P-A-S-S-W-O-R-D-S
by V!rU$-Uñk0wN
Objective: Provide safe and secure password management.
A cybercriminal is anyone who commits cybercrime to carry out malicious activities [1], such as spreading viruses, stealing personally identifiable information, social engineering, denial-of-service attacks, stealing money, committing healthcare insurance fraud, and more. All of these are costly to the healthcare organization: lost time from downtime, theft of organization dollars, lawsuits, and mistrust between our patients and the service we provide to them.
This paper is intended to share best password security practices to reduce these attacks on your healthcare networks and medical devices. First, we will begin with the types of malicious activities and the best ways to thwart them, and then we will finish up with password security.
MALICIOUS ACTIVITIES
In my introduction, I talked about a few terms which we will now cover in more detail. First, as biomedical equipment technicians or clinical engineers, we must educate ourselves about how computer viruses are spread and what operating systems our medical devices use, so that we can routinely monitor for and mitigate harmful computer viruses by periodically applying updates and patches, running virus and malware scans, and using firewall software protection. Symantec Corp has a virus database where you can check the latest harmful computer viruses, their threat assessment, risk type, vulnerabilities, and the operating systems they affect. Additionally, we must collaborate with IT and make sure our medical devices on the hospital network are secured, including service passwords, IP addresses, port numbers, and AE title information. Any hacker with the right snooping software, including wireless sniffing tools, can gain access to this data and other information. The worst thing any biomed can do is write this information down on or near the medical device, or under a phone, mousepad, or keyboard, as a way to store and recall the password. Another bad habit is keeping passwords in an Excel spreadsheet on your computer desktop or shop laptop without using encryption software like Microsoft's BitLocker drive tool. Next, cybercriminals are masters of manipulation and use social engineering skills to gain entry to rooms they are not authorized to be in, or to gain access to your passwords and our patients' information.
What is the best way to block these attacks? Here are three helpful tips:
1) Educate yourself, and if you do not recognize a person, then under no circumstances give out any information, including service passwords, user names, IP addresses, etc. It is best to politely decline all information requests and refer them to the right person.
2) Be friendly, but don't be afraid to ask strangers work-related questions while you direct them to the right IT people. Social engineering professionals may appear smart or dumb, and have no problem asking strangers to help open doors for them, saying they forgot their password, or asking to use your computer because their internet connection in the hospital is acting up. The correct answer is no: you are not authorized to do these tasks, but you will get someone who has the authorization. Never tell them anything more than that you will call IT or security to handle the security issue. Additionally, never succumb to pressure to comply when someone says "Do you know who I am?"
3) Always secure all patient information and identifying patient documents. Oftentimes patient data is mistakenly tossed out, which makes it that much easier for someone looking through your trash to steal patient information, account numbers, birthdays, social security numbers, and other personally identifiable information, and finally to assume that patient's identity.

The newest frightening possibility in healthcare cybercrime is the remote or timed deployment of intrusion malware to disturb, distort, or deny healthcare services. These denial-of-service attacks can range from targeting electronic healthcare databases to vandalize, modify, steal, or delete patient information or intellectual property (i.e. blueprints, plans, or future healthcare designs), to committing healthcare insurance fraud, to accessing the hospital network remotely or wirelessly to insert a virus that brings the network down and takes the remotely monitored medical devices down with it. If a cybercriminal gets into any hospital and crashes it, uses an operating system attack to change DICOM settings or patient images in a way that could trigger wrong-site surgeries, or causes an extended period of medical equipment downtime, your clinical operations will cease and your hospital will lose revenue. The longer your network stays down, with your medical devices affected along with it, the more your hospital loses, and the hospital will begin to look unreliable and will lose its credibility and reputation.

"According to Health and Human Services, a major concern to the Healthcare and Public Health Sector is exploitation of potential vulnerabilities of medical devices on Medical IT networks (public, private and domestic). These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information due to the inadequate incorporation of IT products, patient management products and medical devices onto Medical IT Networks. Misconfiguration of healthcare networks or poor medical equipment security practices may increase the risk of compromised medical devices. HHS states there are four factors which further complicate security resilience within a medical organization."
PASSWORDS
The following are easy things users can do to improve the security of their passwords and accounts:
1) Set up a password. Use phrases (or sentences) at least 12 to 15 characters long (longer is better) that include at least three of the following:
a. uppercase and lowercase letters: A, B, C
b. numerals: 1, 2, 3
c. punctuation marks: !, @, #
d. symbols: ñ (alt + 164), Θ (alt + 745)
e. letter-to-symbol conversions: change the letter "o" to the number "0", or the letter "i" to the number "1" or the symbol "!".
2) Never share, write down, or store unencrypted passwords.
3) Never use any kind of names, nicknames, birthdate, address, last four digits of your social security number, driver's license number, dictionary words, or previous passwords.
4) Change passwords at least every 30 days. Never use the same password to gain access to your different sites or equipment.
5) Check your password strength using Microsoft Password Checker.
For more information on passwords, check out SplashData's 2013 list of the most commonly used worst passwords.
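As an added example that is not part of the original paper, the following Python checker applies the password rules above: minimum length, at least three of the character classes, no dictionary words or common passwords, no personal information (names, birthdates, last four of a social security number), and no reuse of a previous password. The word lists, the sample personal information and the sample passwords are constructed for the example, treating "uppercase and lowercase letters" as one class that requires both cases is an assumption, and the password history is kept as salted PBKDF2 hashes rather than in the clear, in line with tip 2.

```python
import hashlib
import hmac
import os
import string
import unicodedata

# Constructed word lists for the example; a real deployment would load a
# full dictionary and a published list of commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"password", "hospital", "biomed", "summer", "welcome"}
MIN_LENGTH = 12          # rule 1: at least 12 characters
MIN_CLASSES = 3          # rule 1: at least three character classes
PBKDF2_ROUNDS = 200_000  # work factor for the stored password history

# Reverses the letter-to-symbol conversions from rule 1e (and a few common
# ones) so that "Passw0rd!" is still recognised as the dictionary word.
LEET_REVERSE = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "@": "a", "$": "s"})


def character_classes(password: str) -> set:
    """Return the set of rule-1 character classes the password uses."""
    classes = set()
    # Assumption: the "uppercase and lowercase letters" class needs both cases.
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        classes.add("mixed-case letters")
    if any(c.isdigit() for c in password):
        classes.add("numerals")
    if any(c in string.punctuation for c in password):
        classes.add("punctuation")
    # Printable non-ASCII symbols such as ñ or Θ entered with Alt codes.
    if any(ord(c) > 127 and not unicodedata.category(c).startswith("C") for c in password):
        classes.add("symbols")
    return classes


def normalize(password: str) -> str:
    """Lowercase and undo symbol substitutions before word-list checks."""
    return password.lower().translate(LEET_REVERSE)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 hash, suitable for keeping a password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_previous(password: str, history) -> bool:
    """True if the password equals any (salt, digest) entry in the history."""
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password: str, personal_info=(), history=()) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses only {len(classes)} of {MIN_CLASSES} required character classes")
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if any(word in norm for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(item.lower() in norm for item in personal_info if item):
        problems.append("contains personal information")
    if matches_previous(password, history):
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample user: name, birth year, last four of SSN.
    personal = ["Jane", "Doe", "1975", "4321"]
    history = [hash_password("Rounds start @ 0700 sharp!")]
    for candidate in ["Passw0rd!", "JaneDoe1975!!!!!", "Rounds start @ 0700 sharp!",
                      "Night shift ends @ 0730 ñΘ"]:
        result = check_password(candidate, personal, history)
        print(repr(candidate), "->", "OK" if not result else "; ".join(result))
```

Running the block as a script prints one verdict per constructed candidate; calling `check_password` from the account-provisioning or password-change path is where the checks belong, and the `history` list is what replaces a plaintext spreadsheet of old passwords.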
REFERENCES
1. Techopedia. "Cybercriminal definition." Accessed 2/20/14. http://www.techopedia.com/definition/27435/cy
2. Symantec Corp. Security Threat database. Accessed 2/20/14. http://www.symantec.com/security_response/lan
3. DecisionStats.com. "Denial of service attacks against hospitals and emergency rooms." Accessed 2/20/14. http://decisionstats.com/2011/09/21/denial-ofservice-attacks-against-hospitals-andemergency-rooms/