Two years ago I sat in her office and watched her with her head in her hands. Dr. Williams could not understand how an office her size could have been targeted by a hacker. “I always thought they went after the large companies like I hear on the news,” she said. The reality is that breaches at large companies are the ones we hear about most because they are newsworthy. More importantly, large companies have expensive monitoring systems in place to detect breaches in the network. So while breaches do happen there, their IT departments find out quickly and can work to contain them. In many cases the small chiropractic offices I deal with don’t even have a firewall, or they have purchased a cheap home-use router from their favorite local electronics store for $69. These routers just don’t have the protection needed to keep your sensitive patient data from being breached. A future article will cover proper router protection, but there is a much bigger threat, and it was the cause of Dr. Williams’ breach: a weak password. Here are 5 ways to ensure a hacker doesn’t exploit a weak password in YOUR practice.
1) Passphrase, not password – Choose a passphrase that is easy to remember but hard to guess. Ilikepig$feet9 would be a great phrase. It is not a common word, and it contains upper case letters, lower case letters, symbols and numbers. This combination of phrase and complexity makes it difficult to guess. This matters especially if you have moved your patient data offsite to the “cloud”, where the password or passphrase is sometimes the only thing that keeps a would-be hacker out.
2) Keep your passphrase to yourself – Giving your kids or anyone else your passphrase increases the chance that there will be a leak. Also, no reputable company will ask for your password via email or phone. So if a vendor asks for your password and you feel you need to give it out, at least call that vendor back to ensure they are who they say they are and have a bona fide need for your security information. Having to give it out should be a very rare occurrence. A great rule of thumb is to just keep it to yourself.
3) Use different passphrases – Don’t use the same passphrase at multiple locations. The passphrase that you use to access patient data should be different from the one you use to access your home computer. You can have all the security and monitoring at your office that you should have, but a breached password at home that is the same as the one at the office can make all that effort moot.
4) Don’t write your passwords down – So I bet you’ve been reading up to this point saying, “I can’t remember these hard passwords.” That’s OK, there are great secure programs available for the Mac, the PC and your smartphones that allow you to have them all “written down” securely. We’ll do a review of these programs in a future article. Reach out if you’d like some suggestions sooner.
5) Watch where you use your password – You should also be very careful about where you use your computer. A friend e-mailed me from his airplane seat to let me know that he was reading patient data through the crack between the seats in front of him. A doctor had logged onto his EMR system and had no idea he was breaching his patient data. Had this been reported, it wouldn’t be difficult to prove where he was when that breach occurred. Plus, you need to make sure someone isn’t looking over your shoulder when you type your password. Have you ever accidentally typed the password in the username field and the person standing over your shoulder saw it? You get the idea.
I know you hear us IT guys harping on password security all the time, but in the same way you don’t want to wait until you have a fire to buy insurance, you don’t want to wait until a breach occurs to implement these simple strategies to solve a very real problem.
QUESTION: Have you come up with any other strategies to create great passwords? Use the feedback form and let us know.