Cyber Security Part 1: Account Security

Over the next few months we will be posting a series of blogs related to cyber security.  Each will focus on a specific aspect of cyber security that is relevant to the healthcare industry, as well as your day-to-day activities.  Our first blog in the series focuses on Account Security.  We hope you enjoy it and find it useful.  Stay tuned for the additional posts in this series.

Cyber security is an ongoing battle between usability and security. Oftentimes, security is sacrificed for ease of use and functionality. With your digital accounts, it is vital that you do not allow this to happen. Protecting your digital accounts is incredibly important, especially in the healthcare industry. Here are some general best practices to secure your digital accounts:

1. Use a unique password per service. 

Many times, an attacker will get a hold of a database of usernames and passwords from some breached service.  Therefore, if your Twitter account password is breached, and you use that same password for your email or OptimisPT account, those could be breached as well, since an attacker will likely try to log in to as many services as they can using those same credentials.  A unique password solves this issue, since the password they grabbed from one service is not the same as any other.  We will be putting out a blog post on password managers and why you should use them soon.

2. Create a complex and long password.

If a service is worth its salt (pun intended) then it hashes and salts the passwords that are stored in its database.  A hash is a one-way function that turns a string of text into a fixed-length string that looks random.  A salt is a random string of text that is added to the password before it is hashed for added security.  This combination ensures that just by looking at the database, the password cannot be inferred.  However, this does not mean that the passwords are 100% safe.  While there is no way to reverse a hash, passwords can effectively be “guessed”.  Let’s take a look at an example below:

The password “password” has an MD5 hash of 5f4dcc3b5aa765d61d8327deb882cf99
The password “password1” has an MD5 hash of 7c6a180b36896a0a8c02787eeafb0e4c

These values never change.  “password” will always have the same MD5 hash, which means an attacker can guess passwords, trying every possible combination, until one of the guesses produces the stored hash.  This is known as brute-forcing.

Now, “password” is not a good password, because it is a dictionary word and commonly used, which could dramatically reduce the amount of time it takes to crack the password.  The image below is fairly generic, but does provide a general guide for password cracking speed.  As you can see, the length of time needed to crack a password increases as the complexity and length of the password increase.  However, length does not mean strength, and complexity does not always guarantee strength either.  It is the combination of both that creates a strong password.

* Image source: https://ridethelightning.senseient.com/2020/02/

3. Use a password manager.

We will go into more detail on these solutions in a later blog post, but a good password manager helps you meet best practices #1 and #2 listed above.  The software will manage all of that for you, requiring you to remember only one good password.

4. Enable multi-factor authentication (MFA).

If the service offers multi-factor authentication, you should use it.  This feature can help stop phishing attacks and secure your account much better than just a username and password.  MFA requires you to have something you know (i.e., your password) and a device in your possession (typically a smart device with either text-message (SMS) capabilities or a code generator app).  You would need to have access to both the password and the smart device in order to log in to your account.  Text-message codes are better than nothing, but some sophisticated attacks can grab those one-time codes from the SMS, so a code generator app is highly recommended.  Do your due diligence when choosing one for your organization.

Securing your digital accounts is important and necessary in order to protect your and your patients’ personal information.  There is one account in particular that needs to be locked down like Fort Knox.  Your email account!  Your email account is arguably one of the most dangerous accounts you have.  If that account is breached, the rest of your accounts can crumble.  The reason is simple: where do most of your password resets go? Exactly, to your email!  If someone enters your email account, they can reset the password to your services and gain access.  You might wonder how they would know what accounts you have?  Well, likely the service sent you an email when you signed up.  Your email account needs to be protected almost above everything else.  It is highly recommended to at least enable multi-factor authentication for your email accounts, if possible.  Most reputable email providers have this functionality already.  That, plus a strong password, should offer a great deal of protection.

Now, if your actual machine (laptop, desktop, phone, etc.) is hacked, that presents even more problems, because no amount of password length or multi-factor authentication will stop a keylogger from simply sending that information to attackers.  Also, some phishing attacks have been known to succeed in grabbing your multi-factor code before it expires, so it is always best to watch out for phishing attacks. While these attacks are possible, they are outside the scope of this particular blog post and will be discussed in later posts.

Securing your digital accounts is vital to the success of your organization.  As we know, even one breach can have huge implications from a legal, monetary, and ethical perspective.