America's Benefit Specialist August-September 2022

CYBERSECURITY 2.0

abilities such as obsolete software and missing patches
• periodically conducting penetration tests to identify weaknesses that could be exploited by an attacker.

Regulated entities, according to OCR, should not rely on only one of the above techniques, but should consider a combination of approaches to properly identify technical vulnerabilities within their enterprise. Once identified, assessed and prioritized, appropriate measures need to be implemented to mitigate these vulnerabilities (e.g., apply patches, harden systems, retire equipment).

How often should a risk assessment be done? Flittner recommends a yearly review, or a review whenever major changes happen in the business.

Who should be involved in a risk assessment—just IT? “Risks involve the whole team,” stated Flittner. “Key supporters of risk assessments should include executives, especially financial leadership, but really everyone should be involved in some way.”

What are some of the areas in an organization that need to be looked at in a risk assessment? “Everywhere that sensitive info moves throughout your business,” replied Flittner. “This could just be one department like human resources, or it could affect everyone.”

What sort of questions and tasks need to be included in a risk assessment? Ted Mayeshiba of Aditi Group responded: “Physical inventory—what devices hold sensitive data (PHI in HIPAA terminology). Important questions include: Where does the data reside? What’s in ‘the cloud’ with third-party companies? Who should access the sensitive info? And how do you control access? Is there a BA agreement in place? Does the third-party company have access to the data? All of these should be considered and discussed within your organization.”

We always recommend that a risk assessment be done by an independent third party. Why? Flittner lists three main reasons:


“First, it’s not the main job of employees, so it rarely gets priority. Second, outside eyes tend to notice problems that people who see the process every day can miss (can’t see the forest through the trees in front of them). Third, employees sometimes are reticent to admit to weaknesses in the process.”

I asked Flittner what message he would share with every business owner, large or small, related to risk assessments and their importance in protecting their data. “Know before it’s too late. Be prepared. As a former Boy Scout, I learned to live by the motto long ago. Security is always evolving, and where you didn’t think you had risk in the past may be totally different today. And the cost of problems like data breaches and ransomware is much higher than the cost of prevention.”

WEAK CYBERSECURITY PRACTICES

It is well known that a regulated entity that has weak cybersecurity practices makes itself an attractive soft target for hackers and cyber criminals. Weak authentication requirements are frequent targets of successful cyber-attacks. Over 80% of breaches due to hacking involved compromised or brute-forced credentials, according to OCR.¹ Weak password rules and single-factor authentication are among the practices that can contribute to successful attacks. Once inside an organization, if the entity has weak access controls, this can further contribute to an attacker’s ability to compromise systems by accessing privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data.

HIPAA rules state that regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes. (See 45 CFR 164.312(d): Standard: Person or Entity Authentication.) A regulated entity’s risk analysis should guide its implementation of appropriate authentication solutions to reduce the risk of unauthorized access to ePHI. For example, authenticating users that access a regulated entity’s systems remotely (e.g., working from home) may present a higher level of risk to a regulated entity’s ePHI than users logging into their desktop computers at work. To appropriately reduce the higher level of risk of remote access, a regulated entity may consider implementing stronger authentication solutions, such as multi-factor authentication.

According to OCR’s March 17th newsletter, implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. (See 45 CFR 164.312(a)(1): Standard: Access Control.) Here, too, the risk analysis should guide the implementation of appropriate access controls. For example, a regulated entity may determine that because its privileged accounts (e.g., administrator, root) have access that supersedes other access controls (e.g., role- or user-based access), and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. Not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoper

benefitspecialistmagazine.com | ABS 17
