In our year-ender on the biggest data breaches of 2009, we noted that every one of them could be traced to mundane, easily preventable lapses rather than new hacking schemes or attack techniques.
For example, Transportation Security Administration officials failed to properly redact sensitive information about passenger screening protocols from a document they then posted on the Web. And the massive breach of personal health and financial information at Health Net happened when an employee removed a hard drive containing sensitive information on 1.5 million enrollees and put it in his car so he could work from home. The hard drive was then stolen from the car.
And most recently, a physician at UCSF fell for a spearphishing scam that resulted in the potential exposure of his patients' confidential personal information. UCSF vowed to re-educate its staff to prevent similar mishaps in the future.
So the good news is that adherence to common-sense security measures can prevent many breaches.
Now for the Bad News
If physicians who must log on to electronic health records (or billing systems or research databases) are as lax in selecting passwords as a recent analysis revealed consumers to be, we have a problem.
Security experts have said for years that consumers need to vary their passwords as they navigate their connected lives: on Facebook and Amazon, on their Web-mail accounts and cell phones, and of course on their online banking sites.
But most people, it seems, don’t do that.
According to the results of a study by the security firm Trusteer, 73% of Web users use their online banking password on other Web sites. Even when banks enforced strict password controls such as assigning a customer ID, 42% of people used that ID on other sites.
This greatly simplifies things for hackers. While banks (and indeed most medical applications) rely on sophisticated technology and strong password-creation requirements to protect stored credentials, such measures can be prohibitively expensive for the local boutique you shopped at online last week.
So a hacker can break into a poorly defended Web site, steal its cache of passwords, and then replay them against an online banking site. Or an EHR. The bank never has to be broken into at all; the password simply arrives from somewhere else. In other words, banking and medical security technology is only as strong as the weakest site where a particular password is used.
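The chain above, as an added example that is not part of the original post: a poorly defended shop site is assumed to store unsalted MD5 password hashes (a common practice of the period, assumed here), while the bank uses a per-user salt and a slow iterated hash. An attacker who obtains the shop's dump hashes a short wordlist once, recovers every matching password at once, and then simply logs in to the bank with the recovered passwords. The bank's stronger hashing is irrelevant to the users who reused their password. All users, passwords and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the attacker's guessing run (not from the post).
WORDLIST = ["password", "letmein", "sunshine1", "Tr0ub4dor&3", "qwerty123"]


class WeakShop:
    """Boutique site: stores unsalted MD5 hashes (assumed, era-typical practice)."""

    def __init__(self):
        self.users = {}  # email -> hex MD5 of the password

    def register(self, email, password):
        self.users[email] = hashlib.md5(password.encode()).hexdigest()


class Bank:
    """Bank or EHR: per-user random salt plus a slow iterated hash (PBKDF2-HMAC-SHA256)."""

    ITERATIONS = 100_000

    def __init__(self):
        self.users = {}  # email -> (salt, digest)

    def register(self, email, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.users[email] = (salt, digest)

    def login(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(cand, digest)  # constant-time comparison


def crack_unsalted_md5(dump, wordlist):
    """Hash each candidate once and look it up against the whole dump.

    With no salt, one MD5 computation tests every user in the dump at the same time,
    which is why an unsalted store falls so cheaply.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


def credential_stuffing(bank, cracked):
    """Replay each recovered shop password against the bank; return the accounts that open."""
    return sorted(email for email, pw in cracked.items() if bank.login(email, pw))


def demo():
    shop, bank = WeakShop(), Bank()
    bank.register("alice@example.com", "sunshine1")
    bank.register("bob@example.com", "Tr0ub4dor&3")
    bank.register("carol@example.com", "correct horse battery staple")
    shop.register("alice@example.com", "sunshine1")    # reused banking password
    shop.register("bob@example.com", "Tr0ub4dor&3")    # reused banking password
    shop.register("carol@example.com", "letmein")      # weak, but not her banking password
    cracked = crack_unsalted_md5(shop.users, WORDLIST)
    return cracked, credential_stuffing(bank, cracked)


if __name__ == "__main__":
    cracked, compromised = demo()
    print("recovered from shop:", cracked)
    print("bank accounts opened with shop passwords:", compromised)
```

Carol's shop password is recovered just as easily as the others, but it opens nothing at the bank because she did not reuse it; the salt and iteration count protect only the users whose password the attacker does not already hold.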
“It is sad that such a large portion of users use their banking credentials at other sites,” Amit Klein, Trusteer’s CTO told MSNBC. “It exposes those users to attacks that would otherwise be impossible. I thought people would take banking credentials more seriously."
The Trusteer study confirmed the findings of an earlier one by Gartner, yet the director of that study, Avivah Litan, warned that even habitual use of multiple passwords won't thwart sophisticated hackers.
“The truth is criminals steal your passwords lots of ways, such as recording keystrokes,” she told MSNBC. “And if they do that, it doesn't matter whether your password is 15 characters and unique or 7 characters and the same for every site. People have figured this out."
Of course, banks and most medical software providers do more than enforce tough-to-crack user/password combinations to keep your financial information safe, Litan added. One approach is "device fingerprinting," in which banks identify your computer by analyzing attributes such as processor speed and time and date settings, so that a correct password arriving from an unfamiliar machine is itself a warning sign.
Banks also flag attempts to transfer money to unknown accounts and monitor users who click through their sites at high speed. Such behavior is uncharacteristic of humans who, it turns out, take about 10 seconds before clicking "confirm" during online transactions.
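The three checks just described, combined into one risk decision, as an added example that is not from the post or from any bank's actual system: a device fingerprint is a hash of client attributes (the attribute names are assumed), a payee not on the customer's list of prior recipients is flagged, and a confirm that arrives faster than the post's ten-second human figure is flagged. The decision policy itself is an assumption. The profile and the three transfers are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed client attributes of the kind Litan describes (names are assumed).
HOME_PC = {"cpu_mhz": 2400, "tz_offset_min": -300, "clock_skew_s": 2, "ua": "Firefox/3.6"}
OTHER_PC = {"cpu_mhz": 1600, "tz_offset_min": 180, "clock_skew_s": 911, "ua": "IE/7"}

MIN_HUMAN_CONFIRM_SECONDS = 10.0  # the post's figure for a typical human


def fingerprint(attrs):
    """Stable digest of the client attributes, independent of key order."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class Profile:
    known_payees: set     # accounts this customer has paid before
    known_devices: set    # fingerprints seen on past legitimate sessions


@dataclass
class Transfer:
    user: str
    payee: str
    device: dict
    seconds_to_confirm: float  # time from showing the confirm page to the click


def risk_signals(profile, t):
    """One signal per check the post mentions; a correct password triggers none by itself."""
    signals = []
    if fingerprint(t.device) not in profile.known_devices:
        signals.append("unknown_device")
    if t.payee not in profile.known_payees:
        signals.append("new_payee")
    if t.seconds_to_confirm < MIN_HUMAN_CONFIRM_SECONDS:
        signals.append("inhuman_click_speed")
    return signals


def decide(profile, t):
    """Assumed policy: a new payee plus any other signal needs out-of-band
    verification ("step_up"); any single signal goes to review; otherwise allow."""
    s = risk_signals(profile, t)
    if "new_payee" in s and len(s) > 1:
        return "step_up", s
    if s:
        return "review", s
    return "allow", s


def demo():
    alice = Profile(known_payees={"ACCT-1001"}, known_devices={fingerprint(HOME_PC)})
    transfers = [
        Transfer("alice", "ACCT-1001", HOME_PC, 14.2),   # routine payment from her own PC
        Transfer("alice", "ACCT-9999", HOME_PC, 31.0),   # new payee, otherwise normal
        Transfer("alice", "ACCT-9999", OTHER_PC, 0.8),   # reused password, scripted from elsewhere
    ]
    return [decide(alice, t) for t in transfers]


if __name__ == "__main__":
    for outcome, signals in demo():
        print(outcome, signals)
```

The third transfer is the case the post is about: the attacker has the right password, but the unfamiliar machine, the unknown destination and the sub-second confirm each fail a check that has nothing to do with the password.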
So What Should You Do?
Handle your medical software and banking passwords with care. Don’t share them with anyone, and don’t use these passwords on other Web sites.
Remember that many Web sites—including some social networking sites and e-commerce sites where you have placed critical personal information—do not have high-grade security systems on their back end.
And while it may be impractical to create a unique user/password combination for every site you visit, a practical goal might be to create separate password families for medical software sites, financial sites, sites that store your personal information (e.g. Facebook), and another for all those blogs you post comments to. Keep in mind that a family shares the fate of its weakest member: if any site in the group is breached, every site in that group is exposed, so the accounts that matter most, such as your bank and your EHR, deserve a password used nowhere else.
Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs Practice Fusion
Monday, February 8, 2010
Annals of Security: Don't Pass the Password
1 comment:
I have 3 levels of username/password for the 3 levels of websites that I use. They are all based on one of 3 phrases that I have in my head and then plying a first character from the phrase. So long as I remember the phrase, I can pretty much always remember my password. An example which I often used while instructing the lawyers who used our legal software was: "We the people of the united states in order to form a more perfect union." became wtPotU5mpU or something like that. As long as it's over 10 characters, has a nice mix of stuff in it and isn't dictionary recognizable, it's a decent password.
But the onus of protection is on the website itself. There are many layers of protection to use, but I think a great thing to do (and we did this on our legal website, which required high levels of security) was to publish a 3rd-party report of a penetration test of our security. A double-edged sword, to be certain, but it showed that we took security seriously and were proactive in that.
It's one thing to say, "I'm secure". It's another to actually show it.