The IT security failure spanning every healthcare organization.

Brand Barney, Security Analyst, SecurityMetrics
October is National Cyber Security Awareness Month so I thought I’d close out the month with a security tip for our IT friends in healthcare.

First, let me give you a big high five on EHR security. Your EHR security is gaining serious traction. Most of you have started to implement unique usernames and passwords on the EHR level.

Now let me break the bad news. You still have work to do. And I’m not just talking to small practices here. I’m talking to medium entities. Big hospitals. Even organizations with a large IT staff. Here’s why.

HIPAA mandates each healthcare organization employ unique login IDs and passwords. IT professionals, doctors, and compliance managers think that requirement is covered because their EHR has a unique username and password for every employee. But at the network level, they don't.

What that means:
  • You’re not HIPAA compliant
  • You’re leaving patient data unsecured
  • Your network’s vulnerabilities pose great risk to your EHR security
Let’s pretend you have a very secure password for your EHR, but your networked computers aren’t protected by a secure and unique password. Let’s also pretend that your organization left remote desktop protocol wide open, or some IT guy left the Telnet protocol wide open. Both scenarios are extremely common in healthcare networks of any size.

A hacker cracks your crappy network password and gets in. He installs keylogger malware that records everything you type on your keyboard. He starts watching your traffic. In a matter of hours (or minutes) he now has the password to your ‘super duper secure’ EHR system.

Whoops.

Mark my words. If you are breached in the next few years, it will likely be because of one of these three reasons:
  1. Bad business associate practices
  2. Insecure remote access
  3. You didn’t use secure and unique IDs and passwords at the network level
You’ve got to make sure the network security on your systems is buttoned down. And it all starts with unique login IDs and passwords.

It’s not just about good passwords; it’s about unique ones too

Let me give you an example that applies to practically every healthcare environment. My example dentist office has 4 stations for patient cleaning, running a Dentrix EHR system. The computer login to station 1 is hyg01. The password is drbrown1.


Any security professional (or hacker) could crack that username/password combo in a matter of moments. The dentist office probably thinks that password is totally secure because it has more than 8 characters and a number. Wrong.

But the most grievous part of this scenario is that the username and password are static. They’re not specific to the hygienist or doctor. Anyone can log on to that computer. The dentist’s EHR (Dentrix) may have unique user IDs and passwords, but each station doesn’t.

Riddle me this. If your organization has a breach, how do you prove who got in if every single person at your organization has the same login as everyone else? How would you prove, as an employer, who stole or lost patient data?

Consider this healthcare scenario. A 21-year-old former employee lost his job. He’s bitter about it. And guess what? He knows your usernames and passwords because no one has their own. He vindictively thinks, “I’m going to take some patient data. Besides, you can’t track it back to me anyway.”

In 2014, Intermedia found at least 89% of employees retain access to at least one login and password from their former employer. 45% retained access to confidential or highly-confidential data.

Here’s another example.

Sometimes, computer stations aren’t even locked. I was recently consulting at a dental office and asked the office manager if I could walk around. As I walked past one of their computers, I flicked the mouse. The computer popped right up at Dentrix with an open patient record. Not only had the dental hygienist not closed out of the patient record, but the system hadn’t been configured to require machines to pop up at the login screen when opened.

If an attacker had walked in and grabbed a machine, their entire system would have been available to him.

The problem? Laziness? Lack of direction?

Now, I used to work at Dentrix. I know Dentrix systems have the capability to require users to authenticate every time they log in to Dentrix, if configured appropriately. I also happen to know that most (if not every) computer system in the world has the ability to set up uniquely identifiable usernames and passwords for multiple users across a network.


So why is no one implementing screen savers? Why is no one implementing unique IDs and passwords? IT guys know better. They’re often lazy, or don’t have the stomach to inform the C-level their current password situation isn’t good enough. Or worse, the C-level is restricting the IT staff from implementing these measures because they don’t think it’s necessary.

Setting up unique user IDs and passwords does require a bit of work (hours depend on organization size) from IT. It takes enabling the Active Directory Domain Services (AD) role. A system has to be set up with a domain controller(s) that pushes the policies for unique user IDs and passwords to the forest of computers at an organization.
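A read-only audit of the network-level controls this post asks for, as an added example that is not from the original post or from SecurityMetrics: it reads the domain password policy, lists enabled accounts that look like shared station logins (such as hyg01), need no password, or have gone unused (former staff), and checks whether the local machine locks when idle. The thresholds and the name pattern are assumptions to adjust, and it needs the ActiveDirectory module (RSAT) on a domain-joined machine.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
Import-Module ActiveDirectory

# Assumptions: illustrative thresholds and a hypothetical naming heuristic.
$MinLength         = 12     # minimum acceptable password length
$MaxIdleSeconds    = 900    # screen must lock after at most 15 minutes idle
$StaleDays         = 90     # enabled but unused this long: review for removal
$SharedNamePattern = '^(hyg|station|frontdesk|reception|exam)\d*$'

$findings = @()
function New-Finding($Check, $Subject, $Detail, $Pass) {
    [pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail; Pass = $Pass }
}

# 1. Password policy the domain controllers push to every joined computer.
$policy   = Get-ADDefaultDomainPasswordPolicy
$policyOk = ($policy.MinPasswordLength -ge $MinLength) -and $policy.ComplexityEnabled -and ($policy.LockoutThreshold -gt 0)
$detail   = "MinLength=$($policy.MinPasswordLength) Complexity=$($policy.ComplexityEnabled) Lockout=$($policy.LockoutThreshold)"
$findings += New-Finding 'Domain password policy' $policy.DistinguishedName $detail $policyOk

# 2. Enabled accounts that look shared, need no password, or are stale.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNotRequired, LastLogonDate
foreach ($u in $users) {
    if ($u.SamAccountName -match $SharedNamePattern) {
        # A name match is only a candidate; confirm with the account's owner.
        $findings += New-Finding 'Shared-looking login' $u.SamAccountName 'Name describes a station or role, not a person' $false
    }
    if ($u.PasswordNotRequired) {
        $findings += New-Finding 'Password not required' $u.SamAccountName 'Account is exempt from the password policy' $false
    }
    if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
        $findings += New-Finding 'Stale enabled account' $u.SamAccountName "Last logon $($u.LastLogonDate)" $false
    }
}

# 3. "Interactive logon: Machine inactivity limit" on this computer.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$idleDetail = if ($idle) { "Locks after $idle seconds" } else { 'No inactivity limit configured' }
$findings += New-Finding 'Idle screen lock' $env:COMPUTERNAME $idleDetail ([bool]($idle -and ($idle -le $MaxIdleSeconds)))

$findings | Format-Table -AutoSize -Wrap
```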

Need Active Directory guidance for Windows Server 2008, Windows Server R2, and Windows 2012?

How to implement strong password policies on computers running Windows 2000, Windows XP, and Windows Server 2003.


Conclusion

I don’t mean to be too harsh here, but healthcare’s security is embarrassing.

Please, for the sake of your organization and your patients’ data, make the simple change to require unique usernames and passwords on the network level for each one of your staff members. Don’t let the myth that ‘our EHR security covers patient data’ convince you otherwise.

Remember, your security matters!

(Thanks to SingleHop for inspiring the Get Involved NCSAM campaign for cybersecurity, and this post!)

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk.

