Podiatry Management Online



07/15/2024    Michael L. Brody, DPM

The Importance of Password Security (Steve Pribut, DPM)

Dr. Pribut brings us some excellent points. Each
member of the practice should have their own login
to practice software. Well-designed software has an
audit log which can be reviewed to see "who did
what and when." This is important should there be
issues or discrepancies in the information in an EHR
system or practice management system. You should
not allow users to 'share' an account. In addition,
each user should have their own login for the
operating system.

With each user having their own account, when a
member of your practice leaves you then re-activate
their login information to all practice software
systems as well as their access to the actual
computer. This is an integral part of
administrative security of your computers, network
and software.

Dr. Pribut also mentions the use of password
managers. Password managers have the advantage of
creating unique and quite complex passwords that
can be very difficult to break using 'brute force'
techniques. The disadvantage of password managers
is that you have all of your passwords
stored in a single system. If the password manager
is hacked, the hackers now have all of your
passwords, and no matter how complex they
are, they can simply grab them from your password
manager and break into your account. A very
interesting article about hackers attacking
password managers can be found at Beyond Identity
at this link:
https://www.beyondidentity.com/resource/password-managers-hacked-a-comprehensive-overview

In addition the use of a password manager creating
complex passwords does not protect you from hackers
getting your password from the system
you log into and then posting it to the internet,
which is what happened on July 4th with the
Obamacare file I originally referenced in this
thread. I am NOT saying you should not use a
password manager. I am saying it is important to
change your passwords annually so that the
stolen password that is published is no longer a
valid password, and you should monitor
cybersecurity news to watch for announcements of
breaches of your password manager software and when
that does happen take the appropriate steps to
protect yourself.

No system is perfect; each has its advantages and
disadvantages. With each method of protecting our
data that is developed hackers will work to defeat
that security to access our data. Hackers are now
even using AI to hack into our systems. A very
scary article on this topic can be found at
Keypoint Intelligence titled The Rise of AI-Driven Hacking:
https://keypointintelligence.com/keypoint-blogs/the-insiders-guide-to-cybersecurity-the-rise-of-ai-driven-hacking.


We need to be diligent and make it as difficult as
possible for hackers to access our systems. It is
also important to be aware of the Strengths,
Weaknesses, Opportunities, and Threats that exist
and make informed decisions about how to best
protect ourselves. The best we can do is stay aware
of what is going on and what tools and methods are
available to assist us to maintain security and
threads of this nature are vital to make sure that
everybody is aware of the issues and risks
they face in the cyber environment we work and live
in.

Michael L. Brody, DPM, Commack, NY

Other messages in this thread:


07/17/2024    Paul Kesselman, DPM

The Importance of Password Security (Steve Pribut, DPM)

Several years ago, I was employed as the Compliance
Officer for a local podiatry practice with 10 or so
employees and two offices. What I soon found out
was that everyone from the office manager to the
back office medical assistants all had the same
level of access to the EHR and all had the same
password to log into the EHR.

While the doctors all had different sign-ins from
staff they too shared the same password while the
other employees all shared another same password.
This meant that the accounts receivable, postings,
lab orders, accounts payable could not be traced
back to any one individual person.

This meant you would not know who posted a check,
wrote off a balance or entered a claim.

How would you know who entered an order for DME,
placed a lab report into a chart for review, etc.?

How would you know which medical assistant entered
or edited a history or which scribe wrote the note?
For that matter, other than the doctor signing
their name at the end of the note, how would you
know it was actually any specific doctor?

This went on for some time until the EHR company
paid a site visit and had a very loud and difficult
conversation with the owner of the practice.

The bottom line: Every employee at a practice
should have their own password entry into the EHR.
When the employee is finished entering information,
whether in front of a patient or not, they should
be exiting the EHR, leaving the computer for the
next employee or physician to enter their own
password. The password and employee ID should
dictate and limit the employee's function and
ability to view,
enter and edit data. In this manner, every step
that is entered can be traced back to the
individual performing a specific task.

As for turning or rebooting or starting the
computer or looking at programs other than the EHR,
the same rules apply. Each employee has
a dedicated function and thus limits their
functions.

To keep employees on their toes and not share
passwords today, fingerprinting and face
recognition can be utilized. Having employees
changing passwords on a regular basis is also a
great idea.

Paul Kesselman, DPM, Oceanside, NY