Posts Tagged with security

posted by adgrooms on June 18, 2019

Encouraging and enforcing secure passwords is an ongoing challenge for any organization. In healthcare, patient data is a valuable target. The easiest, cheapest, and lowest risk hack is to guess a password. It happened to Mark Zuckerberg in 2016. There is no easy, perfect answer. So what can help?

Brute force attacks are a common form of password attack. An automated program tries passwords by trial and error, running through every possible combination of characters. Rather than starting from random characters, it is often faster to try common passwords and dictionary words first, and attackers draw on resources such as lists of compromised passwords and common words. The longer and more random-looking the password, the harder it is for a password cracking program to find the right combination. Including numbers and special characters expands the number of possible combinations and makes brute-force guessing harder still.

These attacks succeed because most passwords are short, easy to guess, or both. A password needs to be personal and meaningful to its owner, yet difficult for anyone else to guess. The usual approach is to pick a combination of significant names and dates. There is a simple trick that builds on the psychology of password selection. To help users create a password that is easier to remember but harder to guess, share this method and make it fun. Choose a long phrase that is meaningful to you: song lyrics, a line from a movie, or a favorite poem. Use the first character (or two or three) of each word in the phrase, for example "When you eat pickles, don't get your hand caught inside the jar" (but don't use that one, it's mine ;-)). Then decide on a character substitution that is easy for you to remember. Common substitutions like the number zero for the letter 'O' are already in the lists hackers try; you can foil this by making your own meaningful substitution, for example the number zero for the letter 'Z', because they both start with 'Z'.
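As an added example (not code from the original post), this Python script implements the phrase-to-password method just described and compares the brute-force search space of the result with a short dictionary-style password, covering the keyspace point from the brute-force paragraph as well. The phrase, the substitution map and the common-password list are all constructed for the illustration.

```python
import math
import string

# Constructed example phrase (the post's own phrase is deliberately not reused).
PHRASE = "Four score and seven years ago our fathers brought forth a new nation"

# The user's own substitution rule, as the post suggests. Assumption: these are
# private choices, unlike the well-known 0-for-O swap that cracking wordlists
# already include.
SUBSTITUTIONS = {"s": "$", "z": "0"}

# Constructed stand-in for the "common passwords" lists crackers try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "pickles"}

def mnemonic_password(phrase, chars_per_word=1, substitutions=SUBSTITUTIONS):
    """Keep the first chars_per_word letters of each word, then apply the
    user's substitutions; original letter case is preserved."""
    raw = "".join(word[:chars_per_word] for word in phrase.split())
    return "".join(substitutions.get(c.lower(), c) for c in raw)

def charset_size(password):
    """Size of the alphabet a brute-force search must cover, judged by which
    character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def brute_force_bits(password):
    """log2 of the exhaustive search space. This is an upper bound that only
    holds when the password is not in a wordlist and the phrase is unknown."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def guessable(password):
    """True if a cracker's wordlist would find it before brute force starts."""
    return password.lower() in COMMON_PASSWORDS

if __name__ == "__main__":
    for pw in ("password", mnemonic_password(PHRASE), mnemonic_password(PHRASE, 2)):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, in wordlist: {guessable(pw)}")
```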

Using the same password for different accounts is unsafe. Did you read that linked article about Zuckerberg? Oh yes, it does happen. The above method helps users create a better variety of memorable passwords, but if you have a lot of passwords to remember, a password manager can help. All passwords are stored securely; you just have to create and remember one really, really good (and memorable) master password.

One last thing that helps: The National Institute of Standards and Technology recommends ending policies of changing your password every month. The practice of requiring scheduled password changes leads to using less secure passwords. Users' response has been to change one character of a base password, keeping it easy to remember and meeting the bare minimum requirement to change. Bad actors know that this is a common practice. If a password is compromised and changed, a similar password is an easy target to obtain access again.
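The reason forced rotation backfires is that it produces near-duplicates, so a useful check at password-change time (when the user presents both the old and the new password) is to reject a new password that is a trivial edit of the old one. This is an added example, not code from the post; the distance threshold, minimum length and the "Summer2019!"-style sample values are assumptions.

```python
def edit_distance(a, b):
    """Levenshtein distance: the fewest single-character insertions, deletions
    or substitutions that turn a into b (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def strip_counter(password):
    """Drop a trailing symbol and a trailing run of digits, so the base word of
    'Summer2019!' compares equal to that of its incremented variant."""
    return password.rstrip("!@#$%^&*.").rstrip("0123456789")

def too_similar(old, new, min_distance=4):
    """True when the new password is a trivial edit of the old one: a small
    edit distance, or the same base word with a different counter or suffix.
    Case is ignored because users often flip it just to satisfy a checker."""
    old_l, new_l = old.lower(), new.lower()
    if edit_distance(old_l, new_l) < min_distance:
        return True
    base_old, base_new = strip_counter(old_l), strip_counter(new_l)
    return bool(base_old) and base_old == base_new

def check_password_change(old, new, min_length=12):
    """Return the reasons to reject the change; an empty list means accepted.
    Assumption: length and similarity are the only policy rules enforced here."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if new.lower() == old.lower():
        reasons.append("same as the current password")
    elif too_similar(old, new):
        reasons.append("too similar to the current password")
    return reasons

if __name__ == "__main__":
    for old, new in (("Summer2019!", "Summer2020!"), ("Summer2019!", "F$a$yaofbfann")):
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```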

The best way to combat hackers is awareness and education. Understanding user friction and creating smoother and more fun solutions eases the burden for the security team and everyone else.

posted by adgrooms on June 12, 2019

Ransomware is in the news again after a weeks-long ordeal for the city of Baltimore. Healthcare is another favorite target. In cities and health systems alike, access to data is vital to operations. Attacks are growing in number and becoming more sophisticated. The FBI reported that healthcare lost $4.5 million across 337 victims in 2018, and the cost could be even higher if patient data was also stolen for exploitation. What is ransomware, how can an attack be avoided, and how can it be dealt with effectively?

Ransomware is a type of malware that prevents users from accessing data, usually by encrypting the data. The hacker demands a fee to restore access. However, there is no guarantee that the attacker can or will restore access once payment is made. Bad actors apply this technique wherever they can, to any industry and even personal systems. Unfortunately, these bad actors have realized that data lockouts create dangerous and life-threatening conditions when applied to critical systems in healthcare. This urgency can motivate an unprepared health system to comply in order to protect patients.

Ransomware spreads like a virus, but it needs a person to run the malicious code that locks the system. Phishing and drive-by downloads are two common ways to spread it. Phishing deceives a person into running a malicious program with a legitimate-looking email. Drive-by downloads either trick a person into running a malicious program from a website or secretly download and run a program while the person visits a site. All healthcare employees should be extensively trained on how to spot malicious emails and suspicious links, and regular security meetings should be held to remind and update employees on the latest tricks and traps.

The best overall tactic in security is to make yourself a difficult and undesirable target. You want to become not worth the effort: either the value is too low or the cost is too high. The best defense against ransomware is a disaster recovery plan. With a solid disaster recovery plan in place, ransomware is neutralized. Attackers can go to the trouble of getting in and locking your data up, but you'll sidestep the attack and resume operations. It may cost some time to restore data and systems, but showing yourself as able to recover and unwilling to negotiate will deter future efforts. A good disaster recovery plan should be in place at any medical institution.

The only perfect security is no access at all. If authorized individuals can access a system, then motivated unauthorized individuals can find a way in. Vigilance from all employees is the first line of defense, and quick recovery depends on good planning.

posted by adgrooms on June 3, 2019

With the digital transformation of healthcare, everyone is using more software systems and apps, each one requiring a secure password. A password is supposed to be long, complex, and never reused. Creating and remembering many passwords that meet those guidelines can be a challenge. Password management software can help generate and store complex passwords and is more secure than other methods like writing down passwords or reusing a handful of secure passwords. A Pew Research Center report found that most people memorize passwords and relatively few use password managers. The reasons for this are unclear. Let's look at whether mistrust of password managers is a well-founded reason.

To get into a password management system you are usually required to have a master password. Password managers have very good encryption and cryptography to keep out hackers trying to crack the system, but if a hacker gets a hold of the master password, then they have access to ALL of the user's passwords. With a password manager, it is important to choose a very secure master password.

One vulnerability is the ability to retrieve your master password if it is forgotten. This allows for hints to help remember the master password, or even a password reset email to be sent to the user. This makes it easier for a hacker to obtain the master password, especially if they already have access to the user's email. A secure password management system should have no retrieval available, and the master password should be complex, but memorable.

Another potential vulnerability: if a malicious person has access to a target device, they could install a keylogger to capture the master password as it is entered. A good prevention method is to make sure the password manager has two-factor authentication, which requires a code generated and sent to a second device to be entered for access. The keylogger still captures the master password, but that password is no longer enough on its own.

The HIPAA password policy does not specifically mention password management software, but most experts believe that using a password manager is the best way to achieve compliance. Nothing is 100% safe, but a properly used password manager can be an effective way to combat medical data thieves.

posted by adgrooms on May 30, 2019

We have recently looked at the risk of phishing scams in healthcare and how to avoid them. We have seen that the number of patient data breaches has reached one per day in 2018. But why do hackers continue the relentless attacks on healthcare institutions? What are the hackers after? What reward do they receive?

Patient records are incredibly valuable as far as stolen data goes. A patient data record carries a potential wealth of information. A single patient record could contain a driver's license number, credit card numbers, insurance information, and all of the individual's collected medical data.

Once a hacker obtains the data, they can sell it in blocks to other criminals. The information can be purchased and used many times over. For example, a criminal can augment the information into false credentials to sell, or divide it up and sell it as individual driver's licenses, Social Security numbers, and insurance cards. At any point in these sales, the information can also be used for other criminal activities.

From the personal identification information (Social Security number, driver's license, date of birth), a medical record can be used for identity theft. From insurance card numbers and personal health information, it can be used for health insurance fraud: filing and receiving payment for false claims. The personal health information can also be used to purchase medical equipment, drugs, and even medical procedures.

While a stolen credit card carries an immediate payoff, mechanisms are in place to quickly discover abuse and shut it down. There is no protection mechanism for health data comparable to the protections on credit cards, and there is no limit on the number of times it can be sold and used. The damage to victims of healthcare identity theft can be far-reaching and last for years.

The high value of medical data and the large number of records amassed in health systems will perpetuate the threat of hacking for medical institutions into the foreseeable future. The threats will continue, but the precautions are relatively simple. The key to security is to make access so difficult as to be not worthwhile. We can go a long way toward accomplishing this by remaining informed and vigilant against phishing and keeping passwords secure.

posted by adgrooms on May 28, 2019

Stealing and exposing patient data is, unfortunately, a lucrative activity. Hackers are relentlessly looking for vulnerabilities in institutions that amass personal health data. In 2018 there were 365 data breaches involving patient data; that is one per day! In addition to the personal costs to the individuals who are compromised, data breaches are expensive for the institutions. In 2018, healthcare systems paid out over 28 million in HIPAA fines and penalties.

Although hospital IT departments do a great job of thwarting attacks, having a secure, single-user login is the last line of defense before a breach happens. Hospital systems are increasingly interconnected, and one piece of software treated with lax security could jeopardize the whole organization.

It might not seem like a big deal to share a password among colleagues, especially if there is a rotating staff. It can seem like an administrative efficiency; instead of having to add and remove user accounts periodically, just give the login to new staff. In a trusting environment of medical professionals, it may seem highly unlikely that this practice would lead to a problem, but it does increase exposure to hackers in several ways.

First of all, the distribution of a shared login creates opportunities for hackers. If a password is emailed or sent as part of onboarding materials to temporary team members, it can be more easily stolen. Lack of accountability gives a user less incentive to keep the shared login as secure as possible. Use of a login that has been passed around may cause users to save the password insecurely on their computer desktop or a similarly convenient location for easy access. If the password storage device does not have a secure password itself, it can be an easy win for a hacker.

Another problem is that shared passwords are rarely changed. Those who use shared logins typically hand out the same password over a long period of time. The more people a login is handed to, the more important it is to change the password from time to time in case it is mishandled or ends up compromised. However, changing a password and notifying all users is inefficient and could cause a lapse in access for anyone who doesn't receive the notification.

Shared logins also prevent an IT team from tracing the source of a security breach quickly. In the event that a breach occurs, time plays a role in the effectiveness of containment. Single user logins give an easier path to find the attack and shut it down to limit the damage. Many IT departments have policies against shared logins for this reason.
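One way for an IT team to surface shared logins before a breach forces the question is to look for a single account authenticating from several hosts within a short window. This is an added example, not code from the post; the log format, account names, addresses and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's login audit log (not real data).
SAMPLE_LOG = """\
2019-05-28T07:58:03 login user=ward3_shared src=10.0.4.21 result=success
2019-05-28T08:02:11 login user=ward3_shared src=10.0.4.37 result=success
2019-05-28T08:05:40 login user=jsmith src=10.0.7.12 result=success
2019-05-28T08:14:52 login user=ward3_shared src=10.0.9.200 result=success
2019-05-28T08:20:09 login user=jsmith src=10.0.7.12 result=failure
2019-05-28T09:30:00 login user=ward3_shared src=10.0.4.21 result=success
2019-05-28T11:45:17 login user=rlee src=10.0.2.5 result=success
2019-05-28T12:01:17 login user=rlee src=10.0.2.88 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse(lines):
    """Return (timestamp, user, source, result) for each well-formed log line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # skip anything that is not a login record
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events

def shared_login_candidates(lines, window=timedelta(minutes=30), min_sources=3):
    """Flag accounts with successful logins from at least min_sources distinct
    hosts inside any `window`. Returns {user: sorted sources in the first such window}."""
    by_user = defaultdict(list)
    for ts, user, src, result in parse(lines):
        if result == "success":
            by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            sources = {src for ts, src in logins[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged

if __name__ == "__main__":
    for user, sources in shared_login_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: logins from {len(sources)} hosts within 30 min: {', '.join(sources)}")
```

Failed logins are deliberately ignored so that a typo from one desk does not count as a second host.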

Passwords are highly prized targets for hackers. Not exercising the highest level of security practices in healthcare can lead to compromising patient data. How can we encourage or make it easier for users to never share a login and to change their password regularly?