Passwords make doctors vulnerable, but solutions are easy
Strengthening the log-in credentials on your practice computer systems can go a long way toward reducing the risk of online hackers stealing information.
By Pamela Lewis Dolan — Posted Nov. 12, 2012
Using the word “password” — or something else simple to remember — for your actual computer password might be an easy way to remember your login credentials. But it could be the biggest thing making your computer system vulnerable to hackers.
A recent report by Verizon that looked at cyber attacks on health care organizations in 2011 and 2012 found that 72% of them were caused by hackers guessing, or using automated systems to guess, the passwords and other credentials that allowed them access to computer systems.
Practices are required under the Health Insurance Portability and Accountability Act and meaningful use rules to perform security assessments. Those assessments are a great way to develop a baseline and identify areas for improvement, such as strengthening passwords, said Brian Lapidus, senior vice president of Kroll Advisory Solutions, a security response and mitigation firm. Many practices overlook simple things like password security because they are too focused on the big issues, and on protecting health information while overlooking their other assets, said Jay Jacobs, managing principal for the Verizon RISK team, which investigates breaches of Verizon's enterprise clients.
But password security doesn't have to be part of an overall assessment. It can start by checking — right now — whether passwords are strong, where they are used and how they are stored if someone forgets one.
Verizon published an in-depth, industry-specific report in October looking at cybercrimes based on its 2011 and 2012 Data Breach Investigations Reports. It found that breaches in the health care sector represented 7% of the breaches used for Verizon's 2012 report, up from 1% in the 2011 report. Most of the breaches were at organizations with fewer than 100 employees. These small practices are considered by hackers to be easy targets not only because of their lack of basic security systems, such as firewalls, but also because of a lack of zero-cost security measures such as hard-to-guess passwords.
While the chances of being attacked by a hacker might be small, the chance that a successful attack would cause a large amount of hassle, financial costs and patient ill will for a practice is very high, analysts said. For example, Michigan-based Ponemon Institute's annual “U.S. Cost of Data Breach Study” found that the average organizational cost per breached record was $194 in 2011.
In many cases, the hacking comes from people who use automatic systems that try to guess passwords without tripping any systems that would lock out a user after a certain number of tries. SplashData, a mobile technology vendor that develops productivity tools including password management systems, produces an annual list of the top 25 most common hacked passwords. Topping the list, compiled using files of stolen passwords posted online by hackers, for the second year in a row were “password,” “123456,” and “12345678.” Paranoia doesn't automatically make a password secure: No. 12 on the list was “trustno1.”
What makes a password secure
Experts say good, secure passwords should be at least eight characters long and use a combination of letters and symbols. Suggestions include using short phrases with underscores in place of spaces between words, such as “see_spot_run.”
Brian Gay, director of Think First Consulting in Danvers, Mass., suggests coming up with an easy-to-recall phrase, then using the first letter of each word in the phrase as the password while replacing a letter or two with a symbol to increase the complexity. For example, “my favorite food to eat is pizza” becomes “mff2e!p.”
Robert Siciliano, an online security expert for McAfee, said passwords also can be created by using the keyboard as a palette to create shapes. For example, if you start with the “%” key and follow it in the shape of a V, you have “%tgbhu8*.”
Ryan Permeh, chief technology officer for the security firm Cylance, said different passwords should be used for each account requiring login credentials. “Unfortunately, when people reuse passwords to access multiple points, a compromise of one could result in the other,” he said.
Multiple passwords are a lot to remember, and cloud-based password managers can help store them safely. But, Gay warns, those should be used only if the master password is extremely secure.
Siciliano said it's OK to write down passwords as long as they are kept separate from the machines, and it's not made obvious that they are passwords. Or, he said, “tip sheets” can be used to offer clues to the password but not the actual key stroke combination.
Experts also say passwords should not be shared between employees. This makes it harder to determine who was on a system at what time, thus making audits difficult to perform. Plus, a physician loses the ability to revoke access to individuals who leave or are fired, Permeh said.
Also, analysts said all passwords should be changed once every 60 to 90 days.
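The rules this section lays out (minimum length, a letter-and-symbol mix, avoiding the named common passwords, no reuse across accounts, and rotation age) as a small policy checker; this is an added example, not code from the article or from any of the vendors quoted. The blocklist is a constructed stand-in holding only the four passwords the article names, and digits are assumed to count as symbols.

```python
# Password-policy checks built from the rules quoted in the article above.
# Added example, not the article's or any vendor's code. COMMON_PASSWORDS is a
# constructed stand-in for the SplashData list holding only the four entries
# the article names; a real deployment would load the full list.
import string
from datetime import date

MIN_LENGTH = 8        # "at least eight characters long"
MAX_AGE_DAYS = 90     # "changed once every 60 to 90 days"
COMMON_PASSWORDS = {"password", "123456", "12345678", "trustno1"}


def phrase_to_password(phrase, substitutions):
    """Brian Gay's technique: first letter of each word, with chosen words
    swapped for a symbol or digit. {'to': '2', 'is': '!'} reproduces the
    article's example 'mff2e!p'."""
    return "".join(substitutions.get(w, w[0]) for w in phrase.lower().split())


def check_password(candidate):
    """Return the rules the candidate breaks; an empty list means it passes.
    Assumption: digits count as 'symbols' alongside punctuation."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    letters = any(c in string.ascii_letters for c in candidate)
    symbols = any(c in string.punctuation + string.digits for c in candidate)
    if not (letters and symbols):
        problems.append("mix")
    if candidate.lower() in COMMON_PASSWORDS:  # "Password" is no better
        problems.append("common")
    return problems


def find_reused(passwords_by_account):
    """Permeh's rule: map each password used for more than one account
    to the accounts that share it."""
    seen = {}
    for account, pw in passwords_by_account.items():
        seen.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in seen.items() if len(accts) > 1}


def is_expired(last_changed, today):
    """Rotation rule: True once the password is older than MAX_AGE_DAYS."""
    return (today - last_changed).days > MAX_AGE_DAYS
```

Running the article's own examples through `check_password` shows that “see_spot_run” and “%tgbhu8*” pass, while “mff2e!p” is seven characters and fails the eight-character minimum stated above.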
Other steps to safety
The Verizon report found that hackers weren't necessarily targeting organizations because they were health care-related. They were targeted because they were vulnerable, Jacobs said, and because they had financial information or personal information that would help in setting up fraudulent accounts. At 64%, point-of-sale systems were the most frequently targeted, according to the report. The Verizon Data Breach Investigation report includes breaches investigated by Verizon or one of the five other international organizations it partners with to produce the report.
In a physician practice, a point-of-sale system would be any that accepts payments, such as machines connected to credit card skimmers.
Jacobs said the more those systems are exposed to the Internet, the more likely they are to be hacked. Therefore, machines used to process financial information should be limited as much as possible to only that function. But if such machines are at work stations for employees performing other job functions, Internet use should be limited as much as possible, and employees should be trained not to click on random links or plug in thumb drives from unknown sources.
Because many attacks happen through the “back door,” or network server, practices need to ensure that they have good firewalls in place. While no security measure, including firewalls, will protect the practice 100%, it will provide an important layer if a password is guessed.
The Verizon report also recommends talking to contractors about their safeguards. Many small practices get service support from third parties that provide services remotely. The networks need to be set up in a way that contractors can access the systems to do their work — while keeping the hackers out.