By CINDY SANDERS
Simple Steps to Enhance Cybersecurity
From U.S. elections to national healthcare providers and payers, the news is filled with examples of massive organizations with massive IT departments that still got hacked. So how do much smaller healthcare companies and medical practices avoid the same fate?
Scott Augenbaum, who recently retired after 29 years with the Federal Bureau of Investigation, said there are any number of best practices, most of which cost little or nothing, that healthcare practices should put in place to maximize protection.
"I've dealt with thousands of cybercrimes in my career," noted Augenbaum, who spent the last 14 years working exclusively in this arena. "When a large healthcare organization has an issue, they are able to throw a lot of money at the problem ... but not the smaller companies, and when the smaller companies have a breach, it can be devastating."
He added that most healthcare practices that are victims of cybercrime have five points in common:
While companies buy a lot of tech products that are supposed to keep them safe, there is no real silver bullet, cautioned Augenbaum. "People are now HIPAA compliant, HITRUST compliant, PCI compliant ... but being compliant is completely different than being secure."
He continued, "Most organizations are not doing the basic things ... they're not doing the fundamentals. All the bad guys need to do today is steal your password - that's it. It really comes down to securing that password."
The ways to steal passwords vary and are becoming more sophisticated. A practice administrator might receive an email that appears to come from someone they know and trust, with a document, usually a PDF, attached or linked. To view it, the recipient is asked to log in with their Microsoft 365 credentials. "They enter it and nothing happens," said Augenbaum. Instead, a pop-up appears saying the login failed and asking for Gmail credentials to open the document. "Now a bad guy sitting in Africa has both your Microsoft 365 and your Gmail credentials."
Since most people reuse the same password, or a slight variation of it, everywhere, a single stolen credential realistically opens the entire organization to the attackers. The good news is that catastrophe is relatively easy to avoid.
First, said Augenbaum, "You need to be your own human firewall. Think before you click." Second, he continued, "Have separate passwords for mission critical platforms - anything bad guys can use to weaponize against you." Create a strong password (see below), use two-factor authentication, and back up the most important information you have so that if ransomware is deployed, you have a copy of your critical information. Those five steps, he continued, cost almost nothing but go a long way in protecting a medical practice or healthcare company.
So what does a strong password look like? Augenbaum said, for starters, it isn't a common word. "A good password is 12 characters, upper/lowercase, has a special symbol and number with no dictionary words," he explained.
To come up with a great, seemingly random password, think in terms of pass phrases, paired with a hint that can be written down without revealing the password to whoever happens to see it.
For example, your hint might be 'my child's latest accolade.' The actual phrase from which the password is derived is: 'Tommy came in first at the state swim meet in backstroke.' And, the actual password is: Tci1@Tssmib!
Another option is to pick a special number and character that you use at the beginning and end of most passwords and just change the center part. Perhaps you always use the number four and the # symbol. Your hint is how you feel about your patients. Your actual pass phrase is 'We love helping our patients feel great,' and your password is #4wLhopfG4#.
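To make the derivation and the quoted rule concrete, the following is an added example written for this page; it is not Augenbaum's tool or code from the original article. It reproduces both sample passwords from their phrases using the first-letter scheme described above (the specific word substitutions, such as "first" becoming "1" and "at" becoming "@", are read off the article's own examples) and checks any candidate against the stated rule: 12 characters, upper and lower case, a digit, a symbol, and no dictionary words. The word list is a constructed stand-in; a real check would load a full dictionary.

```python
import string

# Rule quoted in the article: at least 12 characters, upper and lower case,
# a digit, a special symbol, and no dictionary words.
MIN_LENGTH = 12

# Constructed stand-in for a real word list (for example /usr/share/dict/words).
# Only words of four or more letters are matched, so the single letters that a
# pass phrase contributes do not trigger false positives.
DICTIONARY = {"password", "tommy", "swim", "love", "patient", "state", "first", "great"}


def derive_password(phrase, prefix="", suffix="", replacements=None):
    """Turn a memorable phrase into a password the way the article describes:
    keep the first letter of each word (case as written), let the user swap
    particular words for a digit, symbol or different-case letter, and wrap the
    result in an optional fixed prefix and suffix."""
    replacements = replacements or {}
    core = []
    for word in phrase.split():
        bare = word.strip(string.punctuation)
        if not bare:
            continue
        core.append(replacements.get(bare.lower(), bare[0]))
    return prefix + "".join(core) + suffix


def check_policy(password):
    """Return the reasons a password fails the article's rule; an empty list
    means it passes every check."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters, rule asks for {MIN_LENGTH}")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


if __name__ == "__main__":
    # The two hint/phrase pairs from the article, with the substitutions
    # inferred from the passwords the article prints.
    samples = [
        ("Tommy came in first at the state swim meet in backstroke.",
         dict(suffix="!", replacements={"first": "1", "at": "@", "the": "T"})),
        ("We love helping our patients feel great",
         dict(prefix="#4", suffix="4#", replacements={"we": "w", "love": "L", "great": "G"})),
    ]
    for phrase, opts in samples:
        pw = derive_password(phrase, **opts)
        verdict = check_policy(pw)
        print(f"{pw:16} {'OK' if not verdict else '; '.join(verdict)}")
    # Satisfies every character-class requirement but is built on a dictionary
    # word, so it still fails.
    print(check_policy("Password12!!"))
```

Running it shows the first sample passes, while the second, #4wLhopfG4#, is flagged at 11 characters, one short of the 12 the rule asks for; adding one more word to the phrase fixes that. It also shows why the dictionary check is not redundant: Password12!! meets every character-class requirement and still fails. One caveat on the fixed-wrapper scheme: the #4 ... 4# portion is shared across passwords, so only the center part actually differs between accounts, and anyone who learns one such password learns the wrapper for the rest.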
The idea, he continued, is to create hints and phrases that mean something to you but would be difficult for anyone else to decipher. Taking a few simple, inexpensive steps, Augenbaum concluded, can save a lot of time, effort, heartache and money by making it much harder for cyberthieves.