Medicare Compliance & Reimbursement

Know what KRACK stands for.

One of the byproducts of the pandemic has been an increase in online work — and cyberattacks. That’s why your practice should know both the basics and the constantly evolving list of cybersecurity terms.

Why? Keeping in sync with the hot topics in health IT allows you to protect both patient and practice data and align your compliance with federal regulations like the HIPAA Security Rule.

Bulk up your practice’s digital dictionary with these 10 cybersecurity must-knows:

1. Brute Force: A cyber-hijack that involves brute force breaks systems by repeatedly trying different passwords until finding one that finally works. Once the encryption is compromised, the hackers can take down the system. Combat brute force attacks with advice from the Department of Homeland Security (DHS) at www. dhs.gov/sites/default/files/publications/Encryption- Software-TN_0913-508.pdf.

2. Role-based access control: This type of health IT systems configuration adapts access to both hardware and software based on the role you play in your practice. “Care must be taken to assign staff to the correct roles and then set access permissions for each role correctly with respect for the need to know,” advises the HHS Office of the National Coordinator for Health Information Technology (ONC) in its “Top 10 Tips for Cybersecurity in Health Care.”

3. DDoS Attack: Distributed Denial of Service attacks wiggle into your systems and attack your resources, literally stopping your ability to do business. “Hackers accomplish a DDoS attack by literally sending so much web traffic at a target that it is unable to function,” notes DHS in DDoS online guidance.

4. Handshake Traffic: This back-and-forth greeting centers on the agreement of two systems to do business. Technically speaking, it refers to the “protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other,” the National Institute of Standards and Technology (NIST) cybersecurity guidance says.

5. Internet of Things: Also known as the IoT, the Internet of Things concerns the connection of devices, systems, objects, and more to the Internet. This coordination supports the idea that connecting everything in your office and life will make practicing medicine more efficient and easier, but that’s not always the case. With each new hook up, the opportunity for the loss of electronic protected health information (ePHI) rises.

6. Jailbreak: This is a slang term that concerns the override of restrictions, usually on mobile devices like cell phones and tablets, in order to decrypt and install malware, illegal software, and/or other barred applications. For this reason, it is critical to keep all your practice devices locked with multifactor authentication and at-rest protocols as hackers may attempt to jailbreak a mobile unit when you leave these tools unattended.

7. KRACK: Key Reinstallation Attacks, or KRACKs, happen when a hacker uses weaknesses in Wi-Fi systems. “An attacker within the wireless communications range of an affected [access point] AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used,” says the U.S. Computer Emergency Readiness Team (CERT) in online guidance. The only way to eradicate KRACK issues is to consistently install updates to impacted products.

8. Mobile Device Management: Often referred to under its acronym MDM, mobile device management covers the administration of a practice’s mobile devices, and also the security, updates and upgrades, implementation, and protection of these devices. MDM software helps with the organization of your office cellphones, tablets, and laptops to ensure the protection of ePHI.

9. 2FA: Formerly known as two-factor authentication, this type of encryption increases the protection of your devices by requiring both a password and another security measure. This adds another layer of user authentication for covered entities to when securing ePHI.

10. Virtual Private Network: Though many remote users know this term under its acronym VPN, they often don’t know what it actually means. A VPN allows you to securely share your health data in a public network through the utilization of a private and secure network. The VPN offers you online protection virtually, and the utilization of a secure VPN remains a top resource for protecting ePHI on mobile devices, suggests the HHS Office for Civil Rights (OCR) Cybersecurity Newsletter.