Cybersecurity 101 final

Nov. 7, 2017

  1. Cybersecurity 101: Protecting Your Practice in an Evolving Threat Landscape - Kemper W. Brown Jr., CISSP
  2. A glimpse of the current cyber threat landscape…
  3. How do you protect your practice?
  4. • Annual HIPAA Security Assessments
     • Security Awareness Training
     • Robust Data Backup Solution
     • Layered Security Posture
  5. Layered Security Posture
     Perimeter Defense
     • Firewall with deep-inspection capability
     • URL Content Filtering
     • Intelligent Spam Filtering
     Systems & Applications
     • Vulnerability Patching
     • Patch Management
     • Antivirus/Antimalware
     People - Users
     • Awareness Training
     • Safe social media practice
  6. • 60% of small businesses don’t use any encryption on their wireless networks
     • Two-thirds of these businesses don’t have a security plan in place
     • Nearly one-fifth of small businesses don’t use or have antivirus software
     - National Small Business Cyber Security Study
  7. Having a robust firewall and Antivirus software is no longer enough. The majority of breaches that occur today are a result of an unsuspecting employee clicking something they should not have.
  8. Phishing
  9. Training
  10. JP Morgan dupes 20% of staff into opening fake phishing emails. - finextra
      20% = 46,871 employees
  11. Social Engineering ALWAYS Works
  12. Considerations if you’ve been breached…
  13. First Things First
      • Document, Document, Document
      • Contact Critical IT Personnel
      • Isolate affected systems from the network
      • DO NOT POWER OFF BREACHED SYSTEMS
      • Begin analysis and respond according to organization WISP (Written Information Security Policy)
  14. Questions You Need Answered
      • Who is responsible for the breach? External hackers? Internal personnel?
      • When did the breach occur?
      • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access the information?
      • Was PHI compromised?
  15. Contact IT Security Professional
      • Deep dive of identified security issues
      • Remediation of network security issues
      • Ensure the network has returned to a secure state
  16. Contact professional legal counsel
      • Assistance with notification plan and communications/documentation related to the breach
      • Preparation and handling of potential liability lawsuits
  17. Notify all appropriate parties
      The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
  18. Address Risks
      • Conduct thorough security audit to identify any additional risks
      • Remediate all identified risks
      • Establish proper protections and protocols for future threats... they are coming back
  19. What’s next…
  20. An ounce of prevention is worth a pound of cure
  21. Thank you!