Enterprise-Level Security for Small to Mid-Sized Businesses
By Gil Vidals

Yes, your startup or small to mid-sized healthcare organization can afford enterprise-level security. 

If recent headlines about high-profile hacks of sensitive data – such as the Scripps Health attack – haven’t convinced you, it’s time to heed the wake-up call: health information that’s protected under HIPAA needs cutting-edge protections – no matter the size of your healthcare practice.

Still, you may be thinking: I hear you — but how can we afford that?

Unfortunately, many new and smaller healthcare practices believe their budget requires them to settle for less security, so they end up depending on “homemade” solutions (better routers, etc.) when it’s actually possible – and necessary – to have more.

In addition, this belief may also be prevalent: “Our level of patient and financial data doesn’t compare to the big guys, so why would a hacker bother with us?”

Yet the truth is, hackers believe just the opposite. It only takes a few smaller practices to help them turn a nice profit, while potentially putting your practice out of business. (See Wood Ranch Medical Notifies Patients of Ransomware Attack.)

So then, what does “enterprise-level” or cutting-edge security look like? And why are some of the big guys still getting hacked?

We’ll answer the first question in a moment; in the meantime, let’s put a finger on a typical security problem and try to stop the bleeding.

Identify the Pain Points

One attack vector that consistently succeeds against small and large practices alike, and does real damage, is phishing.

I know, you’ve heard this before. But understand, these attacks are growing in both sophistication and variety. One report notes that “email phishing represented more than 50% of ransomware attack vectors in the final quarter 2020.”

Traditional phishing relies on a cleverly devised email or SMS that appears to come from inside your company (including from your CEO). Even when the usual tip-offs are absent – the formatting isn’t odd and nothing is misspelled – it’s a good idea to check with the person directly, through a channel other than the message itself, before you click.

But beyond email and SMS, phishing also arrives as file-sharing notifications and PDF scams dropped into your Drive. The latest trick is a flood of Google Calendar entries containing links to video meetings with people you’ve never heard of.

So let’s ask: what makes these phishing attacks so effective?

The fact is, phishing works regardless of the size of your organization, and largely regardless of the technical defenses you have in place.

The real reason phishing works so well is that it uses your own staff to open the door. Once someone has unknowingly ushered the bad guys in by clicking a link, the attackers can use credential-theft techniques (a spoofed login page, for example) to obtain the “keys” to your vital systems.

With access to your sensitive data, the hackers can now use their latest technique: “double extortion.” Here they first steal (exfiltrate) your data, then encrypt your systems, and demand a ransom both to restore your files and to keep the stolen data from being published online. Paying for decryption alone does not undo the theft. One saving grace is to make stolen credentials insufficient on their own by adding a second layer of security, such as multi-factor authentication (MFA): a phished password still won’t get the attacker in.
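Because the CEO-impersonation and lookalike-domain tricks described above are about message headers rather than content, some of them can be checked mechanically before a staff member ever decides whether to click. The script below is an added example, not code from the article or from HIPAA Vault; the organization domain, the executive names, and the three sample messages are all hypothetical and constructed for the demonstration. It flags three things: a trusted colleague’s display name on an address outside the practice, a sender domain that is one or two characters away from the real one, and a Reply-To that quietly routes responses to a different domain.

```python
import email
from email.utils import parseaddr

# Assumptions (not from the article): the practice's own domain and the staff
# whose names are most worth impersonating. Both are hypothetical.
ORG_DOMAIN = "example-clinic.com"
EXECUTIVES = {"Dana Rivera", "Sam Okafor"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message deserves a phone call before anyone clicks.

    An empty list means none of the three header checks fired; it does NOT
    mean the message is safe, since content-based lures are not examined.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. A trusted colleague's name on an address that is not ours.
    if from_name.strip() in EXECUTIVES and from_dom != ORG_DOMAIN:
        reasons.append(f"display name '{from_name}' on external address {from_addr}")

    # 2. Sender domain that is one or two characters away from ours (the
    #    "c1inic" style of lookalike).
    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")

    # 3. Replies silently routed to a different domain than the one shown.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")

    return reasons


# Constructed sample messages (hypothetical, not real mail).
CEO_SPOOF = """From: Dana Rivera <dana.rivera@gmail.com>
To: billing@example-clinic.com
Subject: Urgent wire before 5pm

Please process the attached invoice today."""

LOOKALIKE = """From: IT Support <helpdesk@example-c1inic.com>
Reply-To: helpdesk@mail-recovery.net
To: staff@example-clinic.com
Subject: Password expiring

Click the link to keep your mailbox."""

LEGIT = """From: Dana Rivera <dana.rivera@example-clinic.com>
To: staff@example-clinic.com
Subject: Staff meeting

See you at 9."""


if __name__ == "__main__":
    for label, sample in (("CEO_SPOOF", CEO_SPOOF), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(sample) or ["no header indicators"])
```

These checks are the kind of thing a mail filter or a helpdesk macro can run on every inbound message; they complement, rather than replace, the “call the person first” habit and MFA, because a message that passes all three can still be a lure.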

Other Types of Phishing Scams

As mentioned, a phishing scam may impersonate a file-share notification that seems legitimate and enticing because it uses Google Drive to send you a PDF, or Google Slides containing links. (Any Google account receives these share notifications, so Android phones with the Drive app see them too. The good news is that merely receiving the file is unlikely to compromise the device; if you remove the files without opening them or clicking their links, you should be fine.)

The Google Calendar scam is a newer phishing attempt that is designed to fill your calendar, and tempt you to click meeting links. Fortunately, there’s an easy solution.

To stop this one from happening, follow these steps:

  • Open Google Calendar by going to calendar.google.com.
  • Click the settings cog at the top-right of the page and select Settings.
  • Choose “Event settings.”
  • Change the option that says “Automatically add invitations” from “Yes” to “No, only show invitations to which I have responded.”
  • Now scroll down the page to the section titled “View options” and uncheck the box that says “Show declined events.” This prevents Google Calendar from showing spam that you’ve declined.

These are just some of the ever-evolving attempts to get at your data. Staying abreast of these methods is critical for your organization’s ultimate health and security.

Now for the good news: While “enterprise” may conjure images of large-scale, significant investment, true enterprise-level security can entail cutting-edge security solutions that are also cost-effective.

It’s true – no matter what size your practice, there are core security fundamentals that should be in play, notes Jen Ellis, co-chair of the Institute for Security and Technology’s Ransomware Task Force.

These include “regularly backing up data, patching systems to reduce attack exposure, filtering emails to weed out malicious traffic, educating employees about how to avoid threats, and deploying access management systems. Many of these measures have traditionally been seen as challenging for clinical healthcare environments to adopt, but the reality is that without them, hospitals are effectively sitting ducks for attackers.”

Lest this sound expensive, HIPAA Vault will handle your security on the infrastructure side while saving you money on IT expenses such as monitoring, capital equipment purchases, and maintenance.

For your own staff, the following will also be invaluable:

1. Since email and file-sharing are so prone to phishing attacks, your company can help ensure that only legitimate messages get opened by using a password-protected link with built-in two-factor authentication.

A trusted solution like HIPAA Gmail can integrate with your existing email solution and provide fully encrypted messages and attachments — for as low as $18/mo. Or if you prefer a Windows solution, there’s HIPAA O365 Outlook that will also provide these protections, for only $12/mo. (billed annually).

Ideal for small and mid-sized businesses, HIPAA Drive provides a secure hub for file sharing and storage that also utilizes password protection and two-factor authentication. This excellent solution is available for as low as $20/mo./user.

2. True enterprise security will also consider the risk factors of your whole enterprise (including all staff), and address them regularly.

It’s an unfortunate reality: staff will sometimes use the quickest means to expedite a task (such as email on their phone, or another “shadow-IT” solution), even if those means are inherently insecure.

To reduce the chance of this happening, perform periodic (monthly, at least) checks and training so that your staff is “phishing-aware” and is actually using the solution(s) that protect your organization.

Help them to see that a secure solution like HIPAA email or HIPAA Drive is also designed to be user-friendly, and can save the company and the patients you serve from a world of hurt.

In the end, enterprise-level means not only using cutting-edge productivity tools for tasks like email and file-sharing but using them in compliant ways. This will go far to protect your vital systems and preserve sensitive data.

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.