Password Protected

Mar 08, 2018 at 05:22 pm by Staff

Simple Steps to Enhance Cybersecurity

From U.S. elections to national healthcare providers and payers, the news is filled with examples of massive organizations with massive IT departments that still got hacked. So how do much smaller healthcare companies and medical practices avoid the same fate?

Scott Augenbaum, who recently retired after 29 years with the Federal Bureau of Investigation, said there is any number of best practices ... most of which cost little or nothing ... that healthcare practices should put in place to maximize protection.

"I've dealt with thousands of cybercrimes in my career," noted Augenbaum, who spent the last 14 years working exclusively in this arena. "When a large healthcare organization has an issue, they are able to throw a lot of money at the problem ... but not the smaller companies, and when the smaller companies have a breach, it can be devastating."

First, the Bad News

He added most healthcare practices that are victims of cybercrime have five points in common:

  • They believe they are too small to attract the attention of cyberthieves. Augenbaum noted, "Nobody ever expects to be a victim." He added that many healthcare providers believe larger health systems or insurers are at greater risk than a small practice or payer ... but security is often easier to breach at smaller organizations.
  • They don't think they have anything of value to hackers. "I don't hear this as much in the practices but do from insurers and consultants. Even without patient records, they have financial records and emails," he noted.
  • A mistaken belief that law enforcement can fix it. "When the bad guys steal your stuff and you call law enforcement, law enforcement doesn't get your stuff back," he said of the impossibility of recovering data after it's gone.
  • "The chances of us putting the bad guys in jail are tougher than getting your stuff back," he said, adding that most bad actors are overseas.
  • While points one through four are depressing, Augenbaum said the last common trait is the hardest for him. "Why does it make me depressed? Because 90-95 percent of what I have dealt with could have been prevented without spending money on technical solutions."

Some (Slightly) Better News

While companies buy a lot of tech products that are supposed to keep them safe, there is no real silver bullet, cautioned Augenbaum. "People are now HIPAA compliant, HITRUST compliant, PCI compliant ... but being compliant is completely different than being secure."

Scott Augenbaum

He continued, "Most organizations are not doing the basic things ... they're not doing the fundamentals. All the bad guys need to do today is steal your password - that's it. It really comes down to securing that password."

The ways to steal passwords vary and are becoming more sophisticated. A practice administrator might receive an email that appears to be from someone they know and trust that has a document, usually in a PDF format, to be accessed. To look at it, the person must log in with their Microsoft 365 credential. "They enter it and nothing happens," said Augenbaum. Instead, a pop-up appears saying that didn't work so please enter Gmail credentials to access. "Now a bad guy sitting in Africa has both your Microsoft 365 and your Gmail credentials."

Since most people use the same password or slight variation of a password for everything, having that information realistically opens the entire organization to the hackers. But ... here's the good news ... it's relatively easy to avoid catastrophe.

First, said Augenbaum, "You need to be your own human firewall. Think before you click." Second, he continued, "Have separate passwords for mission critical platforms - anything bad guys can use to weaponize against you." Create a strong password (see below), use two-factor authentication, and back up the most important information you have so that if ransomware is deployed, you have a copy of your critical information. Those five steps, he continued, cost almost nothing but go a long way in protecting a medical practice or healthcare company.

Password Protected

So what does a strong password look like? Augenbaum said, for starters, it isn't a common word. "A good password is 12 characters, upper/lowercase, has a special symbol and number with no dictionary words," he explained.

To come up with a great, seemingly random password, think in terms of 'pass phrases' with a hint that can be written down without tipping off the password to a random viewer.

For example, your hint might be 'my child's latest accolade.' The actual phrase from which the password is derived is: 'Tommy came in first at the state swim meet in backstroke.' And, the actual password is: Tci1@Tssmib!

Another option is to pick a special number and character that you use at the beginning and end of most passwords and just change the center part. Perhaps you always use the number four and the # symbol. Your hint is how you feel about your patients. Your actual pass phrase is 'We love helping our patients feel great,' and your password is #4wLhopfG4#.

The idea, he continued, is to create hints and phrases that mean something to you but would be difficult for anyone else to decipher. Taking a few simple, inexpensive steps, Augenbaum concluded, can certainly avoid a lot of time, effort, heartache and money by making it much harder for cyberthieves.

More Simple Steps to Improve Security

With March Madness in the air, retired FBI agent Scott Augenbaum shared his own 'Sweet 16' when it comes to a winning cybersecurity strategy.

  1. Think before you click on a link or open an attachment, become a human firewall and question every email.
  2. Intrusion Detection Systems are a must but they will not stop everything as virus writers write in excess of 50,000 new viruses a day.
  3. Separate passwords for mission critical accounts.
  4. Strong passwords need to be longer than twelve characters in length with capital and lower case letters, numbers and a special symbol and NO dictionary words. Think passphrase instead of password.
  5. Updated operating systems are a must, as Microsoft doesn't support XP anymore.
  6. Patch your system, Microsoft updates, java and adobe.
  7. Multifactor authentication is a must on Facebook, LinkedIn, Outlook 365, Gmail, LogMeIn, VPNs and financial accounts when offered.
  8. Consider a separate computer for critical business functions. If you can access your client records on a computer that is used for Facebook and personal web surfing you are putting yourself at risk. If you are gaining remote access to your company and you are using a home computer that you share with your kids, you are putting your organization at great risk.
  9. Do not surf the Internet as the Administrator on a computer. If you purchase a computer and you are the only user, chances are you are the administrator. Go to the control panel and create a new profile and give it administrator access and change your profile to regular user.
  10. Back up your mission critical files on a daily basis. There have been numerous cases of ransomware that turns a company's critical data into useless information unless you send $500 in bitcoin to a bad guy in Eastern Europe.
  11. Have a plan for your organization,
  12. Practice smart online banking
  13. Don't store your password in the browser; it's the same as leaving your keys in the car for ease and convenience.
  14. If you can access your information in the cloud and all you have is a password, be prepared for the info to be stolen. Use multifactor.
  15. Once the bad guys get your stuff ... it's usually too late.
  16. You need to have a strong password for your smart phone and if you are using an Android, consider an intrusion security suite.

Learn More at AAHAM

Scott Augenbaum is one of the expert speakers slated fro the upcoming American Association of Healthcare Administrative Management one-day educational meeting in Nashville.

The Music City AAHAM 2018 Conference is set for April 18 at the Envision Conference Center in Brentwood. For more information, go online to and click on the Events section.

Sections: Business/Tech