Cybersecurity Best Practices

Cybercriminals continue to target businesses of all sizes by launching cyberattacks and phishing campaigns in order to exploit us at a potential time of weakness. There have been warnings issued by government agencies related to cybercriminals targeting businesses that are turning on remote access to their systems to help with business continuity. Remote access is a very powerful tool but, if not implemented correctly, may result in a cyber or ransomware attack against the business. As more businesses continue to utilize a remote workforce, the improper configuration of these remote access systems can be an easy way for cybercriminals to attack.

Please follow these best practices:

- Unless your IT resources clearly understand the risks associated with using Remote Desktop Protocol (RDP), do not allow them to install it. RDP is a highly exploitable technology that is a primary target of cybercriminals.
- Utilize remote-control software that allows you to "log in" to a computer at your office. It is imperative that you use the "Pro" or "Business" versions, NOT the free versions.
- Make sure the remote-control software utilizes Multi-Factor Authentication (MFA), which makes it more difficult for a cybercriminal to hack into your system. MFA sends a text message to your cell phone, or uses an app on your phone, to authenticate your login.

Passwords

- Enforce a strong password policy:
  - Age (number of days a password can be used before it must be changed)
  - Complexity (strong passwords that incorporate multiple words, numbers and special characters for authentication to the remote-control software)
- Use strong passwords on all remote and host computers. The key to a strong password is length; use a mix of letters (upper and lower case), numbers, and symbols, with no ties to your personal information and no dictionary words.
- Never share your password with anyone.
- Avoid using similar passwords across multiple accounts and services.

Keep Work and Personal Separate

- Do not check personal email on a work computer.
- Do not conduct personal matters over work email.
- When sending confidential or personal information (ePHI, PII, NPI), utilize an encrypted email solution.
- If you are using a VPN, make sure your IT vendor has updated all the VPN software. As of just a few months ago, many VPNs had vulnerabilities that could allow a breach to occur.
- Make sure all remote computers are running the latest versions of Windows 10 or macOS.
- Make sure all remote computers have anti-virus software installed and the virus definitions are up to date.

Links and Attachments

- Never click unfamiliar links or download unfamiliar attachments.
- Never click "unsubscribe" in spam emails; the link may lead to malicious programs.
- If unsure whether links or attachments are legitimate, use another method (telephone call or text) to contact the sender and verify.

Spam Filters and Anti-Virus Software

- Make sure to enable spam filters.
- Run malware and anti-virus software.

Wi-Fi

- For Wi-Fi enabled devices, use the strongest encryption protocol available. WPA3 is the newest. At a minimum, you should be using WPA2.
- Avoid using public or unsecured Wi-Fi sources.

Working Remotely

- Do not allow family members to access any device that is used to remote into a work computer.
- Make sure you lock the computer before you walk away from it. On a Windows computer, this can be done by pressing the "Windows" key and the letter "L" at the same time.


Data Backup

- Confirm that 100% of your data is, in fact, being backed up.
- Before you leave the office, make a backup of ALL your data. This includes imaging, patient databases, attachments, financial systems, images, etc. This backup should be saved to an encrypted external hard drive that is stored offsite.
- Confirm that all your Cloud data backups are up to date and all your systems are being backed up.

Phishing Attacks/Social Engineering

Cybercriminals continue to leverage the COVID-19 crisis (now related to vaccines) as a methodology to attack systems. Be extremely careful when receiving any emails related to COVID-19. These phishing emails are designed to lure you into clicking on links or attachments that may seem relevant to the current situation.

Signs of a COVID-19 phishing email may include:

- A link to a fake government or state agency designed to look real
- A link to a government or state agency with a legitimate name, but a fake hyperlink
- A warning to download a document related to COVID-19
- A link to a hospital or other healthcare institution

Be extremely careful regarding these types of emails and always use the link hovering technique to verify the final destination. Place your mouse over the link or image, look at the bottom left corner of your screen and validate the URL (web address).
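The "legitimate name, but a fake hyperlink" sign can also be checked automatically, which is useful when reviewing a suspicious message or building awareness-training material. The Python script below is an added example, not part of the original guidance: it parses a constructed HTML email body and flags every link whose visible text names one domain while the actual href points to a different one (the domains and the sample message are made up; `.example` and `.test` are reserved names).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# A domain-looking string inside the visible link text (e.g. www.agency.example).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample: link 1 displays an agency URL but points to a look-alike
# host; link 2 displays plain words; link 3 displays the domain it really goes to.
SAMPLE_EMAIL = """
<p>Update: <a href="https://health-agency.example.login-update.test/covid-19">
https://www.health-agency.example/covid-19</a></p>
<p>More at <a href="https://www.health-agency.example/covid-19">the agency website</a></p>
<p>Or <a href="https://www.health-agency.example/covid-19">www.health-agency.example</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def registrable(host):
    """Compare on the last two labels; a rough stand-in for the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_deceptive_links(html):
    """Return (text, href) pairs whose displayed domain differs from the real one."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        shown = DOMAIN_RE.search(text)
        real_host = urlparse(href).hostname or ""
        # Links with no domain in their visible text make no claim to check.
        if shown and registrable(shown.group(1)) != registrable(real_host):
            flagged.append((text, href))
    return flagged
```

Running `find_deceptive_links(SAMPLE_EMAIL)` returns only the first link, whose displayed `www.health-agency.example` address really resolves to a host under `login-update.test`.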

Other

- Correctly configure MX, DMARC, DKIM and SPF/TXT records for your domain.
- Provide those end users whose job function requires them to send confidential information (ePHI, PII, NPI) with an encrypted email solution.
- Implement vulnerability management.
- Conduct annual cybersecurity awareness training.
- Perform periodic (at least annual) reviews of all active accounts to ensure that accounts which should not be active are disabled.

Follow your email provider's security best practices:

- Microsoft 365 Security Best Practices: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide
- Microsoft 365 Security Center: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center?view=o365-worldwide
- G-Suite Security Center: https://support.google.com/a/answer/9184226?hl=en and https://gsuite.google.com/products/admin/security-center/
