HIPAA Compliance for Medical Practices
61.1K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Creating and Managing Passwords - Total HIPAA Compliance

Creating and Managing Passwords - Total HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

How many times a day do you access applications or websites that require passwords? The temptation is to make passwords simple or reuse the same password. The 2017 Verizon Data Breach Investigation Report found that 81 percent of hacking-related breaches succeeded through stolen passwords or weak passwords. That’s an 18 percent increase from last year’s report, suggesting that rather than getting better, password security is getting worse.

Common password problems are using simple passwords that are easy to hack and the same one for many sites. Then there is the problem that you can’t remember them all! Ah, the joy of managing passwords. Here are two ways to protect your data. First, learn how to create a solid password. Next, consider a password management system.

Creating Passwords

You know that your passwords have to be unique and strong. But what exactly gives passwords these traits? This list of Dos and Don’ts will help you create a super strong password to safeguard your patient’s or client’s protected health information:

Do:

  • Do use 12-15 characters for each password. The longer, the better.
  • Do consider using a phrase or sentence you can easily remember your password including numbers and special characters.
  • Do use special characters in atypical places. For instance, use a number in the middle of a word rather than before or after it.
  • Do consider length more than complexity. Studies show that a 15-character password with special characters is more secure than a short one of all unique characters like 5&Hq%.

Don’t:

  • Don’t use easily guessed passwords like family members’ names or birthdates.
  • Don’t use single words found in the dictionary such as watermelon or even watermelonseeds as standalone passwords.
  • Don’t reuse passwords at multiple sites.
  • Don’t share your passwords with anyone. If you have to, immediately change your password as soon as someone else has used it.
  • Don’t use passwords based on adjacent keys on the keyboard, like asdfjkl;.

Password Management

Since you’re now the resident expert on password creation, how can you organize all of them? A password management program lets you store and organize passwords in a single spot, so a single, master password gives you access to your complete password database. Last month, PC Magazine published an article comparing several different password management programs. For roughly $12 to $45 dollars a month, you can pay a service like Dashlane, 1Password, LastPass, etc., to securely keep your passwords at your disposal.

Within these programs, you can define your own passwords, or they can create unique passwords for you. To make it easy, these programs can be accessed not only on your work computer but also on your cellular phone or other devices. They may be a great help, but remember that your master password to the program becomes the one and only access point to all of your other information. Concerned about the security of these management programs? A recent article in Macworld will reassure you they are a reliable tool.

Password creation and accessibility aren’t for the faint of heart. Will it always be so difficult? Maybe not. Biometric sensors like iris scanning and facial recognition are becoming increasingly popular forms of authentication. These biometrics sensors can’t stand alone as a strong security solution, but we’re already seeing them more and more as part of a multi-factor authentication solution.

For the meantime, with security breaches rampant, password security is something you and your company can’t take lightly. Make it a habit of creating strong passwords. If you can’t organize them in a safe way, a password management system just might be the help you need to secure the PHI for which you’re responsible.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Anthem Was Wrong Not to Encrypt

Why Anthem Was Wrong Not to Encrypt | HIPAA Compliance for Medical Practices | Scoop.it

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler‒alert, the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records are urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the healine itself is misleading ‒ at best.


I don’t disagree with Fred’s narrow technical argument, but there is definitely a larger issue that he chose to ignore. That larger issue ‒ and one I’ve written about frequently ‒ is what industry experts call a “culture of security.” The sheer volume of data breaches suggests a serious lack of that culture specifically in healthcare.  The SANS Institute report last year highlights the dire state of cybersecurity in healthcare. New Cyberthreat report by SANS Institute Delivers Chilling Warning to Healthcare Industry

Less than 6 months prior to the time Anthem pulicized their breach earlier this month, Community Health Systems (CHS) announced their breach of 4.5 million patient records. Some of the top security analysts have already begun to link the two (Anthem and CHS) ‒ right down to the lethal vulnerability that was discovered last April ‒ the Heartbleed bug. There’s even speculation that the actual breaches at both Anthem and CHS may have occurred in fairly close proximity to each other (after April of last year). Again, something I covered here: Are the Data Breaches at Anthem and CHS Linked?

That “culture of security” means that there’s a technical basis ‒ and logic ‒ to use the appropriate technology (both software and hardware in tandem) to ensure that adequate data (and network) security is in place. Note the use of that word ‒ adequate.

There will never be a perfect. The attack surface in increasing ‒ exponentially with IoT ‒ and the attackers have only to find one vulnerability once. Defenders, on the other hand, need to defend against all vulnerabilities ‒ all the time. That equation gives the attackers the upperhand and the gap between attacker and defenders is widening.

In the end ‒ we’ll likely see at least 2 outcomes from these new mega breaches.

  1. If it’s determined ‒ in court ‒ that the breach was the result of the Heartbleed bug,  both Anthem and CHS will have a much harder time defending against negligence ‒ which means the damage awards will be significant.
  2. Whatever the final cost of both breaches (and those yet to come), as always, they will be passed on to each of us as patients and healthcare consumers in the form of higher premiums.

This last one is simply an extension of many other perverse incentives that exist throughout our for‒profit healthcare system. Why bother paying for an expensive barn door that locks when we can simply pass the cost of the all the lost animals onto someone else? Sure there will be hits to profits and earnings, for awhile, and some heads may actually roll (the CIO at Sony was summarily dismissed), but will these mega breaches (and others yet to happen) be enough to change the “culture of security” inside healthcare? Probably not ‒ and certainly not if strong technical voices like Fred’s continue to defend what amounts to a cavalier attitude of security on the basis of a narrow argument – even if that argument is technically correct.


more...
No comment yet.