October brings cooler weather, Halloween, and a month-long opportunity to reinforce your cybersecurity. That’s because October was designated National Cybersecurity Awareness Month as a collaborative effort between government and industry to call attention to an issue we’re all facing – how to protect our personal information as we share more and more of it online.
Throughout the year, we write about cybersecurity issues on our blog to inform our readers about possible threats and offer some guidance on how to protect themselves.
We could all do with a little refresher course on some of the most pressing challenges, such as choosing the best password manager and making sure your encrypted emails are truly HIPAA compliant.
In today’s post, we’re going to highlight some of our most popular topics.
1. Cultivate good password practices
This might be the piece of security advice we give more than any other, and yet it’s amazing how often we still have to give it.
Stop using the same password for everything.
With so many suitable password generators, some even built into your web browser, and numerous password managers to choose from, there’s no reason to duplicate passwords. Using the same password for different accounts is one of the worst things you can do in your online life, because a single leaked password then unlocks every account that shares it, leaving you vulnerable to cyberattacks of all kinds.
Choosing a good password manager doesn’t have to be difficult, and once the decision is made, your life will be much easier. Take a look at our blog post How to choose a password manager for tips and suggestions on finding the best one for you.
2. Avoid phishing scams and make sure you aren’t mistaken for one
Have you heard about phishing? It’s when a cybercriminal sends you an email that asks for your personal information under false pretenses. If you “take the bait,” your information can be stolen and used for any number of purposes, ranging from setting up fraudulent accounts to being sold on the dark web.
Your best defense against phishing is to slow down enough to spot a few red flags. Ask yourself the following questions when you receive an email you aren’t expecting:
- Does the message seem out of place?
- Does the sending email address match who the sender claims to be?
- Is the email awkwardly composed with poor grammar?
- Does the email open with a generic greeting?
If you answer “yes” to any of these questions, that doesn’t necessarily mean it’s a scam, but you have good reason to proceed with caution. Even if the email looks professional, don’t use the link in the email. Instead, log in through the website as you normally would to find out the status of your account. If you’re still unsure about the validity of the email, contact the customer service number listed on the website and explain the situation.
It’s a good idea to make it a rule to never send personal information such as passwords and other credentials through email.
Learn more about phishing in our blog post How to avoid phishing scams (and recover if you’re caught).
Don’t get mistaken for a phisher!
When email services make an effort to catch bad emails, good emails can get caught, too. By setting your SPF records, you can help ensure that your emails aren’t flagged or blocked.
You can read all about how to do this in our blog post Make sure your emails get through with SPF records.
3. Make sure your encrypted emails are HIPAA compliant
If you’re a healthcare practitioner, cybersecurity takes on a whole new meaning. If the security of your system is breached and protected health information (PHI) is stolen or lost, that could require a report to the affected individuals, the media, and the Department of Health and Human Services. One way you can protect yourself is with an encrypted email service backed up by a Business Associate Agreement.
However, using an encrypted email service is just the first step. It’s crucial that you go through a series of checks before you send the email to ensure that it’s secure and HIPAA compliant.
Be careful what you put in the subject line. Subject lines are the most visible part of an email. They are displayed when listing emails and can be seen in notifications on some devices.
Be sure to place any private or identifying information in the body of the email, not the subject line. Examples of inappropriate subject lines include: “Feedback on your depression screening” or “Welcome back to our ADHD support group.” While seemingly straightforward, these subjects reveal too much information about the recipient.
Outside of your practice, you probably try to make your subject a clear, concise description of your email. This isn’t always possible when you’re handling PHI. Instead, you may have to rely on more general phrasing. For example, you might rewrite the subject lines above as “Assessment” or “Welcome back.”
Double-check email addresses. This advice might seem simplistic, but you’d be surprised how many errors are made by not looking closely at the recipient. When your email application automatically fills in a name, it’s easy to mistake a John Smith for a Jon Smith, or a Heather Bell for a Heather Biel. The solution is to slow down when sending an email and take the time to carefully select the correct address.
Be very careful about sending group emails. As a rule, group emails are a bad idea when it comes to protecting PHI. If the email implies information about the recipients, such as an email welcoming new members to a support group, then it’s considered PHI and under the protection of HIPAA. If you must send group emails, make sure they contain only very general information.
Make sure you enable encryption. All encrypted email services are different and have unique encryption mechanisms. It’s important that you understand what they are, when they’re automatic, and when they require action. For example, with Hushmail, encryption can be automatic between Hushmail users, but if you’re communicating with someone who doesn’t have a Hushmail account, it requires you to turn on encryption when composing an email. Take the time to make sure the encrypted email you think you’re sending is, indeed, encrypted.
Pause before sending. We’re all busy. It’s easy to get caught up in what we’re doing and forget some of these simple checks. That’s why one check should never be ignored - pause before you send.
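The pre-send checks above (subject line, recipient address, group emails, encryption) can be turned into a small policy check that runs before a message leaves your client. This is an added example, not Hushmail’s own code; the message structure, the keyword list, and the address-book look-alike test are assumptions.

```python
"""Pre-send findings for an outgoing email that may carry PHI (added example)."""
import difflib
from dataclasses import dataclass
from typing import List

# Constructed list: terms that, in a subject line, imply a diagnosis or a
# treatment relationship. Extend it for your own practice.
SENSITIVE_SUBJECT_TERMS = ("depression", "adhd", "screening",
                           "support group", "therapy", "diagnosis")


@dataclass
class OutgoingEmail:          # assumed message shape, not a real client API
    subject: str
    recipients: List[str]
    encrypted: bool


def check_subject(subject: str) -> List[str]:
    """Flag subject lines that reveal PHI; the body is the place for it."""
    low = subject.lower()
    return [f"subject line reveals PHI: '{t}'" for t in SENSITIVE_SUBJECT_TERMS if t in low]


def check_recipients(recipients: List[str], address_book: List[str]) -> List[str]:
    """Catch unknown addresses and look-alikes (john.smith vs jon.smith)."""
    findings = []
    for r in recipients:
        if r not in address_book:
            findings.append(f"recipient {r} is not in the address book")
        others = [a for a in address_book if a != r]
        close = difflib.get_close_matches(r, others, n=1, cutoff=0.85)
        if close:
            findings.append(f"recipient {r} is easily confused with {close[0]}")
    return findings


def check_group(recipients: List[str]) -> List[str]:
    """Group emails let each recipient infer information about the others."""
    return ["group email: each recipient learns who else received it"] if len(recipients) > 1 else []


def check_encryption(recipients: List[str], encrypted: bool, internal_domain: str) -> List[str]:
    """Encryption must be switched on when any recipient is outside the service."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    if external and not encrypted:
        return ["encryption not enabled for external recipient(s): " + ", ".join(external)]
    return []


def presend_findings(msg: OutgoingEmail, address_book: List[str], internal_domain: str) -> List[str]:
    """Run every check; an empty list means the message passed the pause-before-send review."""
    return (check_subject(msg.subject)
            + check_recipients(msg.recipients, address_book)
            + check_group(msg.recipients)
            + check_encryption(msg.recipients, msg.encrypted, internal_domain))
```

An empty result is not a guarantee of compliance; it only means none of these mechanical checks fired, so the final pause before sending still belongs to the person.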
4. Conduct a risk assessment
One of the most valuable things you can do to shore up your cybersecurity is to conduct a risk assessment. If this sounds complicated, don’t worry. The team at Hushmail has taken the guesswork out of the risk assessment process and laid out steps to get you from having no idea how secure you are to fully confident that your practice is as secure as possible.
It all starts with analyzing your assets. This includes everything from physical goods to digitized data, such as personal information and client databases.
Then imagine what the impact would be if these assets were lost, stolen, or mishandled.
Next, mitigate your risk. This means taking sensible steps to guard your assets. Examples of risk mitigation might be developing an in-depth IT security policy for your staff or subscribing to an encrypted email service.
Our post Risk assessment for small businesses gives a more comprehensive explanation of what risk assessment is and how it can benefit your practice. When you’re ready to conduct an assessment, we invite you to sign up to receive our risk assessment guide that will hold your hand as you go through the steps.
5. Read this HHS cybersecurity report
A risk assessment is one of the actions required by HIPAA and discussed in the report published by HHS about cybersecurity for healthcare practices. This is a very useful report that includes a section just for small practices with actions you can take to help protect your clients’ PHI. We wrote a brief review of the report in our blog post The HHS cybersecurity report that will help you protect your clients’ information.
For a broad view of what cybersecurity is and why cybersecurity practices are necessary; 10 specific practices that can be implemented now; and numerous resources to help in implementation, read the entire report.
If you’ve wanted a clear map to strengthening your online security, this report is definitely worth a careful read, even if you aren’t in the healthcare field.
It’s time to take a closer look at cybersecurity
In celebration of National Cybersecurity Awareness Month, we’re publishing a series of security tips on our Facebook page and Twitter feed. We encourage everyone to interact with us online and let us know what you’ll be doing this month to bolster your security.