You Should Be Using Two-Factor Authentication. Everywhere.

We’re not very good with passwords, although we think we are. According to a recent study by security company CSID, 89% of us think we practice safe password routines. Unfortunately, 1 in 5 of us have had an online account compromised and yet only about half of us change our passwords more frequently than once per year. The best passwords typically utilize a combination of letters, numbers, and punctuation, and the longer they are the better (at least 8 characters). Only 6% of users have passwords that meet these criteria. Even worse, 60% of us reuse the same password for multiple sites. This is a recipe for disaster.

Here’s a quick scenario: Tommy has a forum account on a fan-made music site. The music forum that he visits regularly doesn’t maintain their security patches regularly, and a random hacker manages to hack into the site and steal his password. A simple web search reveals that Tommy works for Company X. Company X uses the Outlook web app, and wouldn’t you know it, Tommy uses the same password everywhere. Through a little trial and error, the hacker discovers that tommy@companyx.com is his work email, and boom, the hacker now has access to Tommy’s work email.

So what is two-factor authentication, and how does it solve this problem? Well, two-factor authentication (2FA) is a multi-stage method of verifying that you are who you say you are. Typically it’s a combination of something you know (a password), and something you have access to (a phone). Most commonly, the second factor of authentication will be a code that you will be sent through a text message or an automated phone call, and it’s only valid for a short period of time. This code will be entered on a secondary screen before you can have access to your account.

Unfortunately a lot of people don’t know what 2FA is – roughly 75% of people surveyed didn’t have a clue. It has also garnered a reputation for being a hassle, which is simply not the case. Most two-factor implementations will allow you to “register” a device as a “trusted device” for a period of time (typically ranging from a day to a month). I know what you’re probably thinking – what if I lose my phone? Then what? Well, the answer to that is “it depends.” Every two-factor implementation has different ways to handle account recovery in the event of a lost device, but this shouldn’t deter you from using 2FA – the benefits outweigh the risks by far.

So where are some common places you should start using two-factor authentication to protect your online accounts? Here’s a list:

  1. Google: Sends a 6 digit text message when you attempt to login from a new device. They also provide a Google Authenticator app for Android, iOS, and BlackBerry that can be used to obtain the second factor authentication codes.
  2. Apple: Sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine.
  3. Facebook: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  4. Twitter: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  5. PayPal: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  6. Microsoft Accounts: Sends you a 7-digit code via text message or email when you attempt to log in from a new machine.
  7. Yahoo! Mail: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  8. LinkedIn: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  9. WordPress: Utilizes the Google 2FA app.

For a more complete list of companies and products that support two-factor authentication, please review Evan Hahn’s list. Ask your local security or IT professional if your organization could benefit from using 2FA for email or work accounts. There are also ways to implement two-factor authentication into your own custom applications and web sites.

Passwords are becoming less secure all the time, and hackers are getting better at cracking them (check out the strength of your password). Enabling two-factor authentication provides an extra layer of security at a negligible cost. Protect your financial accounts, identity, and your career by using it wherever you can.

Advertisements

Is Encryption Required by HIPAA? Yes.

Ok… technically that’s not 100% true.  The HIPAA Security Rule doesn’t explicitly require encryption of data at rest, or even during transmission. However, this doesn’t mean what people think it means and that misunderstanding is getting a lot of folks into trouble (literally).

The HIPAA Security Rule is a 3-tier framework broken down into Safeguards, Standards and Implementation Specifications. Within the Technical Safeguards, both the Access Control Standard (i.e. data at rest) and Transmission Security Standard (i.e. data in motion) have an Implementation Specification for Encryption. Neither of them are “Required,” but are both listed as “Addressable.” So we’re done, right? Not so fast…. From the HHS FAQ:

“In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:

  1. Implement the addressable implementation specifications;
  2. Implement one or more alternative security measures to accomplish the same purpose;
  3. Not implement either an addressable implementation specification or an alternative

So… it’s not required.  But HHS goes on:

“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

The key phrase here is “reasonable and appropriate.” As in, encryption IS required if it’s reasonable and appropriate to encrypt. This is really important and we’ll come back to it later. HHS continues:

“This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing.  The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.”

Basically what they’re saying is that you don’t “have to” encrypt, but if you choose not to you’d better be prepared to demonstrate, in writing, why you believe that. Then, in the event of an audit, The Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you.

Mobile Devices

If you check out the HHS Wall of Shame where breaches involving 500 or more patients are posted, you’ll notice a very large number of lost or stolen laptops that were not encrypted.  In a comment about the settlement with Hospice of North Idaho that involved a stolen laptop, OCR Director Leon Rodriguez said: “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”  And it really can be easy. You can purchase inexpensive encrypted hard drives for all new laptops and install 3rd party tools on old ones (see Five Best File Encryption Tools from Gizmodo).  If you have mobile devices that may contain PHI and are not encrypted, stop reading and go encrypt them right now. Seriously.

The Data Center

Many people have bought into the idea of encrypting mobile devices, but not their servers. To an extent this makes sense given that most breaches have resulted from lost or stolen devices and not so much from hacking.  However, Leon Rodriguez noted in a presentation at HIMSS13 that he anticipates hacking to be a threat that will likely grow as time goes on, and the best protection in that scenario is data encryption. This is a more complicated issue for sure, but there are lots of tools and techniques that make this very doable. I plan to elaborate on those options in an upcoming post.

Data in Motion

I’m not going to get into much detail on this one. Use SSL, VPN, or some other method of encryption when transmitting your data over public lines. Period. If you have a scenario where it is “reasonable and appropriate” to send someone’s health information in plain text over the public internet, I’d love to hear about it.

Conclusion

You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so. I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re beached, you have to convince Leon Rodriguez and the OCR, who think encryption is both necessary and easy, that you’re correct. Is that an argument you want to be making in the face of hefty fines?  Not me… and that’s why I have convinced myself that encryption is required by HIPAA.

Safeguarding Your Data

Many of us deal with sensitive information on a daily basis. Whether that’s financial accounts, healthcare records, social security numbers, or trade secrets (to name a few), it’s imperative that we take precautions to safeguard this data as best we can. I’m going to share a few free or low-cost options that can better accomplish this.

1. Secure Your Smartphone

A lot of damage could be done if your phone falls into the wrong hands. I’d guess that a majority of us have our e-mail accounts configured on our phones in addition to a decent list of contacts. It would be easy enough for someone to impersonate you by sending a text message or e-mail, potentially gaining access to sensitive information. Minimally, you should make sure your phone is protected with a PIN or password. This should buy you enough time to change passwords and/or let people know that your phone has been lost. A better option would be to enable a Remote Wipe utility on your phone, that allows you to factory reset your phone and wipe away any important data. This article offers a good smartphone protection synopsis.

2. Encrypt Your Hard Drive 

If you use a laptop for work purposes, I strongly suggest that you encrypt your hard drive. It’s a lot simpler to accomplish than it sounds and it provides a great peace of mind for you, your company, and, potentially, your customers. Why take the chance that your sensitive data could be compromised so easily? The EFF outlines a few different encryption options.

 3. Don’t Overreact to E-mails

Phishers and scammers love to prey on your emotions. A popular ploy is to send an e-mail claiming that there has been a security breach and that you need to verify your current credentials and then change your current password. Often, this e-mail will include a link to a fake site that asks for authentication. If you’re not careful and react too quickly to a scam such as this, your entire network could be compromised. It’s best to take a second and ask around first and/or call your security personnel directly and verify the e-mail.

 4. Use a Password Manager

Ahh, password security. You know the drill. Create a secure password, usually with a mix of symbols, upper and lower case letters, and numbers. Oh, and don’t re-use passwords. Oh, and change your password for every account every X days. Make it easy on yourself, and ensure that you’re taking proper precautions to safeguard all of your accounts in the event that one of them gets compromised. An easy way to manage this is to install a password management utility. Most of them work the same way; create one ultra-secure passphrase that opens the utility, then copy and paste the specific password for the account you’re accessing. Once again, this sounds more complicated than it is in practice.

5. Enable 2-Factor Authentication for Gmail

If you have a Gmail account that you use for e-mail, consider enabling 2-factor authentication. It’s a free option that Google provides that allows you to add an additional layer of security to your account. In addition to username and password, you’ll be sent an additional token code (by voice or text message) that you’ll have to enter to verify your identity. If you’d prefer to not enter a token every time you authenticate, there’s an option to designate trusted computers instead. Google outlines their 2-factor authentication options on their support site.