Steps You Should Take to Protect Your Business in 2019
Another year has passed, and it was a banner year for breaches. In December, 12 states launched a coordinated HIPAA suit over a data breach. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”
Let me reiterate: failure to implement basic industry-accepted security measures. Due diligence may not have prevented the breach, but following industry best practices would have made it much less costly to the entity.
A new year, a new chance to implement safeguards to keep your business and customer data safe:
1. Train Your Employees – Business Email Compromise (BEC) was through the roof in 2018. The FBI's Internet Crime Complaint Center estimates 2018 BEC losses exceeded $12 BILLION USD. While software that detects potential phishing can help mitigate the risk, the best prevention is to teach your employees how to identify and report potential threats.
2. Antivirus Everywhere – AV is still an integral part of a layered security approach. The number of viruses caught via signatures continues to drop but is still significant enough to warrant antivirus on endpoints. Don’t rely on free AV, which typically only protects against well-known viruses. Business-class AV typically uses a combination of signature-based detection and heuristics that evaluate the behavior of executed code as well.
3. Housekeeping – Although time-consuming and mundane, keeping your systems up-to-date is crucial. Make sure server/workstation operating systems, line of business applications, and third-party applications are updated regularly.
4. Multi-Factor Authentication – Another integral part of a layered security approach, implementing MFA is necessary to meet PCI DSS and NIST compliance. While HIPAA doesn't require MFA, there are several provisions in the Security Rule subparts that emphasize the need for a strong authentication process. MFA can mitigate brute force password attacks.
5. Active Reporting – Having all these layers in place helps, but you need to collect logs from devices and act when something anomalous happens.
6. Backups – Even today, storage fails. Make sure you take regular backups of all business data and test them! The question is not whether it will happen but when.
7. Protect Mobile Devices – More and more business is done from smartphones and tablets. Implement device security to ensure business applications are executed in protected compute space and that the devices can be remotely wiped if lost or stolen.
8. Remove Consumer Surveillance Systems – The convenience and price point of consumer surveillance cameras are undeniable, but don’t rely on them for surveillance of interior workspaces. Several cloud-based video surveillance systems have been compromised over the past years, allowing bad actors access to archived video, camera controls, and audio.
9. Encrypt Devices – Encryption helps you meet compliance regulations, protects your data in multi-tenant cloud instances, and gives you safe harbor from breach notification if the encryption keys aren’t compromised as well.
10. Get a Password Manager – Don’t use the same password for multiple sites! Password managers with autofill capabilities simplify password use and can help by automatically generating unique, complex passwords for each login.
Think of these safeguards as insurance. If you don’t have the in-house time or talent to implement the above, please find a trusted IT provider.