All of us make security decisions every day. Information security is not just the responsibility of your organization’s IT department. Rather, information security is everyone’s
responsibility. We make decisions all the time which impact the security posture of our organizations. For example: 1) Do I open this email attachment? 2) Do I visit this website? 3) Do I click on this web link? 4) What information do I share online? All of these decisions can positively or negatively impact the security posture of your organization.
Here are five things you can do to positively impact your organization’s security posture. Remember: Your actions can make a difference!
Use strong passwords and practice good password habits
You should choose a strong password which is easy for you to remember but difficult for others to guess and for hackers to crack. Your password safeguards your account, as well as system resources and applications to which you have access. Avoid sharing your passwords with other people, and make a unique password for each account. Additional tips are available on the HIMSS World Password Day web page. And of course, always follow your organization’s password policy and procedures.
Don't catch that phish!
Phishing is a type of social engineering scheme that is commonly deployed by email. Phishing may also be deployed by voice calls (vishing) or SMS text messages (SMiShing). Phishing is designed to collect sensitive information from you or prompt you to perform a desired action (e.g., opening a malicious attachment).
As an example, a phishing email may actually contain a malicious link or attachment which could infect your computer or device with malware. Your computer, shared drives and other devices on your organization’s network may become infected. As a result, your organization may experience unplanned downtime, and the flow of patient information and business operations may be negatively impacted. Your organization may also experience data loss and system unavailability.
So, what do you do if you get a suspicious email? Do not click or open any suspicious emails or email attachments yourself. Immediately call your IT help desk or designated point of contact, report the incident to them and follow their instructions. By working hand in hand with your organization, you can mitigate security incidents!
Surf the internet safely
Many organizations have web gateways in place that filter or restrict which websites you can access. These web gateways exist for a good reason: to allow you to access legitimate websites so that you can do your job and block illegitimate websites (such as phishing websites) to prevent attackers from compromising your computer. If you are having trouble accessing a website which you feel is necessary for you to do your job, contact your IT help desk or appropriate point of contact.
Remember: not all websites are innocuous, and some websites are malicious (including legitimate websites with malicious ads, also known as “malvertising”). Attackers will use any open door they can (including the web) to compromise your organization’s network, computers and devices. Be cautious and check with your appropriate point of contact instead of doing a “workaround” to access any websites which have been blocked by your organization.
Your organization may also have an “acceptable use policy” in place that outlines what you can and cannot do when using your organization’s resources (e.g., computers and the internet). If this acceptable use policy is in place, adhere to it and be sure to ask your policy’s point of contact, in case you have any questions.
The dangers of removable media and mobile devices
Unless authorized by your organization, do not insert CDs, DVDs, USBs or other removable media into your system. There are several reasons why doing so is not a good idea. First of all, removable media may have malicious software, and inserting them into your system may infect your system (and potentially your organization’s network). Second, if the removable media is writable (e.g., USB flash drives, solid state drives, hard drives, DVDs, etc.), sensitive data may be written to the media and this may be a good way for data to leak from your organization (if the removable media is lost, stolen or otherwise compromised).
Mobile devices may also pose a risk to your organization. Your organization may allow you to use your own personal mobile device for work purposes (also called “Bring Your Own Device” or “BYOD”). If your organization does allow BYOD, then here are a few tips. Remember to lock your device when not in use. Physically safeguard your mobile device and never leave it unattended. Encrypt all removable media and mobile devices. For more mobile device safety tips, you can view the HIMSS infographic Healthcare Industry’s Guide to Keeping Information Safe & Secure When You are Mobile.
Social media: not just for fun and games
Social media has grown beyond just personal use. Many organizations use social media for business purposes. Given the popularity of social media, an organization’s social media presence can be a powerful tool. However, social media can also be a double-edged sword. Social media can be an open door to you and your organization. That open door can be used by an attacker to gain access to your organization’s computers and network.
The hidden dangers of social media include shortened links. There is no guarantee that a shortened link leads to a legitimate website. Instead, the shortened link may lead to a malicious,phishing website. So, take necessary precautions before you click on shortened links. Consider using a shortened link expander service to determine where the shortened link leads.
There are also other hidden dangers of social media. Malware may hide in images, presentations, PDFs, word processing documents and more. Be careful in accessing content from social media. Just because someone is sharing content on social media platforms does not mean it is legitimate content. Finally, be careful with whom you connect online – the person could be an attacker trying to elicit sensitive information from you and/or your organization.
For more security tips and advice for your organization, check out HIMSS’ Privacy & Security Library or visit staysafeonline.org.
About the Authors
Josh Black, Bayardo Alvarez and Carrie McGlaughlin are members of the HIMSS Privacy and Security Committee. The Committee guides implementation of strategic initiatives that promote the privacy and security of healthcare information and management systems.
Josh Black, MA-BOSM, Security+, has worked in information security for 15 years – 10 for the U.S. Air Force and five in healthcare. Josh currently serves as a health administrator for the Arkansas Air National Guard and as the information security specialist for Baptist Health.
Bayardo Alvarez is the director of IT for Boston PainCare Center, an interdisciplinary pain management practice serving the Greater Boston area. Prior to working in healthcare, he served in various industries, including telecommunications, manufacturing and higher education.
Carrie McGlaughlin, CISM, has worked two decades in healthcare IT and is the director of IT and HIPAA security officer at the Buckeye Ranch, a behavior and mental health organization for youth and families.
Lee Kim, J.D., CISSP, CIPP/US/FHIMSS, is the director of privacy and security at HIMSS. Lee is also an AV-rated attorney in healthcare and intellectual property law. Prior to her legal care, she worked as an IT administrator for healthcare, software and academic institutions.