Hacking has been in the news a lot because of the upcoming mid-term elections.
The problem is not limited to candidates and politicians. Your office may one day become a target as well. Protected health information contains a wealth of data that can be used to commit identity theft: providers collect full names, Social Security numbers, dates of birth, current addresses, scans of driver's licenses and much more. It makes one wonder why there are not even more healthcare breaches.
Do not let yourself become a statistic. A breach brings embarrassment, loss of patient trust and possible regulatory penalties, and you will likely be footing the bill for a year of credit monitoring for every affected patient.
Running anti-virus and anti-ransomware software is not a strong enough defense on its own. A firewall helps, but if a member of your staff falls prey to a phishing attack and hands over their password, all bets are usually off.
There are three best practices you can employ to protect your data.
Multi-factor Authentication
Multi-factor authentication is one of the most effective ways to protect your data. Besides entering the usual login credentials, the user has to prove their identity a second way before being allowed in. These days most multi-factor authentication happens on the phone, either through an app or by text message. With an app, the user opens it and is shown a short code that changes every thirty seconds or so; the app and the server share a secret, and both compute the code from that secret and the current time, so the app works even without a network connection. The user must enter the code before it changes. Another method is to have a code sent to the user's phone by text message. Since nearly all of your employees already carry a smartphone, either option is cost-effective. Some vendors also offer dedicated hardware tokens, typically carried on a key chain, that display a similar string of digits. Among apps, Google Authenticator (iOS and Android) is widely used.
The downside to two-factor authentication is that your provider has to support it. Thankfully, many software-as-a-service providers do. If you are using Gmail, you definitely want to set it up there. Prefer an app or hardware token over text messages where you have the choice: a code sent by SMS can be intercepted or redirected by an attacker who convinces your carrier to move your number to their SIM card, whereas an app's code never leaves your phone.
Enterprise Password Management
Weak passwords used across multiple services can sink you very easily.
Say your practice uses Gmail and JPMorgan Chase for banking and, for simplicity, the same password for both. If your Gmail account is compromised and the attacker sees an email from JPMorgan Chase, they will immediately try that same password against your online banking.
You and your staff should use a unique password for every service, each at least 12 characters long and including mixed case, numbers and special characters. Keeping track of these from memory is a nightmare, and an unencrypted spreadsheet defeats the purpose.
Instead, deploy an enterprise password management tool. I have been using LastPass for years, and they are one of the most reputable vendors on the market; I will describe it based on my personal experience. First, it includes multi-factor authentication, so you do not have to use Google Authenticator. It has user management, making it easy to add or remove a user when they join or leave your practice. It is cloud based, but the vault is encrypted on the user's device with a key derived from their master password, and it stays encrypted in transit and at rest on LastPass's servers. That means only the user, who knows the master password, can read the stored passwords; LastPass staff cannot.
It also offers an area for secure notes. Say, for whatever reason, a certain employee requires your Social Security number; it can be shared as a secure note rather than by email. Each user has their own vault, protected by a single master password that they must remember. It is important that this password be strong and used nowhere else, since it is the only password they have to remember and it unlocks all the others. The tool also offers controlled password sharing between employees when necessary. Finally, there is a password generator that produces strong random passwords for you.
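The generator and the reuse problem described above, as an added example that is not part of the original post and not LastPass code: it draws passwords from the operating system's cryptographic random source, enforces the 12-character, four-class policy the post recommends, and flags any password that appears under more than one service in a vault. The vault contents are constructed sample data.

```python
"""Password generation and policy checking the way a password manager's
generator does it, plus a reuse audit. Added illustration; the policy values
(12+ characters, all four classes) are the ones recommended above."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL   # 85 distinct characters


def meets_policy(password: str, min_length: int = 12) -> bool:
    """True if the password is long enough and uses all four character classes."""
    return (len(password) >= min_length
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def generate_password(length: int = 16) -> str:
    """Draw every character with the OS CSPRNG (`secrets`, never `random`) and
    resample until the policy is met. Rejection sampling keeps every accepted
    password equally likely; forcing one character per class into fixed
    positions would not."""
    if length < 12:
        raise ValueError("policy requires at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Bits of entropy of a uniformly random password of `length` characters
    over ALPHABET (an upper bound for the policy-filtered output)."""
    return length * math.log2(len(ALPHABET))


def find_reused(vault: dict) -> dict:
    """Given {service: password}, return {password: [services]} for every
    password used for more than one service (the Gmail/bank scenario above)."""
    by_password: dict = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two services share one password.
    vault = {"gmail": "Sunshine2018!", "chase": "Sunshine2018!", "ehr": generate_password()}
    print("reused:", find_reused(vault))
    print("new password:", generate_password(), f"({entropy_bits(16):.0f} bits)")
```

Twelve random characters from this alphabet give roughly 77 bits of entropy, which is why 12 is a sensible floor; a generator makes 16 or 20 free, since nobody has to remember them.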
Single Sign-on
Single sign-on (SSO) is a lot like the enterprise password management described above, but takes things further. Instead of storing a separate password for each application, users log in once with a single set of credentials and the other applications trust that login. SSO commonly draws on a central directory such as Windows Active Directory, which is queried over the Lightweight Directory Access Protocol (LDAP). LDAP is the open protocol such directories speak, not a product in its own right, and other directory servers implement it as well. Cloud applications typically join an SSO setup through federation protocols such as SAML or OpenID Connect rather than talking LDAP directly.
Many dental practices use none of the above to protect themselves from attack. Speak with each of your vendors to determine the strongest security they support and, at the very least, deploy an enterprise password management tool and turn on two-factor authentication wherever it is available.