Cybersecurity Program Development

Cybersecurity Program Basics
An effective cybersecurity program will:
– assign responsibility
– identify information assets
– conduct periodic risk assessments
– implement security controls
– monitor effectiveness over time
– conduct regular effectiveness reviews
– address third party risks
HIPAA Security
The HIPAA security rule outlines a series of security standards and implementation specifications, such as the requirement for healthcare providers to conduct risk analysis and protect against all reasonably anticipated threats. Healthcare providers must evaluate their systems from both a technical and nontechnical standpoint to ensure that policies and procedures meet HIPAA security requirements. HIPAA risk evaluations should occur routinely, after environment changes, and after operational changes.
Cybersecurity HIPAA Risk Management Guideline
– Determine the scope of the analysis
– Collect data
– Identify and document potential threats and vulnerabilities in the system (including the policies and procedures involved in the system)
– Assess current cybersecurity training, standards and procedures
– Determine the probability of threat occurrence
– Determine the potential impact of threat occurrence
– Determine current risk level
– Finalize documentation of the risk analysis
– Periodically review and update the risk analysis
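The steps above describe a risk analysis as a procedure but do not show what the resulting record looks like. The following Python risk register is an added example (not part of the original page or of any HIPAA guidance) that carries the steps through: each entry documents an in-scope asset, a threat/vulnerability pair and existing controls, the probability and impact are scored, a risk level is derived, entries are prioritized, and entries whose review is overdue (or where the environment changed) are flagged. The five-point scales, the level thresholds, the one-year review interval and all sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed five-point qualitative scales; the HIPAA Security Rule does not prescribe them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
REVIEW_INTERVAL = timedelta(days=365)  # assumed: review at least annually


@dataclass
class Risk:
    """One documented threat/vulnerability pair against an in-scope information asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    last_reviewed: date
    existing_controls: list[str] = field(default_factory=list)

    def __post_init__(self):
        # Reject values outside the agreed scales so the register stays consistent.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r}")

    def score(self) -> int:
        # Probability of occurrence times potential impact (assumed scoring model).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Assumed thresholds on the 1..25 product.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"

    def review_due(self, today: date, environment_changed: bool = False) -> bool:
        # Re-analysis is due after environment or operational changes, or when the interval lapses.
        return environment_changed or (today - self.last_reviewed) >= REVIEW_INTERVAL


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest risk first; asset name breaks ties so the order is deterministic."""
    return sorted(register, key=lambda r: (r.score(), r.asset), reverse=True)


def summarize(register: list[Risk], today: date, environment_changed: bool = False) -> dict:
    """Group prioritized entries by risk level and list entries whose review is due."""
    by_level = {"high": [], "medium": [], "low": []}
    for r in prioritize(register):
        by_level[r.level()].append(f"{r.asset}: {r.threat}")
    reviews_due = [f"{r.asset}: {r.threat}"
                   for r in register if r.review_due(today, environment_changed)]
    return {"by_level": by_level, "reviews_due": reviews_due}


def sample_register() -> list[Risk]:
    """Constructed sample entries for illustration; not real findings."""
    return [
        Risk("ePHI database", "ransomware", "unpatched server OS", "likely", "severe",
             date(2023, 1, 10), ["offline backups"]),
        Risk("clinical workstations", "credential phishing", "no MFA on remote access",
             "likely", "major", date(2024, 3, 1), ["security awareness training"]),
        Risk("backup media", "loss in transit", "unencrypted tapes", "unlikely", "major",
             date(2024, 2, 15), ["chain-of-custody log"]),
        Risk("guest Wi-Fi", "misuse by visitors", "weak network segmentation", "possible",
             "minor", date(2024, 5, 1), ["separate VLAN"]),
    ]


if __name__ == "__main__":
    report = summarize(sample_register(), date(2024, 6, 1))
    for level, items in report["by_level"].items():
        print(level, items)
    print("reviews due:", report["reviews_due"])
```

The same structure serves the "collect data" and "finalize documentation" steps: the register itself is the documentation, and `summarize` is the periodic review output. Passing `environment_changed=True` models the rule that a change to the environment triggers re-analysis of every entry regardless of age.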
Routine Cybersecurity Tests Include:
drills & tabletop exercises – active, participatory discussion of roles, policies, responsibilities, and response efforts should an incident occur
external vulnerability scanning – using an external software-based tool to analyze vulnerabilities
penetration testing – a penetration test, also known as a pen test, pentest, or ethical hacking, is an authorized simulated cyberattack on a computer system. Ultimately, penetration testing is performed to evaluate the security of the system and identify the routes and methods attackers could use to enter the system and compromise data
phishing & spear phishing – create a mock phishing scam using social media, the phone, or email to test whether employees can be tricked into granting network access or disclosing information