Simple Steps to Enhance Cybersecurity
From U.S. elections to national healthcare providers and payers, the news is filled with examples of massive organizations with massive IT departments that still got hacked. So how do much smaller healthcare companies and medical practices avoid the same fate?
Scott Augenbaum, who recently retired after 29 years with the Federal Bureau of Investigation, said there is any number of best practices ... most of which cost little or nothing ... that healthcare practices should put in place to maximize protection.
"I've dealt with thousands of cybercrimes in my career," noted Augenbaum, who spent the last 14 years working exclusively in this arena. "When a large healthcare organization has an issue, they are able to throw a lot of money at the problem ... but not the smaller companies, and when the smaller companies have a breach, it can be devastating."
First, the Bad News
He added most healthcare practices that are victims of cybercrime have five points in common:
- They believe they are too small to attract the attention of cyberthieves. Augenbaum noted, "Nobody ever expects to be a victim." He added that many healthcare providers believe larger health systems or insurers are at greater risk than a small practice or payer ... but security is often easier to breach at smaller organizations.
- They don't think they have anything of value to hackers. "I don't hear this as much in the practices but do from insurers and consultants. Even without patient records, they have financial records and emails," he noted.
- A mistaken belief that law enforcement can fix it. "When the bad guys steal your stuff and you call law enforcement, law enforcement doesn't get your stuff back," he said of the impossibility of recovering data after it's gone.
- "The chances of us putting the bad guys in jail are tougher than getting your stuff back," he said, adding that most bad actors are overseas.
- While points one through four are depressing, Augenbaum said the last common trait is the hardest for him. "Why does it make me depressed? Because 90-95 percent of what I have dealt with could have been prevented without spending money on technical solutions."
Some (Slightly) Better News
While companies buy a lot of tech products that are supposed to keep them safe, there is no real silver bullet, cautioned Augenbaum. "People are now HIPAA compliant, HITRUST compliant, PCI compliant ... but being compliant is completely different than being secure."
He continued, "Most organizations are not doing the basic things ... they're not doing the fundamentals. All the bad guys need to do today is steal your password - that's it. It really comes down to securing that password."
The ways to steal passwords vary and are becoming more sophisticated. A practice administrator might receive an email that appears to be from someone they know and trust that has a document, usually in a PDF format, to be accessed. To look at it, the person must log in with their Microsoft 365 credential. "They enter it and nothing happens," said Augenbaum. Instead, a pop-up appears saying that didn't work so please enter Gmail credentials to access. "Now a bad guy sitting in Africa has both your Microsoft 365 and your Gmail credentials."
Since most people use the same password or slight variation of a password for everything, having that information realistically opens the entire organization to the hackers. But ... here's the good news ... it's relatively easy to avoid catastrophe.
First, said Augenbaum, "You need to be your own human firewall. Think before you click." Second, he continued, "Have separate passwords for mission critical platforms - anything bad guys can use to weaponize against you." Create a strong password (see below), use two-factor authentication, and back up the most important information you have so that if ransomware is deployed, you have a copy of your critical information. Those five steps, he continued, cost almost nothing but go a long way in protecting a medical practice or healthcare company.
So what does a strong password look like? Augenbaum said, for starters, it isn't a common word. "A good password is 12 characters, upper/lowercase, has a special symbol and number with no dictionary words," he explained.
To come up with a great, seemingly random password, think in terms of 'pass phrases' with a hint that can be written down without tipping off the password to a random viewer.
For example, your hint might be 'my child's latest accolade.' The actual phrase from which the password is derived is: 'Tommy came in first at the state swim meet in backstroke.' And, the actual password is: [email protected]!
Another option is to pick a special number and character that you use at the beginning and end of most passwords and just change the center part. Perhaps you always use the number four and the # symbol. Your hint is how you feel about your patients. Your actual pass phrase is 'We love helping our patients feel great,' and your password is #4wLhopfG4#.
The idea, he continued, is to create hints and phrases that mean something to you but would be difficult for anyone else to decipher. Taking a few simple, inexpensive steps, Augenbaum concluded, can certainly avoid a lot of time, effort, heartache and money by making it much harder for cyberthieves.
More Simple Steps to Improve Security
With March Madness in the air, retired FBI agent Scott Augenbaum shared his own 'Sweet 16' when it comes to a winning cybersecurity strategy.