By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA Chat – Join us on the next broadcast.
Aaron Hayden is one of CliftonLarsonAllen’s 40 penetration testers (often called “pen testers”), ethical hackers who try to gain access to your company’s computer network just as a malicious hacker would, in order to test your network security, identify its most glaring weaknesses, and then report their findings to you so you can address the issues more effectively. In a recent article with Health Data Management, Hayden discussed some common weaknesses in network security and offered some solutions. Here are some of the major take-aways from that article, along with some of our own thoughts on improving your company’s network security.
#1: Phishing
One of the more popular hacking methods is “phishing”, which the Federal Trade Commission describes as a hacker posing as a legitimate business in order to coax information out of potential targets. For example, Hayden was once able to take over an unsuspecting CEO’s computer by posing as the CFO and sending the CEO an e-mail that gave him complete control of that computer. Gaining control of an administrator’s computer would, in turn, give him access to the database password and to the passwords on any other computer in the hacked computer’s network. Moreover, the hacker can even arrange for long-term access to the network by inserting code into the hacked computer’s start-up sequence.
#2: Password Guessing
According to Hayden, a hacker can often get into a computer network by simply guessing one of the countless passwords that an employee or doctor uses on any given day. Because doctors and staff often have too many passwords to remember, because employees simply ignore company policy on updating passwords regularly, and because organizations fail to practice incident response, password guessing is one of the easiest ways to hack into a computer network.
#3: The Slow Hack
A hacker doesn’t have to try to get all the data they want in one trip. If they prefer, they can cover their tracks by taking small amounts of data over a long period of time, encrypting it as they go, so that security will not notice the slow leak of information. But this information adds up over time into a large pool of data that the hacker has gleaned without anyone noticing.
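As an added illustration (not from the article, Hayden, or CliftonLarsonAllen), the Python sketch below shows why a conventional per-day volume alert misses the slow leak described above while a cumulative total over a longer window catches it; the hostnames, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample egress records (day, host, bytes out); not real logs.
# WS-17 moves about 4 MB every day for 30 days, always under the daily alert.
SAMPLE_EGRESS = [(date(2024, 3, d), "WS-17", 4_000_000) for d in range(1, 31)]
# WS-03 is a normal host with one large (legitimate) backup on March 15.
SAMPLE_EGRESS += [(date(2024, 3, d), "WS-03", 1_000_000) for d in range(1, 31)]
SAMPLE_EGRESS.append((date(2024, 3, 15), "WS-03", 60_000_000))

DAILY_LIMIT = 50_000_000    # assumed per-day alert threshold (bytes)
WINDOW_LIMIT = 100_000_000  # assumed cumulative threshold for the whole window


def daily_totals(records):
    """Sum bytes per (host, day) pair."""
    totals = defaultdict(int)
    for day, host, nbytes in records:
        totals[(host, day)] += nbytes
    return totals


def hosts_over_daily_limit(records, limit=DAILY_LIMIT):
    """Hosts flagged by a per-day volume alert: only the one-off spike shows up."""
    flagged = {host for (host, _), total in daily_totals(records).items()
               if total > limit}
    return sorted(flagged)


def hosts_over_window_limit(records, limit=WINDOW_LIMIT):
    """Hosts whose egress summed over the entire window exceeds the limit,
    even though no single day stood out."""
    cumulative = defaultdict(int)
    for _, host, nbytes in records:
        cumulative[host] += nbytes
    return sorted(host for host, total in cumulative.items() if total > limit)


if __name__ == "__main__":
    print("daily alert fires on:", hosts_over_daily_limit(SAMPLE_EGRESS))    # ['WS-03']
    print("window alert fires on:", hosts_over_window_limit(SAMPLE_EGRESS))  # ['WS-17']
```

The slow-leaking host never trips the daily threshold, so only a baseline that accumulates per-host egress across weeks surfaces it.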
How You Can Improve Your Network Security
Hayden’s two solutions to these hacking strategies are to train your employees to be aware of how a hacker may try to gain access to your computer network, and to hold doctors to “structural accountability” for how they interact with that network.
We also suggest that your company consider hiring a security team to conduct a pen test against it. Also, since passwords are such an easy target for hackers, we suggest considering new access controls, such as two-factor authentication or a single sign-on system. You might also want to consult Gypsy the InfoSec WonderDog’s video about how to build a stronger, more memorable password.
Source: Tips from a Hacker to Improve Network Security | HDM Top Stories
This article was originally published on Health Security Solutions and is republished here with permission. Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.