didn’t know before, but we know now and we’re working on it.” In short, Zero-day signifies the initial day that companies, like Apple, are made aware of security glitches that, up until that point, had been unknown. That means, if something is described as a 30-day vulnerability, Apple has known about it for 30 days, and so on.
The closer a security glitch is to the Zero-day mark, the more successful hackers are at exploiting the threat. Developing patches and fixes for bugs takes time, and when cybercriminals and scammers are in the know about Zero-day vulnerabilities, they become serious threats to an organization’s network security.
Apple Security Response: Latest Update Patches KRACK Vulnerabilities and Puts Timeline on Zero-Day
So, for Apple this week has meant some problems solved and others just beginning. Luckily, included in this iOS 11.1 update is a fix for the Wi-Fi-related vulnerability known as KRACK, which is available for some – but not all – iOS devices. According to Apple’s official support documentation, the KRACK fix only applies to newer iDevices, launched in early 2016 and later.
It’s unclear why the KRACK patch is only being made available for newer iDevices, but it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined older versions aren’t vulnerable to KRACK at all. Either way, if any of your team members use a pre-7 iPhone, have them on alert for an additional update from Apple just in case. Additionally, any users with an iPhone 5s, iPad Air or later can apply this update. In short, if your Wi-Fi-enabled iDevice can update, you’re strongly encouraged to update ASAP.
As for the newly identified zero-day vulnerability, Apple is now on a strict timeline to get the bug addressed and have patches released. Tencent Keen Security Lab, a competitive hacking team, earned a cool $110,000 thanks to their discovery of the vulnerability at the Mobile Pwn2Own competition. Apple now has just 90 days to fix the problem lurking on iDevices before details are made public.
As you can see, today’s cybersecurity developments move at lightning speed. Just as one problem is fixed, another presents itself. Companies like Apple are in a constant battle against increasingly sophisticated hackers, looking for OS vulnerabilities. Staying up-to-date on these issues is critical for any business that relies on technology to operate.
Knowing what’s out there and what’s being done to address it is critical to protecting your company’s devices, data and continuity. If the technical talk leaves your head spinning, you’re not alone! Reach out to local IT experts to help get a better grip on what’s putting you and your company at risk.

New York State Finance and Insurance Companies: Are You Up-to-Speed on the Latest State Cybersecurity Regulations?


The New York State Department of Financial Services (NYSDFS) has issued an updated version of its proposed Cybersecurity Requirements for Financial Services Companies, known as 23 NYCRR 500.

The recently unveiled regulation update comes following the mandate’s original publication earlier this year in March. These guidelines require banks, insurers and other financial service companies regulated by the NYDFS to set up a cybersecurity program aimed at protecting consumer information from being compromised or stolen.
Who Should be Paying Attention? Getting to Know the Industries Impacted by 23 NYCRR 500
This NYDFS regulation requires any New York State business that processes or holds personally identifiable information to implement adequate security measures to protect against personal data loss. This includes all New York State insurance companies, banks and other regulated financial service institutions, including accounting agencies, wealth management companies, and non-US bank branches.
The regulation is wide-sweeping and will impact Wall St. and at least 1,900 organizations with combined assets valued at 2.9 trillion. Plain and simple, if you provide a service or serve as a contract vendor in any of these industries, your business will be subject to these rules.
The NYDFS refers to these organizations as Covered Entities under the regulation and has outlined clear and dated compliance deadlines. Since March, New York insurance and finance organizations have been watching closely and working swiftly to ensure cybersecurity infrastructure and planning is up to snuff with 23 NYCRR 500 provisions.
The 23 NYCRR 500 Timeline: Important Dates in the Regulation’s Roll Out
For impacted businesses, here’s a timeline of 23 NYCRR 500 roll-out dates:

March 1, 2017 – Original 23 NYCRR 500 regulation takes effect.
August 28, 2017 – 180-day transitional period ends. Covered Entities are required to comply with requirements of 23 NYCRR 500 unless otherwise specified.
February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
March 1, 2018 – One-year transitional period ends. Covered Entities are required to comply with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR 500.
September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to comply with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR 500.
March 1, 2019 – Two-year transitional period ends. Covered Entities are required to comply with the requirements of 23 NYCRR 500.11.

Breaking Down the Regulation: What You Should Know About 23 NYCRR 500
23 NYCRR 500 was derived from National Institute of Standards & Technology (NIST) standards. The regulation holds Covered Entities strictly accountable for protecting client data – both in transit and at rest, through strategic security, data storage, and encryption solutions. The regulation seeks to clearly establish who is to be held accountable for data breaches and urges that organizations have clear-cut awareness and action plans for breach response.
Companies are required to set criteria, develop an incident response plan and implement the right cybersecurity mechanisms to prevent the breach or loss of personal information. Furthermore, organizations are required to explicitly disclose data encryption standards in contracts with all third-party service providers and ensure that standards are held up across the service experience. Finally, the regulation stipulates that these cybersecurity implementations should be overseen by a Chief Information Security Officer (CISO).
Head spinning yet? State regulations can be bogged down in overly-technical talk, so let’s break down the exact mandates that Covered Entities should be aware of:

Organizations must implement a strong cybersecurity framework, including requirements for a plan that is sufficiently funded, staffed and overseen by qualified management, as well as reported on periodically to the most senior governing body of the organization.
Organizations must utilize risk-based minimum standards for technology systems, including access controls, data protection, encryption and penetration testing. Encryption requirements for in-transit data protection take precedence and must be met by January 2018. Compliance for at-rest data protection must be met by January 2022.
Organizations must set out mandatory minimum standards to address any cyber incident, including a dynamic incident response plan, proactive protection of data in response to the breach, and swift notification to the Department of Financial Services (DFS) of all material events.
Organizations must ensure that company executives certify compliance with the NYDFS regulations on an annual basis. If certifications are not maintained or falsely reported to DFS, organizations leave themselves open to legal claims in the case of a breach.

Staying 23 NYCRR 500 Compliant: How to Get Your Business Up to Code
Now that the basics are laid out, most organizations are wondering – how do I put a plan in action to get and stay compliant? First and foremost, organizations should assess and take a detailed inventory of their current cybersecurity situation.
Evaluate the sheer amount of personal data your organization is accountable for and get rid of old data archives that are no longer relevant. Additionally, take inventory and log all the machines and devices that will need to remain monitored and compliant. By understanding the demands of your organization’s environment, implementing customized and reliable security standards will be easier.
In terms of implementing new standards and policies, here are the top areas for consideration:
Appoint a Chief Information Security Officer (CISO)
Having a specific employee designated to spearhead and monitor security and compliance issues is a fail-safe way to ensure client data is safe and 23 NYCRR 500 standards are upheld. Appointing a CISO is also helpful in streamlining security challenges, as team members are clear on who to approach with questions and concerns.
Establish a Dynamic Cyber Security Program
Organizations should ensure they deploy cybersecurity programs that are dynamic and all-encompassing. The program should cover all aspects of data security and compliance including strategies for data classification, access controls, systems operations, network monitoring, network security, disaster recovery, business continuity, etc.
Develop Detailed Cyber Security Policies
Cybersecurity policies should be clear-cut and consistently enforced. All employees should have access to the organization’s cybersecurity policy documents to ensure efforts to remain compliant are understood and brought full-circle. Policies should include clear guidelines for incident response, client data security, asset inventory, system control and management, vendor relations, risk classification, etc.
Proactively Manage Vendor Relationships
Organizations should ensure that vendor contracts have detailed stipulations about security and compliance standards. Furthermore, there should be a consistent effort to ensure compliance and security standards are upheld by all third-party service providers. This includes implementing annual penetration tests and bi-annual vulnerability assessments to ensure activity with all vendors remains secure and compliant.
Create a Transparent Incident Response Plan
No matter how prepared an organization is, cyber-attacks and data breaches still happen. The key here is making sure your organization has a transparent and strategic plan for responding to cyber-attacks. 23 NYCRR 500 not only requires organizations to create detailed incident response plans but also demands that all cyber incidents be reported to the NYDFS within 72 hours.
For New York State finance and insurance agencies, 23 NYCRR 500 may seem like a nuisance or a huge hassle. But organizations should remember that these regulations are designed specifically to support these industries in an increasingly tech-based environment.
While protecting client data is the number one priority, these regulations also ensure that protections are in place for finance and insurance bodies. By getting up to code, these organizations protect themselves from the larger operational and legal hassles that can result from unexpected attacks and weak cybersecurity planning.
Whatever you do, don’t put off these compliance concerns. Putting 23 NYCRR 500 compliance on the back burner can result in NYDFS sanctions. Not to mention the risk you put your business in by avoiding the regulations or falling behind the pack.
Take the time to understand your network and determine how to best implement custom-fit cybersecurity plans and policies. If you’re overwhelmed, reach out to a team of local cybersecurity experts for guidance and consultation. Don’t get caught up in non-compliance – protect your clients and protect business by adhering to 23 NYCRR 500 standards.

Business in the Age of Cyber Attacks: Outsmarting Criminals with Robust Security Strategies


It’s no longer surprising to know that we live in a world where business networks are constantly at risk and under attack. With cybercriminals getting more organized and sophisticated, no company is safe from the potentially catastrophic impacts of a network breach or malware infection.
However, as we continue to learn more about the ways in which cybercrime is becoming unavoidable, many business owners are refusing to roll over and simply wait for an attack to take their systems hostage. Smart business leaders are looking for the best ways to make their network security systems smarter and stronger.
How Smart are These Criminals? Understanding Modern Cyber Crooks
Business leaders hear this all the time nowadays. Cybercriminals are everywhere, they’re smart and strategic and getting more organized and efficient every day. But what exactly does this mean and is it an exaggeration? First, though it may sound like a fear-mongering cliché, the fact of the matter is, cybercriminals are getting better at what they do. In fact, just this year, Philip Celestini, Section Chief from the FBI’s cyber-division, announced that cybercriminals are becoming more organized – often working in large networks to infiltrate business networks.
“What we have seen, especially over the last two years, is that multinational cybercrime syndicates are right up there with the nation states,” says Celestini. “They are very, very sophisticated. They are doing extensive reconnaissance on all of us.”
As cybercriminals become organized into networks and as the digital transformation of the business landscape becomes more ubiquitous, criminals have increased opportunity to research organizations and their employees to determine the best ways to infiltrate and infect organizational networks. These criminals will go to extensive lengths to make their invasion channels more easily accessible.
Some cybercrime networks will assign specific team members to the sole task of researching and getting information on and from company representatives. This can involve countless hours of social media and search engine research or can involve collaborating with people on the inside to get their hands on otherwise impossible to access company resources like passwords and flash drives.
Second, it’s important to note that no person or business is safe from unexpected hacks and attacks. Often, SMBs think they’re safe – far off the radar of devious cybercriminals who are seeking large-scale networks to breach. Think again. According to Keeper Security’s report called “The State of SMB Cybersecurity”, an astounding 50% of small-to-mid-sized organizations reported suffering at least one cyber attack in the last year. Not to mention, as technology evolves and more opportunities for unauthorized access are discovered, the rate of cyber incidents is bound to grow.
Lightning Fast and Quiet as a Mouse: How Attackers Slip Inside Business Networks Undetected
Cybercriminals are also getting good at finding ways to infiltrate networks sneakily to avoid being detected. Criminal strategies for working quietly and quickly include:

Setting up phony diversions like attacking web servers from the outside while invasions are taking place to distract business owners from any abnormal activity.
Searching for additional hosts to gain access in case initial access points are detected and blocked.
Installing malware right away to establish a command and control channel and start stealing data with astounding speed.

Cybercriminals rely on making all of this happen very quickly. Invasions are secretly launched, malware is activated, command and control are established, data is stolen, systems are disabled and the command and control channel is shut down as fast as possible to avoid detection.
For the sophisticated criminals behind the control panel, attacks are becoming more efficient. Cybercriminals are becoming more and more like the conductors of flawless classical music orchestras. To them, attacking poorly-prepared network endpoints is truly like taking candy from a baby.
Mismanaged and unmonitored network endpoints can:

Become entry points for attackers looking to gain a foothold in your organization
Enable attackers to move laterally within an organization to breach specific targets
Be used to capture data, send unauthorized Tor traffic, or become part of a botnet.

Even a simple router, network firewall, or segmentation misconfiguration can provide an attacker with an entry point to penetrate infrastructure and gain access to sensitive data. For business owners, it becomes harder and harder to stay a step ahead of the threat.
Vigilance in the Face of Constant Threat: Building A Superhero Security Strategy
Very often business owners make a similar mistake: they let breaches or cyberattacks be the sole driver of their cybersecurity improvements. A word to the wise – don’t fall victim to this trap. If your business’ cybersecurity strategy is only responsive and not proactive, you won’t stand a chance against the worsening cybercrime climate that is impacting businesses of all shapes and sizes and across all industries.
So, in the face of constant and worsening cyber threats it becomes clear that IT security teams need to be more vigilant than ever. Additionally, security infrastructures need to be designed in a way that keeps businesses one step ahead of sophisticated cybercriminals. To counteract these attacks, businesses need strong and dynamic security networks that can close the door on attacks as they’re happening.
Network protection policies need to be designed in a way that allows the network to be both the sensor of attacks and the enforcer for protections, detecting and stopping attacks simultaneously. This is the only way to keep a step ahead of criminals and contain network attacks before data can be stolen and systems disabled. This kind of security strategy requires that cybersecurity solutions be built into networks proactively.
Business leaders should consider the following priorities when building proactive and protective IT security infrastructures:

The need to address urgency

Before all else, businesses need to make the conscious decision of making cybersecurity a top priority. Proactive solution strategies and consistent monitoring are key factors in making sure cybersecurity strategies respond adequately to the urgency of cybercrime threats. Poorly implemented and unmanaged IT infrastructure and endpoints leave an organization vulnerable to big-time risks.

The need for tried & tested processes

Next, it’s critical to develop and uphold processes for every aspect of cybersecurity implementation and management. Furthermore, these processes should be consistently tested and re-tested to ensure they remain current and strategic in the face of new and evolving threats.
Deliberate and detailed best practices help to ensure proactive protections are in place and deployed correctly. Additionally, in the case of a breach, processes make response and recovery times quicker, limiting potential damage.

The need for detailed reporting and regular system audits

Auditing and reporting are key to the maintenance and improvement of any business. Business owners implement reports and audits for nearly every aspect of their operations, and cybersecurity should be at the top of that list. Forensic incident reporting helps security teams adapt strategies to be even better prepared for future attacks.
Also, performing regular audits of the network’s devices is critical. Business owners should conduct regular and automated inventories of all devices and systems that connect to the network. Failure to do so could leave devices unmonitored and susceptible to attack.
To make this kind of security environment a reality, organizations need to constantly enforce real-time, context-driven security intelligence. Without it, attackers can and will find the ways to move around a network and wreak havoc before they’re even detected.
Implementing a robust and reliable cybersecurity infrastructure may seem like a huge undertaking, but rest assured that it will be much less of a hassle than trying to rebound after being caught off guard by an attack. Putting the time and effort into a proactive and informed cybersecurity strategy will pay dividends in the long run.
Not sure how to be a proactive cybersecurity superhero? Don’t be afraid to reach out to local IT experts for help or consultation. Don’t let cybercriminals call the shots – work to keep the bad guys out of your business space before they even try.

How To Manage Your Email  


Learn how to implement the five-folder email system and get rid of email overload.  

It’s easy to become a slave to your email inbox. Unless you take control and implement a strategy, your inbox can quickly become unruly, especially when you’re using email for business.
If you’re in a position where a lot of collaboration is needed between teams and other organizations, your inbox can truly turn into a painful mess.
A lot of folks make mistakes when trying to manage their inbox. Some create folders based on topics, and others try to use their inbox as a to-do list, while some save every single email. Either way, you’re just shooting yourself in the foot. What do you do when an email requires a response?
Where do you file an email that covers two separate projects? How do you even find enough hours in the workday to respond to emails that just pile up one after the other? It’s easy for emails to get pushed further down and actually get lost. However, there is actually a way to better manage emails, and it’s fairly simple. You only need to create five folders to make your work life easier.
The Five-Folder Email System

The inbox is a holding pen and should be seen as that. You don’t need to keep an email in the holding pen any longer than it takes to file it in another folder. The only exception is if you have to respond immediately and need an immediate response.
Set up a “today” folder for everything that must be responded to today. This way, you reach those deadlines.
Create a “this week” folder. This will keep you on track on which emails you need to respond to by the end of the week.
Create a “this month/quarter” folder. These types of emails give you a longer-term response period. It’ll help ease up on the pressure and get you more organized.
Set up an “FYI” folder. Often, people send you emails just for your information. If you think you may need it for future reference, save it in an FYI folder.

A More Detailed Look at Taking Control of Your Inbox: An Inside View
Become the master of your inbox with the five-folder email system and stick to it. Don’t just do it halfway either. Don’t get lax once the newness of it wears off. Show no mercy when it comes to the five-folder rule. Here are some inside tips to make the five-folder email system more effective.
Don’t confuse the mounting email in your inbox with your other pressing job responsibilities. Keep a specific to-do list. For example, delete emails once you’ve attended to them. If you have an email thread regarding the scheduling of an important meeting, once you’ve handled it, get rid of it in your mailbox.
You may not be as important as you think. Not every email requires your response, input or opinion. Know the difference between when to speak and when not to speak. In addition, not everyone else is all that important either. While other people may want a response today, it’s not always deserved or needed. Learn to separate the wheat from the chaff. Do not put these types of emails in the today folder, and make no exceptions. Today’s email folder should only include important messages from bosses, customers, and urgent projects. If your work is project-based, just create a five-folder system for each individual project.
You can also multi-task different folders at the same time. A good strategy is to keep your “today” folder small and give yourself more time to handle longer-term emails in the “this week” folder. Select a day to handle this week’s emails. You can always begin a response as a draft and send it later.
Another tip to make the system work is to create a five-folder system for each project. If you have multiple projects running at the same time, the five-folder system still works. Once the project is finished, go ahead and archive the whole structure.
Like anything else new, the system may feel unnatural when you first implement it. Give yourself time to feel comfortable with it. Just stick to it, and you’ll find that those days of being overburdened with email are over. The benefits of implementing the five-folder email system include:

Less email overload
Less compulsive email checking
Reduction in time email takes to read and respond to
Increased work productivity
Less stress
More time to complete other work-related duties

Many email programs make it easy to create folders. For example, Microsoft Outlook allows you to create folders for personal organization. It has a built-in create new folder dialog. Just set the folder up and use the create rule tool. It will automatically organize all emails into your folders. It doesn’t get any easier than that.
Inbox email overload is a common problem in the workplace today. It’s like trying to climb a mountain. Once you think you’ve reached the peak, the mountain just gets taller. It can be a never-ending trek to the summit. Most workers receive at least 100 emails a day in their inbox. Throughout the day, more and more emails continue to just get dropped into the inbox. It’s a flood of constant communication. It’s time for workers to attack the problem with a strategic plan that works. The five-folder email system works. Get started with the five-folder email system today and enjoy the freedom it gives you.

The 5 HIPAA Compliance Sins You’re Unintentionally Committing … and How to Avoid Them  


HIPAA compliance is critically important, but unfortunately not at all simple. Here are 5 deadly sins you might be committing, and the secrets to avoiding them.  

Okay, so we’ll admit, we’re pretty biased.  We’re all about the strong, secure and streamlined managed IT environment, not only because it’s just so much easier for you … but also because it’s so much more secure.  And when it comes to HIPAA (Health Insurance Portability and Accountability Act of 1996), that’s really, really important.
Now, we could spend a lot of time spewing legislative babble at you in an effort to make this point, but you already know what HIPAA is.  Besides, all that babble boils down to one outcome: If you’re not careful, HIPAA will bite you in the rear.  Big time.
Consider the numbers.  According to the U.S. Department of Health & Human Services, there have been more than 36,000 HIPAA complaints since 2003.  Of those, 69 percent of them resulted in corrective action.
It doesn’t take a genius to know that “corrective action” isn’t in the practice’s favor, and doesn’t typically do much for PR.  Quite the opposite, in fact.  If you want to ensure this doesn’t happen to your business – and that you avoid the potentially disastrous consequences of being found flouting HIPAA compliance rules – it’s time to get it together.
It’s time to face your sins now because when it comes to HIPAA, deathbed conversions just won’t cut it.  Here are the five main sins you might be committing unintentionally … and how to avoid them.
Forgetting About Physical Security … or Cloud Security
Many companies rely more heavily on either paper or electronic records-keeping systems. That’s fine, except for the blind spot it creates regarding the other medium.  “Oh, we don’t really use paper anymore,” a tech-savvy physician will say, forgetting about the stockpiled files in the back room.  Or, “Oh, we don’t do much in the cloud,” the old-school doctor claims, forgetting that she uses several vendors who store plenty of data there.
When it comes time to perform risk assessments or put safeguards in place, you need to pay attention to both.  Otherwise … curtains.  And not the lacy, soft lighting kind.
Failing to Unify Vendors, Services, and Platforms
Many businesses, without intending to, end up juggling multiple products and services from multiple vendors.  Over time, as you add this and that IT application or hardware to keep your business running smoothly, you build up so many that it’s hard to keep track of them all.  Result: Low security.  Additional result:  Overwhelm.  Final result:  Head in the sand, mimicking ostrich, hoping it will all go away.
Instead, you need to unify those products and services, bringing them into one complete system that eliminates the need for multiple vendors.  Don’t know how?  That’s normal; you just need a managed IT specialist at your side.  So get one.  Now.  Before your coffee break.
Relying Too Heavily on General Insurance
Yes, it’s important to ensure you have watertight data security.  Yes, it’s critical that you choose the right combination of in-house and cloud-based IT services.  Yes, it’s an absolute must to have excellent insurance.  And no … that’s not enough.
Why?  Because no matter how many safeguards you put in place for both your physical and electronic environments, whether you store your data on-site or in the cloud, it doesn’t do you a lick of good if you break compliance and don’t have the insurance to cover your proverbial behind.
Believe it or not, many practices aren’t aware that most general insurance doesn’t cover electronic data storage.  That means if you have a breach, you may not be covered.  Whoops. Time to talk to your insurance guy and make sure you’ve got across-the-board coverage, then find an IT provider who will reduce the risk of a breach as much as possible.
Performing Audits Internally
Internal audits!  What a money-saver!  Why pay others to do what you could do for yourself, right?
Nope to the nope.  Not a good idea.  Even if you work hard to stay apprised of changes in policy or the evolving abilities of cybercriminals, it’s still unlikely you can stay up-to-date enough to remain fully secure.  You need the help of an outside auditor, who can pinpoint your outdated security practices and help you bring them up to speed.  Plus, you’re poorly positioned to perform your own audits simply because you become used to a way of doing things, and you’re therefore less likely to change even when you know you have to.
So don’t rely on you.  Go on, say it out loud:  I shall not handle audits internally.  I understand that this might ruin my company and steal my soul.  I shall atone for my sins by outsourcing my audits today, and I shall never look back.
Thinking Risk Assessment Is Enough
Risk assessment is not enough.  The very nature of the word “assessment” means you’re supposed to do something with that information.  So by all means, get assessed … but then take the next step.
Usually, when you perform a HIPAA compliance assessment, you’re looking for weak links in your data security.  The assessment will point to missing safeguards, both physical and technological.  Working with your IT provider, it’s important you manage login information, automatic log-offs, clearance levels, security training and more.  Only when you put an ongoing plan in place can you be sure you’ve done your best to remain in compliance.
Another common mistake:  thinking a single risk assessment is enough.  That’s not the case. Rather, you need to perform them continually, responding to changes as they come.
The takeaway?  Remaining in compliance isn’t easy, but it’s absolutely crucial.  It’s time to think about it and make a plan that will last well into the future.  And it’s time to do it today … before your coffee break, remember?