Federal guide aims to help small providers tackle cybersecurity
The National Institute of Standards and Technology has just released new guidance on the information security fundamentals for small businesses, including small physician practices, across the nation.
NIST, part of the Commerce Department, released the guide to prepare organizations for rising cybersecurity threats, which are evolving and increasingly targeting smaller organizations, often perceived to have less budget and expertise for preventing attacks.
The report covers many security issues, including managing risks, which calls for identifying what types of information require certain levels of protection and then implementing and monitoring the protection. Essential personnel who should be involved in risk management include project managers, executives, legal experts and information technology professionals.
Small providers and other entities may think that cybersecurity is too expensive or difficult, but the guide is written for those not experienced in cybersecurity and walks users through basic steps to protect their information systems, says Pat Toth, a small business cybersecurity specialist at NIST. “In fact, they may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival,” she adds.
Tips from NIST include:
* Review and update risk management plans at least annually and when considering changes to the business.
* When a security event happens to a business partner such as suppliers or technology vendors, use the event to make sure your business remains adequately protected.
* Identify information the practice stores and uses. It is unreasonable to protect every piece of information, so identify the most important to the business and partners. This task can be made easier by having employees make a list of all information they use in regular activities.
* Determine the value of each information type identified, and then consider what would happen to the business if this information was made public; what would happen if the information was incorrect; or if the organization or customers could not access the information.
* Require individual user accounts for each employee and ensure all employees use computer accounts without administrative privileges to perform typical work functions. This will hinder attempts—intentional or not—to install unauthorized software.
* Conduct a full nationwide background check, as well as a credit check if permissible, on all prospective employees. Consider also running a background check on yourself, as the results could reveal whether your identity has been stolen.
* Do not allow a single individual, including senior managers, to initiate and approve financial and other transactions.
* When an employee leaves the practice, collect their business ID, delete their username and account from all systems, change any group passwords they may have known, and collect any keys that were issued to them.
* Use surge protectors to prevent spikes and drops in power that could damage electronics. Implement uninterruptible power supply (UPS) technology, which provides a limited amount of battery power to allow enough time to save data if the electricity goes out.
* Patch operating systems and applications on each device owned or used. Assign a day each month for patching duties.
* Set up Web and email filters to remove emails that may have malware attached to them. If web browsers support web filtering to notify a user of potential malware, enable the option.
* When buying new computers, check for updates immediately and do the same when installing new software. Only use currently supported vendor software.
* Use encryption for sensitive information and save a copy of the encryption password or key in a secure location separate from backups. If needing to send someone a password or key, send it via phone and never in the same email as the encrypted document.
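The account-related tips above (individual non-administrative accounts for daily work, and prompt removal of departed employees' access plus rotation of shared passwords they knew) can be turned into a routine check. The script below is an added illustration, not part of the NIST guide or this article: it audits a small account inventory for those conditions. The inventory format, the sample employees and accounts, and the convention that a separate administrative account carries an `-admin` suffix are all assumptions made for the example.

```python
"""Audit a small practice's account inventory against two of the NIST tips
summarized above: daily-use accounts should not carry administrative
privileges, and departed employees should hold no enabled accounts while
any shared password they knew should have been rotated after they left.

Added example, not from the NIST guide; inventory format and sample
records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner: str          # employee the account belongs to, or "shared"
    is_admin: bool      # member of the local Administrators / sudo group
    enabled: bool
    last_rotated: date  # last password change (matters for shared accounts)


@dataclass
class Employee:
    name: str
    departed: Optional[date] = None  # None while still employed


def audit(accounts: List[Account], employees: List[Employee]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for every tip violation found."""
    findings = []
    by_name = {e.name: e for e in employees}
    departure_dates = [e.departed for e in employees if e.departed]

    for a in accounts:
        if a.owner == "shared":
            # Group passwords must be changed after anyone who knew them leaves.
            if a.enabled and departure_dates and max(departure_dates) > a.last_rotated:
                findings.append(("HIGH", f"{a.username}: shared password not rotated since last departure"))
            continue

        emp = by_name.get(a.owner)
        if emp is None:
            findings.append(("HIGH", f"{a.username}: no matching employee record"))
            continue
        if emp.departed and a.enabled:
            findings.append(("HIGH", f"{a.username}: still enabled for departed employee {emp.name}"))
        # Assumed convention: a dedicated admin account is named <user>-admin;
        # any other enabled account with admin rights is a daily-use account.
        if a.is_admin and a.enabled and not a.username.endswith("-admin"):
            findings.append(("MEDIUM", f"{a.username}: daily-use account has administrative privileges"))

    # Every current employee should have an individual, non-administrative account.
    non_admin_owners = {a.owner for a in accounts if a.enabled and not a.is_admin and a.owner != "shared"}
    for e in employees:
        if not e.departed and e.name not in non_admin_owners:
            findings.append(("MEDIUM", f"{e.name}: no individual non-administrative account"))
    return findings


# Constructed sample inventory: "bob" left on 2024-03-01 but keeps an enabled
# account, "carol" works from an admin account, and the shared front-desk
# password was last changed before bob's departure.
EMPLOYEES = [
    Employee("alice"),
    Employee("bob", departed=date(2024, 3, 1)),
    Employee("carol"),
]
ACCOUNTS = [
    Account("alice", "alice", False, True, date(2024, 1, 10)),
    Account("alice-admin", "alice", True, True, date(2024, 1, 10)),
    Account("bob", "bob", False, True, date(2023, 11, 2)),
    Account("carol", "carol", True, True, date(2024, 2, 1)),
    Account("frontdesk", "shared", False, True, date(2024, 1, 15)),
]


def run_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample inventory."""
    return audit(ACCOUNTS, EMPLOYEES)


if __name__ == "__main__":
    for severity, finding in run_audit():
        print(f"[{severity}] {finding}")
```

Run against a real export (for example, the local user list and group membership from each workstation), this produces a short list to work through on the same monthly schedule the guide suggests for patching; the `-admin` naming convention can be replaced with whatever the practice actually uses.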
The complete 54-page report from NIST is available here.