Cyber Security & HIPAA Compliance

As technology advances, the rate of cyberattacks grows. At Dentistry MSP, we provide the most advanced protection against cyberthreats. Our team is here to handle your online security, detection, training, and monitoring. We want you to have the peace of mind that you need to grow your business.

Framework of Cyber Security

Identify

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

  • Access Control
  • Awareness & Training
  • Data Security
  • Processes and Procedures
  • Maintenance
  • Protective Technology

Detect

  • Anomalies and events
  • Security Continuous Monitoring
  • Detection Processes

Respond

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover

  • Recovery Planning
  • Improvements
  • Communications

HIPAA Breach

5 Current Threats

  1. Email Phishing Attacks
  2. Ransomware Attacks
  3. Loss or Theft of Equipment or Data
  4. Internal, Accidental, or Intentional Data Loss
  5. Attacks Against Connected Medical Devices That May Affect Patient Safety

10 HHS Recommended Practices

  1. Email Protection
  2. Endpoint Protection
  3. Access Management
  4. Data Protection and Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability management
  8. Incident Response
  9. Medical Device Security
  10. Cyber Security Policies

Our Cybersecurity Solutions

Email Protection

Email System Configuration

  • Controls to enhance Security
    • Avoid “free” or “consumer” email systems
    • Install spam/antivirus software solutions
    • Deploy Multifactor authentication to access your email system
    • Configure email to tag messages as “EXTERNAL”
    • Implement Email Encryption
    • Provision every employee with a unique email user account

Education and Phishing Simulations

  • Increase staff understanding and awareness to protect your organization
  • Implement education and awareness activities to assist your employees in protecting your organization
    • Look for suspicious From: addresses
    • Be cautious with “too good to be true” messages
    • Configure email to tag messages as “EXTERNAL”
    • Check embedded links

Endpoint Protection

What are your endpoints?

Desktops, laptops, mobile devices, other connected hardware devices

Basic Endpoint Protection Controls

  • Remove administrative accounts
  • Keep your endpoints patched
  • Implement antivirus software
  • Turn on encryption
  • Enable firewalls
  • Enable Multifactor authentication for remote access

Access Management

  • Establish a unique account for each user
  • Limit use of shared or generic accounts
  • Tailor access to needs of user
  • Terminate user access as soon as user leaves organization
  • Provide role-based access
  • Configure systems with automatic log off
  • Implement Multi Factor Authentication

Data Protection and Loss Prevention

  • Understand where the data resides
  • Reinforce consequences of lost or compromised data
  • Policies should address user interactions with sensitive data
  • Data Classification Structure
    • Highly Sensitive – SSNs, credit card numbers, mental health information, substance abuse, sexually transmitted infections
    • Sensitive – All other PHI
    • Internal – Organizational policies, contracts, business plans, internal business communications
    • Public – Data sanitized and approved for distribution to public

Encrypt all PHI sent via email or text

Asset Management

  • Inventory
    • Complete an accurate inventory of IT assets
    • Perform a complete inventory audit and tag all assets with unique identification numbers
  • Procurement
    • Standard operating procedures to include updates to inventory records
  • Decommissioning
    • Secure destruction process
    • Record of destruction

Network Management

  • Network Segmentation
    • Restrict access to the least amount of permissions needed to perform duties
  • Physical Security and Guest Access
    • Keep data and network closet locked
    • Disable network ports that are not in use
  • Intrusion Prevention
    • Up to date firewall licenses and firmware

Vulnerability Management

  • Conduct Vulnerability Scanning to proactively identify flaws
  • Conduct routine patching of security flaws
  • Remediate identified vulnerabilities

Incident Response

  • Establish and implement an incident response plan
  • Define who staff should contact in case of an incident
  • The plan should describe the steps to follow in the event of a malware download
  • Establish a method to receive notifications about cyber threats

Medical Device Security

  • Cybersecurity for Medical Devices follows the practices that we discussed in:
    • Endpoint Protections
    • Identity and Access Management
    • Asset Management
    • Network Management
    • Vulnerability Management
    • Security Operations and Incident Response

Cyber Security Policies

  • Roles and Responsibilities – Who is responsible for implementing security policies?
  • Education and Awareness – How will you train your users?
  • Acceptable Use/Email Use – What is permitted and what is not permitted?
  • Data Classification – What is PHI? What cannot be disclosed?
  • Personal Devices – Give employees expectations on the use of personal devices at work
  • Laptop, Portable Devices, and Remote Use – Policy on mobile device security
  • Incident Reporting and Checklist – What is an incident, and who do I report it to?

How Dentistry MSP Can Help

  • Practice Domain – M365 Business Premium
  • Antivirus & Patch Management
  • Electronic & Physical Access Control
  • Risk Intelligence
  • Electronic Inventory
  • Online Monitoring / Intrusion Prevention
  • Vulnerability Scanning & Real Time Alerts
  • Security Risk Assessment Assistance
  • Online Monitoring of BYOD Devices
  • Cyber Policies & Security / HIPAA Training