In my last column, I created a mythical residential real estate law firm called, RealFirm,LLC. It has five employees who sometimes work remotely and leverages Microsoft Office 365 for email and office collaboration.
RealFirm wants to Achieve Compliance with its cybersecurity system that meets minimum acceptable implementation of cybersafety policies, protocols, and controls.
We did a Discovery Review and Initial Report for RealFirm that cost $ $5,000-10,000.
Now, let’s go over what we found in our Situation Review and discuss steps for Remediation, costs and priorities to Achieve Compliance for RealFirm, LLC.
SITUATION: RealFirm does not have ransomware-proof data backup.
Risk: Will have to pay ransom if ransomware installed by hackers, like Estes Park Health did earlier this summer; HIPAA violation.
Remediation: Install and configure onto server.
Cost/Priority: High-Priority. $3,000 per year.
SITUATION: RealFirm does not have at least 18 or more cybersecurity policies and procedures customized to the firm.
Risk: Staff does not know what to do if hacked, which increases time-to-detection; for a real-life example take a look at Flipboard, whose customers’ information was accessible to hackers for almost a year.
Remediation: Write 18 policies and customize them based on the security controls.
Cost/Priority: High-Priority. $5,000 one-time, plus Managed Security Services of $1,500 per month.
SITUATION: The firm does not have enough security controls in place to protect against brute force attacks, such as unauthorized intrusions. The managing partner thought its antivirus software was sufficient.
Risk: Antivirus is only 5% effective against the latest threats like ransomware.
Remediation: Install patented multi-layered security.
Cost/Priority: High-Priority. Included in above Managed Security Services.
SITUATION: The firm did not have an adequate security awareness training program in place to protect against wire fraud scams, social engineering, phishing, etc. Firms often cannot provide proof of people going through the training.
Risk: Puts your patients’ ePHI at risk, like the 183,000 Presbyterian Health clients who were breached this week.
Remediation: Train, test and certify all staff.
Cost/Priority: High-Priority. Included in above Managed Security Services.
SITUATION: Real Firm is not continuously monitoring/backing up their security logs which is required for compliance.
Risk: This is another way hackers will be able to stay even longer in your system. They should be reviewed daily, even on holidays like this Timehop breach demonstrates.
Remediation: Install and configure hardware firewall appliance.
Cost/Priority: High-Priority. Included in above Managed Security Services.
SITUATION: The firm is practicing poor password hygiene. It’s reusing simple passwords on multiple sites.
Risk: Easy to hack (80% of all hacking related breaches involved compromised and/or weak passwords); potential HIPAA violation (164.308(a) (5)(ii)(D)).
Remediation: Signup for an enterprise password manager and change passwords to call websites/applications.
Cost/Priority: High-Priority. $300/ User/Year for hardware token plus enterprise password management. Real- Firm has five users so the cost would be $ 1,500 per year.
SITUATION: RealFirm is not using multi-factor authentication everywhere possible.
Risk: Easy to hack; potential HIPAA violation.
Remediation/Cost/Priority: High-Priority. Included with most cloud service providers. Custom software or server-based application may need additional software licenses that range in cost but are around $9/User/ Month.
Of course, no cybersecurity plan is foolproof, as the recent hack of 100 million Capital One customers demonstrates.
The combined cost of getting Real- Firm to compliance could be around $20,000 a year. But without these fixes, RealFirm is ripe for a cyber-attack that could cost as much as $300,000 per client and damage to its reputation that could lead to its demise. This also does not include potential fines for HIPAA violations from the Office of Civil Rights. Craig A. Petronella
