When it comes to the cybersecurity of our devices, many of us turn a blind eye because the complexity can seem overwhelming. Questions like:

• What operating system are you running?
• Do you have anti-virus AND anti-malware security?
• What’s the difference between anti-virus and anti-malware?
• When was your last update?

The list can be longer, but a few “I don’t knows” will make anyone stop wanting to try. Keeping your operating system, antivirus and antimalware up to date is your best front line defense for cybersecurity. Vast improvements have been made to make it easier and less complicated for your PC or Mac to stay well protected. Here is a simple step by step guide to check your computer status.

Windows Users

The operating system of most PCs is Windows. That’s the easy part. The important question is, what version of Windows is on your computer? To find out, follow these simple steps:

• Hold the Windows logo key + R. A search box appears in the bottom corner of your screen.
• Type winverin the Open box, and then select OK.
• A new box will pop up showing you the version of windows your computer is running.

I’ll give you a minute to check it out.

If your box shows anything other than Windows 10, you need a major upgrade.

Mac Users

Macs are believed to be inherently safer than Windows because of the operating system. However, cybercriminals are not shying away from finding loopholes to attack your Mac. You still need diligence and the most up-to-date OS for best protection.

• From the Apple menu in the corner of your screen, choose About This Mac.
• You’ll see the macOS name followed by its version number.

What is the latest version? As of the day of this publication, macOS Catalina 10.15.5 is what you should see. You can reference Apple support for the most up to date list here.

How to update your Windows computer

So you need an update. Let’s look at options.

For Windows 10 users, updates to the operating system are pushed through from Microsoft. Follow their directions (click here) to make sure you have Microsoft Updates configured correctly to keep your PC updated automatically or at least with reminders.

Windows users running anything less than Windows 10 should visit Microsoft’s site (click here) to evaluate the best next step. Your out of date operating system is at very high risk for a cyber breach.

If your device is too old, it may not have the built in features you need to run Windows 10, meaning you will need a computer upgrade. If it is compatible, you will have to purchase the new operating system. Whatever your need, check with your IT department before you purchase. You may be able to get the upgrade from them if you use your personal computer for work purposes.

How to update your Mac computer

For Mac users, updates to the operating system are pushed through from the Apple. Follow their directions (click here) to make sure you have updates configured correctly to keep your computer updated automatically or at least with reminders. If you are running an older device, at some point the company updates will not be compatible. If that is the case, you need to contact your IT point person about upgrading your computer or consider purchasing a new Mac. Your out of date computer is at very high risk for a cyber breach.

Benefits of Updating = Cost savings for you and your company

If you want to tap out because I just mentioned spending money, stay with me a little longer. The number one reason to have the most up to date operating system is the built in security. While nothing will be full proof, Windows and Apple are constantly learning of threats and vulnerabilities. They create patches and protections to stop cybercriminals from getting in. The catch is that they only do this for their latest product.

While it might cost some money upfront, you will save money too. For years, the expectation was that you needed to purchase a 3^rd party software to protect your computer from being infected with viruses and malware. That is no longer the case. Both Windows 10 and macOS systems have built in antivirus and anti-malware software. When compared to 3^rd party options, the difference in security level is minimal. There is a slight argument for layering your protection, but that is not a guarantee to block everything. If you want to read more about this, Windows users can click here and Mac users can click here.

More importantly, a breach can cost your company dearly. In fact, 60% of small businesses go out of business within six months of falling victim to cyber crime. Cybersecurity is not about latest technology, it is about safety of your customers and company data.

The Human Firewall is Required

Mike Moran, with Third Rock, put it this way; “Vigilant employees are still the best defense. If you are running Office365, assume that it is only going to catch 40% of the bad things coming through, you still have to be smart enough to recognize the other 60% and not click on them.”

No matter how much you pay for antivirus, anti-malware and top of the line cybersecurity, you still have to be a smart user. Use best practices for passwords that are hard to crack, tips to recognize phishing attempts and smart choices when searching the internet. You can’t prevent a breach, but you can reduce your chances.  Train ALL of your employees at least once a year on cybersecurity awareness.

Defend yourself and your company:

1. Limit the personal information you post on social media
   • Remember that these scams involve researching the target. The more information you willingly post, the easier it is for them to create a character that will connect with you
2. Go to the source
   • If a representative from a company contacts you either in person, on the phone or via email, verify their identity directly with the company. If someone shows up at your house, find the corporate company’s phone number and call from your personal phone. It may seem rude and take longer, but you could be protecting yourself from a scam.
3. Never give out personal information
   • Real company representatives will never ask you for your password, full account numbers or credit card numbers. General conversations that steer in a direction asking too many personal questions about your family and job should be a red flag. You can decline answering in a polite way while not giving away information.
4. Protect your organization
   • Do not give out company information, even if the requester appears to be from within the company. Know your company’s procedures for how they communicate when there is an issue, or they need information from you.

Since 1995, Third Rock has been creating solutions to help businesses navigate the confusing world of cybersecurity and compliance. We took our combined knowledge and years of experience to build a better way to manage cyber risk.

As our business continues to grow, Third Rock is on the move. In order to better serve our local clients, Third Rock is upgrading its office space. With more room for conferencing, we are ready to help your business work toward cyber resilience. Contact us to set up a time to talk about starting your journey toward Cyber Confidence.

595 Round Rock West Dr Suite 401, Round Rock, Tx 78681

• gain a practical understanding for HIPAA regulations.
• how to best incorporate them with your staff and throughout the practice
• improve your HIPAA compliance with our built in completion tracking

Third Rock, powered by CyberCompass®, now includes the NYDFS security risk assessment required by all New York financial entities.  The NYDFS Cybersecurity Regulation (23 NYCRR 500) is “designed to promote the protection of customer information as well as the information technology systems of regulated entities”. This regulation requires each company to conduct a risk assessment and then implement a program with security controls for detecting and responding to cyber events.

The NYDFS has supervisory power over banks, insurance companies, and other financial service companies. More specifically, they supervise the following covered entities:

• Credit Unions
• Health Insurers
• Investment Companies
• Licensed Lenders
• Life Insurance Companies
• Mortgage Brokers
• Savings and Loans Associations
• Private Bankers
• Offices of Foreign Banks
• Commercial Banks

There are some exceptions to entities that have to meet the regulations.

NYDFS requires entities to complete the following:

• Risk Assessments
• Audit Trail including updated policy and procedures
• Incident Response Plan

CyberCompass® automates the numerous steps to completing a risk assessment with its on-demand, cloud-base software so a security risk assessment can be completed in 70% less time.  It offers the unique feature to go beyond technology for information security and add the people, process and vendor compliance for information security.  

“We expect what is happening in New York to happen across the country,” stated Robert Felps, CEO.  “We have engineered CyberCompass to help companies meet regulations faster and require less work hours through built-in expertise and automated workflow.”

With Third Rock expertise and guidance, we work with you to use CyberCompass® to increase your compliance and manage your cyber risk.

Cyber security breaches are constantly in the news. Hundreds, if not thousands, occur across every kind of industry each year. Healthcare has consistently been a prime target for cyber criminals to gain access to personal health information (PHI) which can be sold for high profit on the dark web. In fact, 2018 marked an all-time high of $28.7 million in fines from HIPAA entities and their business associates.

 In an effort to encourage healthcare organizations to better protect their patients’ information the Health Information Technology for Economic and Clinical Health (HITECH) Act was instituted, though the wording of the original bill left much open to interpretation. An element of the Act created tiers for HIPAA and breach violations. However, HHS admitted there was inconsistent language in the HITECH Act about the penalty scheme. Due to this, the penalty cap for every tier was set at $1.5 million. Commenters expressed concerns that the “penalty scheme is inconsistent with the HITECH Act’s establishment of different tiers based on culpability.”

 So what is the culpability? Webster defines it as the “guilt or blame that is deserved”. HITECH tiers define it like this:

•  the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
• the violation was due to reasonable cause, and not willful neglect;
• the violation was due to willful neglect that is timely corrected; and
• the violation was due to willful neglect that is not timely corrected.

Under the new payment scheme, fines will increase based on which tier your breach falls into:

This is all great and nice to know, but what does this look like in practice? It might look something like this: 

• You have completed a wholistic Security Risk Assessment and have made efforts to improve your cyber security. Even with reasonable policies and procedures in place, a breach still occurred.
• You have certain elements of security in place, but a breach got through by a reasonable cause, such as an employee falling for a phishing scheme.
• You made no effort to protect your cyber security, but worked to correct the problem after a breach.
• You made no effort to protect your cyber security and did not attempt to correct it after a breach.

If you read the HHS OCR’s audit summary letters you can conclude that doing number one will keep you from being fined $50,000 for willful neglect regarding a risk assessment, but option four will land you a $50,000 fine.

Which tier best applies to you?  Do you even know where to start?

 Our Cyber Quick Check can have you on the path to a better understanding of your current cyber security in less than 2 minutes. Because knowing is the first step toward empowering you to manage your cyber risk.

https://cyberquickcheck.com/thirdrock

 Patient safety in the healthcare industry has always been a priority. Mainly, that referred to physical safety, but with the changing landscape of technology, information security needs to also become a priority. Healthcare is repeatedly a prime target for cyber criminals looking for quick access to valuable data.

A recent article from HealthIT News claims that CEOs need to make information security (infosec) their number 2 priority. Why not number one?  James Doulgeris, CEO of Osler Health believes “that responsibility belongs to the CIO or CTO. It should be their number 2 or number 1. The only time something like that hits a CEO’s top five is if the person responsible is not doing their job.” This culture is what needs to change in healthcare, because by the time it reaches the top, it’s too late. The breach has occurred, you have let down thousands of patients and you’re losing money.

Fear of a breach, and the potential consequences, will not be the driving force toward change. CEOs need to see this as a business move to shift the prioritizing of funds. Not enough of a hospital’s budget is dedicated toward security and that is a CEO issue. Infosec needs are constantly changing, so investing funds cannot be one and done. Structures, processes and procedures have to be in place and continuously monitored to create a secure environment.

“Security is important enough to be above everything else,” said David Chou, a veteran hospital executive who is currently VP and principal analyst at Constellation Research. But he knows the reality of that takes a culture change that must come from the top. “[It] means turning the culture upside down and thinking about security as aggressively as many hospitals focus on hand washing. That same effort has to be there for every employee.”

Richard Staynings, Chief Security Strategist with Security Associates and an HIMSS Cybersecurity Committee member, agreed that patient safety must be a top priority for CEOs. “Cybersecurity is, like it or not, a primary component of patient safety now.” Patient confidentiality goes out the window when a breach occurs, and everything can become public knowledge. This is the battle hospitals, clinics and every doctors’ office now face.

CEOs also need to recognize that investing in security now actually helps with innovation growth . Just as innovation growth is a multi-step process that will happen over time, so is infosec, and they need to be viewed as a combined entity. If you are designing a plan to increase technology within a hospital, then best practices would have you increase your security at the same time. CEOs need to see these as mutually inclusive instead of exclusive.

As many can attest, culture comes from the top. What a CEO sees as a priority, so will others in the company. That change needs to start with seeing that patient safety now includes information security.

Protect your data. Protect your practice. Protect your patients.

Health IT has come a long way since the HITECH Act was introduced almost 10 years ago. Technology availability and accessibility has also increased dramatically in that time frame. While better connectivity has revolutionized healthcare, it has also opened the door to cyber risks.

Testimony before the Texas Health Services Authority Board at the Texas State Capitol on Friday, October 4 reinforced recent headlines that cybersecurity is a persistent problem; one that will require greater resources at all levels of healthcare and healthcare governance. Representatives from the Texas Attorney General’s Office, the Texas Medical Board, Texas Medical Liability Trust, University of Texas, and Cynergistek[1], along with Third Rock CEO, Robert Felps, took turns presenting data and observations on the “current state of cybersecurity and privacy in Texas healthcare” from their professional perspectives. Though some gains have been made in recent years, key points across the presentations made clear that Texas healthcare organizations – and the supporting governing bodies – still have work to do to safeguard patient data.  Here are the key takeaways:

1. Available data indicate that Texas healthcare organizations remain extremely vulnerable to cyber threats.

• In 2017, TMLT received reports of 600 data privacy and security incidents, or breaches. There have only been 103 incidents so far in 2018 (Jan-Sept), but that’s still an average of 11.4 incidents/month.
• Mac MacMillan, CEO of Cynergistek, reported that his firm is notified of at least one security incident a day by one of their 1500 hospital clients, which includes 70 academic medical centers.

2. Both formal and informal reports indicate that healthcare organizations have an incomplete approach to cybersecurity and HIPAA compliance.

• In 2016, the OCR Random Audit Program evaluated 63 Covered Entities. Of the audited organizations, 13 had not attempted to perform a Security Risk Assessment (SRA). Of the 50 organizations that had completed an SRA, none satisfied the OCR’s requirements.
• MacMillan also reported that fewer than half of Cynergistek’s client organizations meet the NIST requirements for cybersecurity; a situation he attributed to a lack of both human and financial resources.

3. Too many healthcare organizations are financially unprepared for a cyber event.

• 70% of healthcare organizations report having no cyber insurance.
• The combination of legal fees, penalties, increased administrative costs, and loss of business resulting from an information security incident can potentially put a healthcare organization out of business.

4. There is a significant shortage of adequately-trained cybersecurity personnel.

• According to MacMillan, there are currently about 780,000 cybersecurity employees and approximately 350,000+ cybersecurity job vacancies. By 2021, labor experts are predicting 3.5 million cybersecurity job vacancies.
• When he visits a client hospital and asks “Who’s taking care of ‘x’ cybersecurity technology?” he is often referred to an IT employee with no cybersecurity experience.

5. Enforcement responsibility for healthcare data privacy and security is distributed across multiple state agencies, resulting in incomplete data and inconsistent enforcement.

• At the state level, responsibility for enforcing HIPAA and HB300 falls to the Texas Medical Board, Texas Board of Nursing, Dept of Health Services (DHS), Office of the Attorney General and others.
• Agencies report aggregate numbers to the Office of the Attorney General of complaints received and of incidents resulting in disciplinary action. However, specific cases are only referred to the Attorney General’s Office when the Agency believes an incident warrants civil or criminal penalties that only the AG’s office can impose.

6. Information security incidents negatively impact patients – both directly and indirectly.

• Healthcare records are worth substantially more on the black market than credit card or even social security numbers, making healthcare records a prime target for cyber criminals.
• A security incident resulting in identity theft can take years, and thousands of dollars, for an affected patient to correct.
• A ransomware attack can bring care delivery to a standstill, freezing infusion pumps and other medical devices, putting patients at risk.

Are you cyber confident?  Can you afford no action?  Third Rock makes it simple and affordable.

Protect your patients, protect your practice, protect yourself

[1] A cyber security consulting firm, https://cynergistek.com/

[2] Texas Medical Liability Trust, the largest medical provider in the state, https://tmlt.org/tmlt