Last year, the U.S. Office of Personnel Management (OPM) database of personal information was breached by hackers. The compromised data contained valuable personal information such as names, addresses, social security numbers, health histories, employment histories, and much more, affecting over 21 million federal employees. Even the fingerprints of over 5 million federal employees were exposed. The stolen information was referred to as “an espionage goldmine” with potential consequences for national security. How could this possibly happen in the U.S.?
Here's How the Hackers Get In
One theory is “social engineering”: psychological manipulation that tricks people into revealing their passwords, rather than any technical attack on the system itself. Many schemes have been developed by those wishing to access protected information through the simple process of tricking people into giving up their credentials. It is not a matter of complex technical knowledge, but a reliance on the trusting (gullible) nature of good-natured individuals. A former computer criminal who later became a security consultant has stated, “…that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.”
While there are many methods of authentication, passwords in some form are the most common method used by virtually everyone in relation to computer systems. The HIPAA privacy and security regulations have specific administrative, physical, and technical safeguard requirements. One of the administrative requirements is an addressable implementation specification for password management. In other words, covered entities (CEs) under the HIPAA privacy and security regulations must have addressed “procedures for creating, changing, and safeguarding passwords.” Additionally, every CE must have policies and implementation procedures in place to “...train all users and establish guidelines for creating passwords and changing them during periodic change cycles,” according to guidance material from the Department of Health & Human Services.
Construction of Passwords
It is true that criminals have become more and more adept at cracking passwords built on predictable patterns, because modern cracking software tries common words, substitutions, and appended digits automatically. Every effort should still be made to have strong passwords. Suggestions considered effective by security experts include the following:
- Passwords should be long. Best practices suggest a minimum of 12 characters.
- Use randomly chosen words. The random element defeats the pattern-based guessing that cracking tools rely on.
- Use a mix of numbers, symbols, upper case letters, and lower case letters.
- Avoid a single dictionary word or a combination of words that makes sense as a phrase. For example, “bright red rose” is not a strong password. A random word string such as “flavor roof wrench fish” is better.
- Do not rely on obvious substitutions such as the number “0” for the letter “o”; cracking tools undo these automatically.
- Use a method of password construction, e.g. use the first two letters of each word of an easily recalled sentence, then change characters to include symbols and numbers that are not obvious.
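The following Python script, added here as an illustration and not part of the original LAMMICO article, puts the suggestions above into practice: it generates a random multi-word passphrase with the operating system's cryptographic random source, estimates how many bits of guessing work such a passphrase represents, and checks a candidate password against the weak patterns listed (too short, a single dictionary word, or a dictionary word dressed up with obvious substitutions). The word list and the list of common passwords are constructed for the example; a real deployment would load a large published word list and a breached-password list.

```python
import math
import re
import secrets

# Constructed sample word list for this example. A real generator loads a
# large published list (e.g. the EFF long list, 7,776 words). Entropy per word
# is log2(list size), so the size of the list matters more than the words.
WORDLIST = [
    "flavor", "roof", "wrench", "fish", "bright", "red", "rose", "anchor",
    "copper", "glacier", "lantern", "meadow", "orbit", "pepper", "quartz",
    "ribbon", "saddle", "timber", "velvet", "walnut", "yonder", "zephyr",
    "basket", "canyon", "dune", "ember", "fossil", "garnet", "harbor", "ivory",
]

# Words attackers try first (constructed; a real check uses a breach list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"} | set(WORDLIST)

# Substitutions that cracking rules reverse automatically ("Passw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def generate_passphrase(n_words=4, wordlist=WORDLIST, sep=" "):
    """Random passphrase using the OS CSPRNG (secrets), never random.random."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Guessing entropy of n words chosen uniformly from a list: n * log2(size).
    Four words from a 7,776-word list give about 52 bits."""
    return n_words * math.log2(wordlist_size)


def check_password(pw, min_len=12):
    """Return the list of weak-pattern problems found in pw.
    An empty list means none of these checks fired; it does not prove
    strength (the check cannot tell that "bright red rose" is a sensible phrase)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = pw.lower()
    # Two views of the password: with digits/symbols dropped ("password123"),
    # and with obvious substitutions undone ("p@ssw0rd"). Either may be a word.
    candidates = {
        re.sub(r"[^a-z]", "", lowered),
        re.sub(r"[^a-z]", "", lowered.translate(LEET)),
    }
    hit = next((c for c in sorted(candidates) if c in COMMON_WORDS), None)
    if hit is not None:
        if hit == lowered:
            problems.append(f"single dictionary word: {hit!r}")
        else:
            problems.append(f"dictionary word with obvious substitutions or padding: {hit!r}")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", round(passphrase_entropy_bits(4, len(WORDLIST)), 1), "bits from this small list")
    for candidate in ["Passw0rd!", "password", "bright red rose", phrase]:
        print(repr(candidate), check_password(candidate) or "no weak pattern found")
```

The entropy figure is the honest measure of a passphrase: it counts only what the attacker has to guess, which is why a short list of a few dozen words (under 20 bits for four words) is not a substitute for a list of thousands.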
Password Protection in the Medical Office
The Department of Health & Human Services (HHS) suggests the following questions should be considered:
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory?
- Are common sense precautions taken, such as not writing passwords down and not leaving them in areas that are visible or accessible to others?
Email is one of the most common ways attackers obtain passwords from individuals. An email or other electronic communication may appear to come from a trusted source, e.g. a bank, Facebook, Google, PayPal or others, but the message is actually a method of obtaining information. This type of attack is known as phishing, which is “…a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.”
To avoid falling victim to hackers, any request for a password or for a password “reset” should be given careful scrutiny. Further precautions include:
- Using a different password for each website or system. One survey found that 55 percent of people reuse the same password across websites. If one password is compromised, every site that shares it is exposed.
- Using a password manager. There are many available and easy-to-use password managers, which make the necessary job of handling and remembering multiple random passwords much easier.
- Changing passwords on a planned, scheduled basis, and immediately whenever compromise is suspected. This is most easily done with a password manager.
- Strengthening password log-ins with two-factor authentication (2FA) wherever it is offered. This provides far more security than a well-constructed password alone, because a thief who knows the password still cannot log in. A typical example is a log-in with ID and password (the first factor) followed by a one-time code delivered separately to a smart phone (the second factor). The two factors are often described as “something you know” (the password) and “something you have” (the phone).
- Do not store passwords on mobile devices due to potential access or loss.
- Do not share passwords with others.
The CE policies required by the HIPAA regulations should address these elements and others as deemed necessary based on particular CE environments.
Hackers Want Your Health Information
Some estimates put the black-market value of protected health information at 10 times that of credit card numbers. As electronic systems and electronic communications in medicine increase, so do attempts to breach those systems, because protected health information is so valuable. Protection of individually identifiable health information is required by the HIPAA privacy and security regulations ‒ and every office should be prepared.
As always, preparation should include policies, documentation of the required risk assessments, and, as those assessments dictate, the necessary authentication measures such as passwords and other authentication methods.
For more information on medical-specific hacking techniques and proactive privacy protection, read other articles from LAMMICO:
- Whale Phishing, Meatware & Medjacking
- Ransomware: Protect Your Practice Now or Be Prepared to Pay Up
- Protect Your Practice from an IT Security Breach
- Avoiding Electronic Health Record Hazards
- Top Three Ways to Prevent Patient-Employee Privacy Breaches
- If Your Devices Can Access PHI, Patient Privacy May be at Risk
- HIPAA and Hurricanes
LAMMICO includes Medefense™ Plus/Cyber Liability insurance in most policies to protect you against these threats. However, the option to purchase higher limits of protection through our subsidiary agency, Elatas Risk Partners, is available. To increase your Cyber Liability and Medefense coverage limits, contact an Elatas Risk Partners representative at 800.331.5777 or www.elatas.com/contact today for a thorough review of your options.