07/08/2024 Michael Brody, DPM
The Importance of Password Security
As part of the July 4 activities, a hacking group known as ObamaCare posted 9,948,575,739 unencrypted passwords to the Internet in a file titled rockyou2024. This list of passwords comes from a combination of old and new data breaches.
Data breaches are now seeming like an almost daily event with more and more passwords being ‘broken’ on a regular basis. What does this mean for you in terms of protecting the Protected Health Information (PHI) you are responsible for as well as protecting your private data?
You always want to follow good password security policy which includes:
Change your passwords on a regular basis – at least once a year for ALL of your accounts
When changing a password, do not just append a 1 to the end of a password or change the 1 to a 2. Come up with a totally different password
Do not use the same password for each site; if you do, then if one of your passwords is compromised, all of your passwords are compromised
Use a strong password that contains numbers, uppercase characters, lowercase characters, special symbols and is at least 8 characters long. Many sites now require 12-character passwords.
The question becomes: How do I do this and remember all of my passwords? I have a method that I will share with you.
Step 1 Choose a phrase. This can be the title of a song you like, the name of your favorite artist or sports figure, the title of a book, anything of that nature that you will remember.
Step 2 Do ‘substitution’, for example replace the letter L with a number 1 or an exclamation point character, replace the letter A with the @ symbol.
Step 3 Somewhere in the password add in and remove some characters that relate to the account. For example, if you are creating a password for your AMAZON account you may want to use the first and third letters of the account name, in this case AA. The last letter of AMAZON is “N”, so remove all of the N’s from the password.
Let’s go through this exercise. As our phrase we will use the title of our National Anthem (the hack happened on July 4 after all). We have starspangledbanner as our base. For capitalization we will capitalize the LAST letter of each word, so we now have staRspangleDbanneR
For substitution we substitute $ for the first s, & for the g and 2 for the b (second letter in alphabet) so now we have staR$pan&leD2anneR
For adding in the site name we add the AA after the first word but we do it with substitution so we add in @a so now we have staR@a$pan&leD2anneR
If the password was for our EHR system, we would add in ER we might make this 3R that would give us staR3R$pan&leD2anneR
Finally remove the N’s: staR3R$pa&leD2aeR
This may seem complicated, but once you create a formula you can use it to create a unique password for each site, which, as long as you remember your formula, will allow you to ‘figure out’ your password for each account you have.
By changing your password for all accounts each and every year, when large password breaches like this are published, only your old passwords will be made available to hackers, and they will not be able to use them to break into your accounts.
Even better security is achieved by utilizing what is known as Multi Factor Authentication (MFA), in fact HIPAA guidance documents from the government strongly recommend MFA whenever available. MFA is getting a code texted to your cell phone, or emailed to you, or from an authentication application that you need in addition to your username and password to log in. These codes typically change every 60 seconds.
This way, even if somebody has your username and password, they still do not have that third factor necessary to get into your account. Whenever a site or service that you log onto enables you to turn on MFA, turn it on. These days more and more sites that store sensitive information either require MFA or make it an option.
Disclosure: Dr. Brody is the CEO of TLD Systems.
Michael Brody, DPM, Commack, NY
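As an added example (not part of Dr. Brody's post), the three-step formula above written out in Python, reproducing the EHR worked example and checking the result against the complexity rules stated earlier in the post. The substitution table, the occurrence numbers, the sample leaked list and the explicitly passed-in dropped letter are my assumptions.

```python
import re

# Assumed substitution table; the post only lists a few such swaps.
LEET = {"s": "$", "g": "&", "b": "2", "e": "3", "a": "@"}

def capitalize_last(words):
    """Capitalize the LAST letter of each word of the phrase."""
    return [w[:-1] + w[-1].upper() for w in words]

def substitute(text, rules):
    """Apply (letter, replacement, occurrence) rules: occurrence 1 is the
    first time the letter appears, 2 the second, and so on."""
    chars = list(text)
    for letter, repl, occurrence in rules:
        positions = [i for i, c in enumerate(chars) if c == letter]
        if len(positions) >= occurrence:
            chars[positions[occurrence - 1]] = repl
    return "".join(chars)

def site_tag(site):
    """First and third letters of the account name, with substitution."""
    raw = site[0] + site[2]
    return "".join(LEET.get(c.lower(), c) for c in raw)

def derive(words, rules, site, drop_letter):
    """Build the password: capitalize, substitute, insert the site tag after
    the first word, then remove every copy of drop_letter."""
    capped = capitalize_last(words)
    subbed = substitute("".join(capped), rules)
    first = capped[0]
    with_tag = first + site_tag(site) + subbed[len(first):]
    return "".join(c for c in with_tag if c.lower() != drop_letter.lower())

def meets_policy(pw, min_len=8):
    """Numbers, upper, lower, a special symbol and a minimum length."""
    patterns = (r"\d", r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(p, pw) for p in patterns)

# Constructed stand-in for a leaked-password list (NOT the real rockyou2024 data).
LEAKED_SAMPLE = {"starspangledbanner", "password1", "Amazon2023!"}

def is_leaked(pw):
    return pw in LEAKED_SAMPLE

# The post's EHR example: second 's' -> '$', 'g' -> '&', 'b' -> '2', drop the N's.
EHR_RULES = [("s", "$", 2), ("g", "&", 1), ("b", "2", 1)]
EHR_PASSWORD = derive(["star", "spangled", "banner"], EHR_RULES, "EHR", "n")
```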
Other messages in this thread:
07/17/2024 Paul Kesselman, DPM
The Importance of Password Security (Steve Pribut, DPM)
Several years ago, I was employed as the Compliance Officer for a local podiatry practice with 10 or so employees and two offices. What I soon found out was that everyone from the office manager to the back office medical assistants all had the same level of access to the EHR and all had the same password to log into the EHR.
While the doctors all had different sign-ins from staff, they too shared the same password, while the other employees all shared another same password. This meant that the accounts receivable, postings, lab orders, and accounts payable could not be traced back to any one individual person.
This meant you would not know who posted a check, wrote off a balance or entered a claim.
How would you know who entered an order for DME, placed a lab report into a chart for review, etc.?
How would you know which medical assistant entered or edited a history or which scribe wrote the note? For that matter, other than the doctor signing their name at the end of the note, how would you know it was actually any specific doctor?
This went on for some time until the EHR company paid a site visit and had a very loud and difficult conversation with the owner of the practice.
The bottom line: Every employee at a practice should have their own password entry into the EHR. When the employee is finished entering information, whether in front of a patient or not, they should be exiting the EHR, leaving the computer for the next employee or physician to enter their own password. The password and employee ID should dictate and limit the employee's function and ability to view, enter and edit data. In this manner, every step that is entered can be traced back to the individual performing a specific task.
As for turning on, rebooting or starting the computer, or looking at programs other than the EHR, the same rules apply. Each employee has a dedicated function and thus limits their functions.
To keep employees on their toes and not share passwords today, fingerprinting and face recognition can be utilized. Having employees change passwords on a regular basis is also a great idea.
Paul Kesselman, DPM, Oceanside, NY
07/15/2024 Michael L. Brody, DPM
The Importance of Password Security (Steve Pribut, DPM)
Dr. Pribut brings us some excellent points. Each member of the practice should have their own login to practice software. Well-designed software has an audit log which can be reviewed to see "who did what and when." This is important should there be issues or discrepancies in the information in an EHR system or practice management system. You should not allow users to 'share' an account. In addition, each user should have their own login for the operating system.
With each user having their own account, when a member of your practice leaves you then re-activate their login information to all practice software systems as well as their access to the actual computer. This is an integral part of administrative security of your computers, network and software.
Dr. Pribut also mentions the use of password managers. Password managers have the advantage of creating unique and quite complex passwords that can be very difficult to break using 'brute force' techniques. The disadvantage of password managers is that you have all of your passwords stored in a single system. If the password manager is hacked, the hackers now have all of your passwords, and no matter how complex they are, they can simply grab them from your password manager and break into your account. A very interesting article about hackers attacking password managers can be found at Beyond Identity at this link: https://www.beyondidentity.com/resource/password-managers-hacked-a-comprehensive-overview
In addition, the use of a password manager creating complex passwords does not protect you from hackers getting your password from the system you log into and then posting it to the internet, which is what happened on July 4th with the Obamacare file I originally referenced in this thread. I am NOT saying you should not use a password manager. I am saying it is important to change your passwords annually so that the stolen password that is published is no longer a valid password, and you should monitor cybersecurity news to watch for announcements of breaches of your password manager software, and when that does happen, take the appropriate steps to protect yourself.
No system is perfect; each has its advantages and disadvantages. With each method of protecting our data that is developed, hackers will work to defeat that security to access our data. Hackers are now even using AI to hack into our systems. A very scary article on this topic can be found at Keypoint Intelligence, titled "The Rise of AI-Driven Hacking": https://keypointintelligence.com/keypoint-blogs/the-insiders-guide-to-cybersecurity-the-rise-of-ai-driven-hacking
We need to be diligent and make it as difficult as possible for hackers to access our systems. It is also important to be aware of the Strengths, Weaknesses, Opportunities, and Threats that exist and make informed decisions about how to best protect ourselves. The best we can do is stay aware of what is going on and what tools and methods are available to assist us in maintaining security. Threads of this nature are vital to make sure that everybody is aware of the issues and risks they face in the cyber environment we work and live in.
Michael L. Brody, DPM, Commack, NY