Enterprise-Level Security for Small and Mid-Sized Businesses

Gil Vidals
May 21, 2021


Yes, your small-to-mid-sized healthcare organization can afford cutting-edge security.

by Stephen Trout

If recent headlines about high-profile hacks of sensitive data haven’t yet convinced you, it’s time to heed the wake-up call: health information that’s protected under HIPAA needs cutting-edge protections.

You may be thinking: Sure, I hear you — but how can we afford that?

Unfortunately, many smaller clinics and businesses believe their budget forces them to settle for less, so they end up depending on “homemade security” (a better router, etc.) when they really don’t have to settle — and shouldn’t.

Or maybe some suffer from this belief: “Our level of patient and financial data doesn’t compare to the big guys, so why would a hacker bother with us?”

Truth is, hackers believe just the opposite. It only takes a few smaller practices to help them turn a nice profit, while potentially putting the practice out of business. (See Wood Ranch Medical Notifies Patients of Ransomware Attack.)

So what does “enterprise-level” or cutting-edge security look like? And why are some of the big guys still getting hacked?

We’ll answer the first question in a moment; first, let’s put a finger on the security problem(s) and try to stop the bleeding.

Identify the Pain Points

One vector through which attackers consistently wage an all-out, lethal war on the vulnerabilities of both small and large practices (not to mention major health systems, as in the recent Scripps attack) is phishing.

I know, you’ve heard it before. But understand, these attacks are growing in sophistication and kind.

They arrive not only through email and SMS notifications, but also through file-sharing notifications; the latest tricks include fake Google Calendar entries and PDF scams dropped into your Drive.

So let’s ask: what makes these phishing attacks so effective?

The fact is, phishing attacks don’t depend on the size of your organization, or even on the strength of your technical security.

The real reason why phishing works so well is that it uses your own staff to open the door. Once you’ve unknowingly ushered the bad guys inside by clicking a link, they can effectively use credential-theft techniques to obtain the “keys” to your vital systems.

With access to your sensitive data, the hackers can now use their latest technique: “double extortion.” This involves stealing the data first, then encrypting it and demanding a ransom, while threatening to post the stolen copy online if you don’t pay.

For these scenarios, the only saving grace may be to prevent illicit access altogether with a secondary layer of security, such as two-factor or multi-factor authentication (MFA), so that a stolen password alone is not enough to get in.

Other Types of Phishing Scams

Traditional phishing relies on a cleverly devised email or SMS that appears to come from inside your company (including from your CEO). Even when the usual tip-offs (odd formatting, a misspelled word) are absent, it’s a good idea to check with the person directly, through a channel other than the message itself, before you click.

Or, the phishing scam may impersonate a file-share notification that seems legitimate and enticing because it uses Google Drive to send you a PDF, or Google Slides with links. (Unfortunately, every Android phone is susceptible to this one. The good news is that a system-wide infection is unlikely to be involved; if the files are removed without clicking on them, you should be fine.)

As mentioned, the Google Calendar entry scam is a newer phishing attempt that often creates a flood of calendar entries inviting you to click links for meetings with people you’ve never heard of.

To stop this one from happening, follow these steps:

  1. Open Google Calendar by going to Calendar.Google.com.
  2. Tap the settings cog on the top-right of the page and select Settings.
  3. Choose “Event Settings.”
  4. Change the option that says “Automatically add invitations” from “Yes” to “No, only show invitations to which I have responded.”
  5. Now scroll down the page to the section titled “View Options” and uncheck the box that says “Show declined events.” This prevents Google Calendar from showing spam that you’ve declined.

These are just some of the ever-evolving attempts to get at your data. Staying abreast of these methods is critical for your organization’s ultimate health and security.

Now for the good news: While “enterprise” typically conjures ideas involving significant investment, here is what true enterprise-level security looks like, with simple yet cutting-edge security solutions that are also cost-effective.

  1. Since email and file-sharing are so prone to phishing attacks, your company can help ensure that only legitimate messages get opened by using a password-protected link with built-in two-factor authentication.

A trusted solution like HIPAA Gmail can integrate with your existing email solution and provide fully encrypted messages and attachments — for as low as $18/mo. Or, if you prefer a Windows solution, HIPAA O365 Outlook also provides these protections, for only $12/mo. (billed annually).

Ideal for small and mid-sized businesses, HIPAA Drive provides a secure hub for file sharing and storage that also utilizes password protection and two-factor authentication. This excellent solution is available for as low as $20/mo./user.

  2. True enterprise security will also consider the risk factors of your whole enterprise (including all staff), and address them regularly.

It’s an unfortunate reality: staff will sometimes use the quickest means to get a task done (such as email on a personal phone, or another “shadow IT” solution), even when those means are inherently insecure.

To keep this from happening, perform periodic (monthly, at least) checks and training so that your staff is “phishing-aware” and is actually using the solution(s) that protect your organization.

Help them to see that a secure solution like HIPAA email or HIPAA Drive is also designed to be user-friendly, and can save the company and the patients you serve from a world of hurt.

In the end, enterprise-level means not only using cutting-edge productivity tools for tasks like email and file-sharing but using them in compliant ways. This will go far to protect your vital systems and preserve sensitive data.

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760-290-3460 or www.hipaavault.com.

Written by Gil Vidals, Founder, CEO HIPAA Vault — HIPAA Cloud Solutions http://bit.ly/hipaavault1