Steps to stronger cybersecurity
Insight Article - February 1, 2019
MGMA Staff Members

According to Andrew Jahnke, founder and chief technologist for managed IT and custom cloud service provider RainTech, there is no such thing as being “too small” to be a target for hackers. All healthcare organizations are susceptible to cyberattackers seeking to exploit weaknesses in the security of a computer network.

Ultimately, preventing a cyberattack is much less expensive than reacting to a hack or breach, which is why Jahnke recommends a thorough assessment of your organization’s cybersecurity to get a baseline for the current level of readiness and identify areas for improvement. This list offers a detailed collection of key areas that medical practice leaders should examine to be prepared for a possible cyberattack.

Cybersecurity assessment

Number of users _________________________________
Number of workstations ___________________________
Number of physical servers ________________________
Number of virtual servers _________________________
Number of locations ______________________________

Endpoint protection

Antivirus brand: _________________________________
Installed on all workstations?
Installed on all servers?
Are definitions monitored for automatic updates?
Do infections automatically produce alerts?
Does someone respond automatically?
Does it have a web browser plug-in and classify search results?
Does it provide sandboxing for executables?
Can IT provide a recent status and threat report?
What is the next renewal date? ____________________

Network protection

Firewall make/model: ____________________________
Is the firmware up-to-date?
Is packet inspection enabled?
Does it have intrusion prevention enabled?
Does it use a sandbox solution for downloaded files?
Does it have antivirus scanning enabled?
Does it have anti-spyware scanning enabled?
Does it have flood protection enabled?
Does it have Geo-IP blocking enabled?
Does it look for and filter botnet traffic?
Does it have a web content filter enabled?
Are internet-facing servers protected from brute force attacks?
Can IT provide a recent status and threat report?
Are guest networks completely isolated from the business network?
Is internet usage monitored?
What is the next renewal date? ____________________

Email protection

Email filtration product: ___________________________
Is email encryption available?
Are filtration rules administered by IT?
Are executable attachments blocked by default?
Are links re-written and scanned when accessed?
Are artificial intelligence (AI) and heuristics used to stop spoofed email?
Is outbound mail scanned, or only inbound?
Are data loss prevention filters in place for outbound email?
How is the SPF record configured? ____________________________________________________

Network administration/management

List any users who have local administrative permissions on their computers: ___________________
Is user account control enabled on all workstations?
Are all users’ passwords set to expire automatically?
Are password length and complexity required?
Are accounts locked out after multiple unsuccessful login attempts?
Are screensavers engaged automatically after inactivity?
Is multifactor authentication used?
Is patching managed and monitored on all workstations and servers?
Are non-user account passwords stored in a secure location?
Are non-user accounts documented for use?
Do all accounts follow the principle of least privilege?

User instruction/policies and procedures

Do you have an acceptable use policy for organizational computers?
Are users given security awareness training?
Are users sent phishing messages to find out who needs additional training?
Are risk assessments conducted at least annually?
Has a remediation plan been produced?

Backup/disaster recovery

How often are backups taken? ___________________________
How long are backups retained? _________________________
Is there a written policy for disaster recovery/mitigation?
Are backups “air gapped” from potentially infected workstations?
Do backups go offsite automatically?
Do failed backups produce alerts?
Are backups tested periodically?

Advanced security measures

Do you have/utilize a security operations center (SOC) that monitors 24/7?
Do you utilize a security information and event management (SIEM) system?
Is host-based intrusion detection in place?
Is network-based intrusion detection in place?
Are servers monitored for ransomware-like activity?
Are monitors in place for administrative changes (e.g., domain admins)?
Are independent penetration tests performed periodically?

MEMBER RESOURCE

To learn more about the methods used by cyberattackers and how to minimize the risk of their success, access the member-exclusive on-demand webinar, “Threat Potential: Steps to Stronger Cybersecurity”: mgma.com/cyber-webinar.
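The email protection item “How is the SPF record configured?” is one of the few checklist answers that can be verified mechanically. The following is an added example, not code from the article or from RainTech, that parses an SPF TXT record string offline (the records and the domain names in them are constructed samples) and flags the two weak configurations a reviewer most often finds: a permissive “all” qualifier and more DNS-lookup mechanisms than the RFC 7208 limit of 10, which makes the record evaluate to a permanent error.

```python
import re

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def assess_spf(record: str) -> dict:
    """Parse one SPF TXT record and report weak configuration choices.

    Returns the qualifier on the 'all' term ('+', '-', '~', '?' or None),
    the number of DNS-lookup mechanisms, and a list of review findings.
    """
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0,
                "findings": ["record does not start with v=spf1"]}
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name is everything before ':' '/' or '=' (ip4:, a/24, redirect=).
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain")
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of "
                        f"{LOOKUP_LIMIT}; receivers return permerror")
    return {"valid": True, "all": all_qualifier,
            "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records: one sound, one permissive, one over the lookup limit.
    samples = [
        "v=spf1 include:_spf.mailfilter.example.net ip4:198.51.100.0/24 -all",
        "v=spf1 a mx +all",
        "v=spf1 " + " ".join(f"include:spf{i}.example.com" for i in range(11)) + " ~all",
    ]
    for rec in samples:
        print(rec, "->", assess_spf(rec))
```

A record that passes these checks still needs to be read against the practice’s actual mail senders; the script only catches configurations that are weak regardless of who the senders are.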