Continuing our discussion on healthcare security, here are additional recommendations that upper management can take to help strengthen your organization’s information security:
- Following up on login audits, it is worth knowing about the “dictionary attack”, in which someone attempts to log in to your network or application using commonly used passwords. Humans are creatures of habit, and that holds true when it comes to choosing passwords. IT security professionals occasionally post a list of the “X most commonly used passwords” (here are examples; note that the contents may be not safe for work, ironically: 25 worst passwords, 10,000 most common passwords, analytics of common passwords). It is well worth it for your organization to require every employee (including upper management!) to check whether their favorite password(s) appear on these lists. Most people aren’t aware of the larger lists published out there, so it can be personally eye-opening for them.
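As an added example (not part of the original post), here is a small self-service audit script that checks a password, and the trivial mutations people apply to a dictionary word, against a common-password list. The list below is a constructed placeholder, not the real published lists; storing it as SHA-1 digests means the script can be shared without carrying plaintext passwords.

```python
import hashlib
import re

# Constructed sample of a "most common passwords" list (placeholder entries,
# not the real published lists the article refers to).
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "welcome",
    "football", "monkey", "dragon", "iloveyou", "admin",
]

# Keep only SHA-1 digests so the audit script never ships plaintext passwords;
# a real list would be hashed the same way before distribution.
COMMON_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in COMMON_PASSWORDS}

# Reverse the usual "leet" substitutions so P@ssw0rd still matches password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def candidates(password: str):
    """Yield the password plus the simple mutations people commonly apply to a
    dictionary word: case change, trailing digits/symbols, leet spelling."""
    lower = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lower)   # drop trailing "1!" etc.
    seen = set()
    for form in (password, lower, stripped, stripped.translate(LEET)):
        if form and form not in seen:
            seen.add(form)
            yield form


def is_common(password: str) -> bool:
    """True if the password, or a trivially mutated form of it, is on the list."""
    return any(hashlib.sha1(c.encode()).hexdigest() in COMMON_HASHES
               for c in candidates(password))


def audit(passwords):
    """Return the subset of passwords that fail the common-list check."""
    return [p for p in passwords if is_common(p)]


if __name__ == "__main__":
    print(audit(["Password", "P@ssw0rd1!", "galen_is_the_best"]))
```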
- To continue harping on password security, it is also advisable to review the credentials used by various software applications used within your organization. Most of the time there are default/generic credentials used by software developers and contractors for ease of use. While this is very convenient for IT teams, developers, and the contractors that install this software, it can be a potential point of failure if this information gets out. IT people like myself may grumble about how annoying it is to keep track of different passwords for everything, but we all know deep down it’s the best thing to do. In one instance, a large healthcare software company was found to have the same set of default passwords for most of their accounts, and that information leaked to the internet. The passwords were forever banned in the application, but damage could have been done quite easily with this information. The number of data breaches due to this wasn’t calculated, but it only takes one incident at an organization to cripple it. As a member of management, it is very easy to ask the vendors, contractors, and IT teams “Is this password going to be used anywhere else or by another client?” If necessary, get it in writing.
- Use PASSPHRASES and push for your vendors and partners to adopt them as well. Passphrases are just like passwords, only longer and more secure. Most hackers who try to get into organizations use social engineering, dictionary attacks, or “brute force” attacks that try every possible password combination. Brute force is the most arduous, but the most reliable. For a brute force attack, hackers set up a machine, or an army of machines, to methodically count through every letter-number-symbol combination until one is found that works. Most websites or applications require a minimum of 8 characters (and some have a maximum of 20 characters, which in my opinion is inexcusable). Guess how long it takes for a machine to potentially crack that? About 4 weeks, theoretically, from outside your network. From within your network? A matter of seconds to hours. Of course, most applications lock accounts after a number of failed attempts, but these lockouts don’t exist in every application, and there are ways around lockouts and timeouts that can be exploited. Also, consider that many lockouts last just half an hour, but the hacking computers never sleep. This link is a great resource to see just how long it can take to crack certain passwords with a brute force attack. The password “DJ%*#*FJ%$(”, for example, can take 3.75 days for an array of machines to crack, whereas “galen_is_the_best” would take 4.11 million centuries with the same amount of brute force. Which one do you think is more secure while still being easier on your employees to use? It is worth noting that most software companies have been notoriously slow to adopt passphrases because we’ve all been using passwords for a long time now. It is worth your time, and your security, to demand that your software vendor apply sensible password practices.
The reason most of them don’t is outdated holdover practices from primitive database technology that are no longer necessary. It’s time for us to lead the charge to improve this situation.
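To show why length beats complexity, here is an added example (not from the original post or the linked calculator) that estimates the brute-force search space of the two passwords above. The character-class sizes and the guess rate are assumptions, so the absolute times will differ from the calculator’s 3.75 days and 4.11 million centuries; the ratio between the two is the point.

```python
import math
import string

# Assumed character-class sizes; a brute-force run must enumerate every class
# that appears in the password, so a single symbol costs the whole symbol class.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    return sum(n for chars, n in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates with the same length and classes."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the full keyspace at an assumed rate.
    Offline cracking rigs and a rate-limited login form differ by many
    orders of magnitude, so the rate is a parameter, not a fact."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def compare(short_complex: str, passphrase: str,
            guesses_per_second: float = 1e11) -> dict:
    """Report both keyspaces, the years to exhaust each, and the ratio."""
    b1, b2 = keyspace_bits(short_complex), keyspace_bits(passphrase)
    years = tuple(seconds_to_exhaust(p, guesses_per_second) / 31_557_600
                  for p in (short_complex, passphrase))
    return {
        "bits": (round(b1, 1), round(b2, 1)),
        "years": tuple(round(y, 2) for y in years),
        "passphrase_is_x_larger": 2 ** (b2 - b1),
    }


if __name__ == "__main__":
    # "galen_is_the_best" uses only lowercase plus one symbol, yet its keyspace
    # dwarfs the short, hard-to-type "DJ%*#*FJ%$(" purely through length.
    print(compare("DJ%*#*FJ%$(", "galen_is_the_best"))
```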
- Hire outside contractors to provide regular penetration and social engineering tests for your organization. You may have a sensible password policy, secured all your networks’ access, and trained your employees to hell and back about social engineering, but there’s no way to confidently know how secure your organization is without tests. IT teams typically don’t like to be challenged on how they structure their environments, but again, deep down they/we all know that it’s a necessary annoyance. It’s much better to pay someone to try to break in than to suffer an unexpected breach. This recommendation may be the most costly part of securing your organization, but it can also be the most important. Even the most crack IT teams in the world have vulnerabilities they are not aware of, and hackers can find these easily because they are endless, relentless, and they employ machines that never sleep.
I hope these recommendations help illustrate how easy it can be to protect your organization’s data and help you understand the risks of ignoring the topic. Most of them are extremely cost effective and can not only increase your security but also help start that conversation with your IT team so everyone gets on the same level. At Galen, we work with our clients to plug any security holes and use current best practices. The cost of data compromises can be very high, the cost of implementation can be low, and your patients deserve to have their information stay private.
For additional information on how Galen can help your organization with information security, please contact us at firstname.lastname@example.org.