Kusserow on Compliance: Cyber Security—21 Practical Safeguarding Tips

Cyber security is a growing compliance issue and has enormous implications for the health care sector. Cyber attacks have increased to dramatic levels over the last two years and are likely averaging one attack a day. Ransomware is one of the most disturbing trends in cyber attacks. One of the largest ransomware attacks, known as “WannaCry,” has hit countries around the world. As with other cyber attacks, ransomware spreads through a phishing attack, which involves tricking email recipients into installing malicious software that encrypts the system, causing the user to lose access to their documents. The user is then prompted to pay a ransom in order to have their system restored. For health care providers, there is not only concern about business, but also the risk of breaches of Protected Health Information (PHI). OCR data indicates more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. Data further indicates a major increase in breaches resulting from “hackers” in 2016. According to recently reported studies, health care now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare: (a) over half of emails contained spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware has jumped to record levels.

Camella Boateng is a consultant expert in addressing HIPAA compliance and makes the point that all health care organizations should have a response plan ready, if and when it is needed. This will permit prompt action to mitigate the harm and damage of such a breach to systems, reputation, costs, and potential liabilities. On the other hand, not being prepared with a response plan will likely result in delays, mistakes, and aggravation of the problem. Considerations in developing the plan should include: (a) establishing roles and responsibilities for those who would respond to an incident; (b) outlining the methods to detect, report, and internally evaluate incidents; (c) laying out steps to be followed in containing and eliminating breaches; (d) determining the manner by which the response plan would be initiated and operations restored; and (e) deciding what would be involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should be addressing this as part of their ongoing monitoring responsibilities. Compliance officers should verify this is being done and validate that it is effective in meeting objectives. This can be done through ongoing auditing efforts that can be performed with internal resources or by engaging outside experts to do it.

21 Practical Safeguarding Tips

  1. Don’t assign responsibility for cyber security to someone at a low level in the organization
  2. Ensure software products are up to date with the most recent patches at all times
  3. Establish an aggressive patching schedule for all software
  4. Implement policies/procedures for precautions against malware
  5. Train employees not to click on email links/attachments, or respond to “phishing” inquiries
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Restrict permissions to areas of the network and databases on a need-to-access basis
  9. Access to systems should be granted on a need-to-know standard
  10. Limit employee access to files on a single server, so if infected, it won’t spread to everyone
  11. Security efforts should focus on the most critical files, namely patient records
  12. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them
  13. Maintain frequent data backups to permit restoring of lost data in case of an attack
  14. Regularly take full snapshots of your data and store them offline
  15. Monitor email carefully and do not open email attachments from unknown parties
  16. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  17. Develop a business continuity plan to prevent down time
  18. Maintain disaster recovery and emergency operation plans
  19. Regular systems tests can also help flag vulnerabilities before a hacker can get in
  20. On any report of an attack, prevent spreading by disconnecting infected systems from the network, disabling Wi-Fi, and removing USB sticks or connected external hard drives
  21. Establish real-time data backups to permit work to continue
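Tip 7 (blocking zip and other likely-malicious attachments at the email server) is the one item on this list that reduces to a concrete policy check. The following is an added example, not code from the article or from Strategic Management Services: a small attachment-screening function for an incoming message. The article names only zip; the other blocked and quarantined extensions are assumptions chosen for illustration, and the sample message is constructed inline.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy: the article names zip explicitly; the remaining entries are
# added here as typical executable/script and macro-document types.
BLOCKED = {".zip", ".exe", ".scr", ".js", ".vbs", ".hta"}
QUARANTINE = {".docm", ".xlsm", ".pptm"}
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def attachment_verdict(filename):
    """Classify one attachment by its final extension (case-insensitive).
    A double extension such as invoice.pdf.exe is judged by its last part."""
    name = (filename or "").strip().lower()
    if "." not in name:
        return "allow"
    ext = "." + name.rsplit(".", 1)[1]
    if ext in BLOCKED:
        return "block"
    if ext in QUARANTINE:
        return "quarantine"
    return "allow"


def screen_message(raw):
    """Parse a raw RFC 5322 message and return (worst_verdict, per_attachment)
    so a mail gateway can reject, hold, or deliver the whole message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        results.append((fname, attachment_verdict(fname)))
    worst = max((v for _, v in results), key=SEVERITY.get, default="allow")
    return worst, results


def build_sample(filename, content_type):
    """Construct a test message carrying one attachment (constructed sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "records@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    maintype, subtype = content_type.split("/")
    m.add_attachment(b"\x00" * 16, maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()
```

The gateway decision is driven by the strictest verdict across all attachments, so a single zip in an otherwise clean message is still enough to block it.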


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.