A new security standard has been gaining popularity because it combats both Zero-day malware and insider threats by taking a “trust no one” approach. This security policy is called Zero Trust.

2020 saw an unprecedented number of cyberattacks on all vectors, from ransomware to IoT attacks. The FBI reported a 400% increase in cybercrime reports during the midst of the pandemic.

Many of these attacks come from insider threats, which are typically much more difficult to guard against without the right IT security in place. A hacker gains access to a user's login and they’re inside the system and seen as a trusted user.

Between 2018 and 2020, insider attacks on businesses have risen by 47%.

Another cause of the increased threat landscape is that brand new malware variants (aka Zero-day) are coming out at a record pace. From file-less attacks to mobile ransomware, antivirus/anti-malware databases can have a hard time keeping up with all the new threat iterations. 

How Does Zero Trust IT Security Work?

In a traditional cybersecurity approach, a ring of protections is placed around a network, this is called a castle-and-moat concept. This approach assumes that anyone that makes it past those protections is approved to be in the castle and may move around freely according to their permissions.

This translates to if a user logs in with approved login credentials, they are assumed to be approved to be in the system legitimately and can perform tasks according to the access privileges attached to that user account.

Once a user gains access to a system, this type of strategy doesn’t continually check credentials for that user, they’re trusted.

When it comes to detecting malware, things like file-less attacks (which don’t use a malware-infected file) and Zero-day malware can make their way past standard antivirus programs because they’re looking for the “bad guys” that are on a list of known malicious malware variants. If malware is brand new, it may not be on that list.

Moving from Default Trust to Trusting No One

How Zero Trust security works is to take away that default trust posture, and instead trust no one unless they’ve been verified regularly. Rather than assuming everyone inside the castle is supposed to be there, a Zero Trust approach will continually challenge the validity of users and devices to verify their legitimacy.

When it comes to malware detection, using Zero Trust security means not only relying on a database of known threats to tag the bad guys but also telling the system who the good guys are (approved programs and commands) and then only allowing those to execute in a system, stopping all that are not on the list of trusted applications.

Zero Trust isn’t just one application, it includes a number of safeguards that protect networks and data from rogue users, unknown malware, malicious systems commands, and more. 

Systems to Use for a Zero Trust Security Policy

Moving to a Zero Trust cybersecurity policy can greatly improve the defenses for your Houston area business and ensure your network and cloud accounts are protected from insider threats.

Here are some of the systems that are used to create a Zero Trust Security network.

Application Whitelisting 

Application whitelisting designates what programs are allowed to run and that can execute commands within a computer or network. This method stops unknown malware and fileless attacks from creating problems. They are blocked automatically because they’re not on the whitelist of approved programs.

This tactic is often used along with application ringfencing, which takes the concept a step farther and designates which programs can interact and how they can interact.

Advanced Multi-Factor Authentication

Part of running a Zero Trust Security network is to not just assume anyone logged in with a legitimate user account is a legitimate user. Users need to be verified continually. 

This isn’t done by interrupting users for another login throughout the day, it’s done by using advanced multi-factor authentication, which can be used to:

• Challenge high-privilege users with additional security questions
• Add restrictions should someone be logging in from outside a set geographical area or during non-business hours
• Log users out automatically at the end of a session

End Point Device Management

Ongoing monitoring of devices connected to company resources is another important part of Zero Trust security. Devices are monitored for where they’re logging in from, what they’re doing when logged in and typical use patterns.

If use falls outside of normal patterns, the endpoint management application has the ability to revoke device access to all system assets.

Additionally, endpoint device management apps allow you to remotely control things like application of security patches and updates.

Is Your Company’s Cybersecurity Strategy Strong Enough for the Newest Threats?

Digital Crisis can help your Houston area business review your current IT security policies and enact Zero Trust Security protections that strengthen your defenses against attacks. 

Contact us today to schedule a consultation. Call 713-965-7200 or reach us online.

Small health care providers, such as private practices and dental offices, can sometimes get intimidated by the thought of Health Insurance Portability and Accountability compliance and what that means.

Failure to comply with HIPAA guidelines can mean higher fines in the case of a breach of protected health information (PHI). The regulation uses a sliding scale, and companies found to be negligent when it comes to a violation face stiffer penalties than companies that did all they could to prevent a breach.

HIPAA penalties range from $100 to $50,000 per incident or each breached record, up to $1.5 million per year.

Compliance with this regulation impacts just about every part of a Houston business’s technology infrastructure. This includes how data is transmitted and stored, employee training, and what types of cybersecurity strategies are in place.

Understanding what’s required under HIPAA is the first step to compliance. Once you see how each part connects, you can gain a better understanding of what your company has to do to be compliant.

Here’s a HIPAA “cheat sheet” to get you started.

Who is Required to Comply with Health Insurance Portability and Accountability?

Is your organization required to comply with HIPAA? The short answer is, if you handle protected health information in any way, then you will fall under this guideline and are a “covered entity.”

Covered entities that need to comply with the guideline include

• Health plans
• Health care clearinghouses
• Any health care provider that transmits electronic health information
• Business associates that help carry out healthcare activities or functions

What Does HIPAA Do?

In a nutshell, Health Insurance Portability and Accountability is designed to create a national standard for protection of patient rights and sensitive patient health information.

Some of the key goals of these rules include:

• Give patients more control over their health information 
• Create boundaries on use and release of PHI
• Establish safeguards that health care providers must follow to protect the privacy of health information
• Hold those that violate Health Insurance Portability and Accountability rules accountable

HIPAA Includes 4 Separate Rules

There are four different Health Insurance Portability and Accountability rules that companies need to comply with. These include:

• HIPAA Security Rule: This rule covers data security safeguards of PHI and what’s known as electronic PHI (e-PHI). Including technology safeguards and physical security.
• HIPAA Privacy Rule: This rule applies to all covered entities, with the exception of business associates. It includes provisions for patient access to their PHI, privacy notices, and regulatory standards documentation.
• HIPAA Breach Notification Rule: This sets parameters for a “minor breach” and “meaningful breach” and requirements for what needs to happen with each one. It includes deadlines for when breach notifications must be made.
• HIPAA Omnibus Rule: This relates to the necessity of Business Associate Agreements and states that they must be executed before PHI can be transmitted.

What Are Some Common Health Insurance Portability and Accountability Violations?

To get a good feel for what not to do when it comes to HIPAA compliance, it’s a good idea to review HIPAA violations, which are public.

Here are a few of the common violations that have occurred so far in 2020:

• Failure to honor the right of access of patients to their health records
• Failure to terminate a former employee’s access to PHI
• Data breach of a database containing patient records
• An unencrypted laptop was stolen, allowing access to PHI

In one case, a small health care provider, Agape Health Services, had to pay $25,000 in fines due to multiple HIPAA violations, which included the impermissible disclosure of over 1,000 PHI records to an unknown email account.

Safeguards That Fall Under the HIPAA Security Rule

The Health Insurance Portability and Accountability Security Rule is one that businesses tend to worry about the most because it involves the physical and digital security of protected health information. 

Here are some of the main facets to this rule that businesses need to be aware of:

• Risk Analysis: An IT risk analysis helps businesses identify areas of vulnerability in their IT infrastructure needed to protect PHI. It also shows a good faith effort to comply with HIPAA.
• Administrative Safeguards: This includes things such as employee HIPAA awareness training, data access policies and procedures, and documentation of HIPAA compliance activities.
• Technology Safeguards: This includes the protection you put in place to safeguard PHI from being compromised, like a firewall or managed IT services.
• Physical Safeguards: This includes physical building security and security of devices like laptops or tablets that contain PHI or access to PHI.
• Cyber Attack Response: This includes the response plan you have in place to mitigate the damage from an attack and report any breaches per HIPAA breach notification guidelines.

Make HIPAA Compliance Easy by Working With Digital Crisis

Digital Crisis can help your Houston area business with Health Insurance Portability and Accountability compliance, taking the burden off your shoulders. We’ll worry about your data security, so you can focus on your company. 

Contact us today to schedule a consultation. Call 713-965-7200 or reach us online.