We hear about data breaches all the time in the media, but these are usually high-profile cases: large companies with a lot to lose.
What we don’t hear about are the smaller breaches, of companies and clinics which aren’t big enough or high profile enough to make the news. Dental and medical practices suffer breaches frequently, as we can see for example on the HHS Wall of Shame.
Most people don’t think they’ll be the victims of a data breach – until they’re the victims of a data breach.
Today we’re going to take a look at the 2020 data breach of vision benefits provider EyeMed, what security issues led to the breach, and what could have been done differently.
Not Using Two Factor Authentication
One of the main failures in the EyeMed case was that they had not implemented two-factor authentication, also referred to as multi-factor authentication and shortened to 2FA or MFA.
This allowed hackers to gain access to an EyeMed email account holding customers’ personal information, including names, Social Security numbers, email addresses, and more.
Furthermore, with access to that account, they were able to send phishing emails and obtain further information from customers.
Essentially, two-factor authentication is a two-step log-in process that requires an additional code as well as your username and password in order to access your accounts.
When you attempt to log into your account, if you have two-factor authentication turned on, a separate code will be sent to you, generally either by text message or by email.
This adds an extra layer of security because, even if your password is compromised, your account can’t be accessed without this additional code.
Poor Password Management
Another finding of the EyeMed case was that they did not use appropriate password management systems.
Most of us would be lying if we said we have never reused a password.
Unfortunately, password reuse is one of the most common reasons for accounts to get breached.
When data from breaches is leaked, it often takes the form of long lists of usernames and passwords.
If you have the same user information across multiple accounts, it becomes easy for bad actors to take that information and try it across multiple platforms.
In addition to not reusing passwords, it’s important to ensure you’re changing your passwords at least every ninety days, and more frequently if you have reason to believe your information has been compromised.
Changing passwords is important because once a site has been breached, bad actors can use lists of breached passwords to attempt to access other sites, knowing that many people use the same password across different platforms.
Not Using Strong Passwords
Have you ever gone to register a new password and been told it needs to be a minimum of eight characters long, include at least one capital letter, one number, and one special character?
Some sites even have a gauge that shows you if your selected password is weak, medium, or strong.
Strong passwords are important because they are harder for people to guess, especially when so many passwords are easily guessable, such as the name of a child, partner, or pet.
Another technique is to use passphrases, as these are difficult to guess, but easier to remember than a random string of characters.
This is exactly as it sounds – using a phrase that incorporates a number and special character. So instead of Rain1951, you would instead use TheRainInSpain1951? (including that question mark at the end).
If you have a lot of passwords to remember, using a reputable password manager can be a good idea, although they may have a small fee associated with them.
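As an added illustration (not from the original post), here is a small Python check that combines the password points above: rejecting anything found on a leaked list like the ones described, enforcing the eight-character/capital/number/special-character rule, and estimating how much more guessing effort the passphrase TheRainInSpain1951? demands than Rain1951. The leaked list is constructed for the example, and the weak/medium/strong thresholds are assumptions.

```python
import math
import string

# Constructed sample of a leaked credential list, the kind that circulates
# after a breach. These values are made up for the example.
LEAKED_PASSWORDS = {"Rain1951", "Password1!", "Summer2020!", "Welcome1!"}


def meets_complexity_rules(password: str, min_length: int = 8) -> bool:
    """The common sign-up rule from the article: at least eight characters,
    one capital letter, one number and one special character."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def search_space_bits(password: str) -> float:
    """Rough upper bound on guessing effort: the size of the character pool
    actually used, raised to the length, expressed in bits. It shows why a
    long passphrase beats a short complex password even when both pass the rules."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str) -> dict:
    """Apply the three checks in order: not previously leaked, meets the
    complexity rules, and long enough to resist guessing (thresholds assumed)."""
    leaked = password in LEAKED_PASSWORDS
    complex_ok = meets_complexity_rules(password)
    bits = search_space_bits(password)
    if leaked:
        verdict = "reject: appears in a leaked password list"
    elif not complex_ok:
        verdict = "reject: fails complexity rules"
    elif bits < 60:
        verdict = "weak"
    elif bits < 90:
        verdict = "medium"
    else:
        verdict = "strong"
    return {"leaked": leaked, "complexity": complex_ok, "bits": round(bits, 1), "verdict": verdict}
```

Running assess on the article's two examples shows Rain1951 rejected (it is on the constructed leaked list and lacks a special character) while TheRainInSpain1951? passes the rules and lands well above 120 bits.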
Other Ways To Protect Information
We’ve looked at some of the key ways to keep your patient information secure and protected; however, there are many other steps you can take to ensure data integrity.
Let’s look at some of these now.
Be sure to lock the screen and make it a policy: any time you or your staff need to step away from the computer for any length of time, it must be locked.
Not only is this important in areas where the public may be around, such as the waiting room, but also in staff-only spaces, so that someone else can’t try to look up information while logged in under someone else’s name.
In addition, every individual who needs to access a system should have their own unique login and password – this includes all staff, as well as third parties such as IT providers and consultants.
These two steps will help to ensure an audit trail is created, so if information is leaked or breached it’s easier to determine who was logged in at the time.
This next one may seem obvious, however it needs to be said: don’t write down or share passwords.
Keeping information such as passwords near your computer is just asking for it to be found and used by someone with bad intentions.
Finally, don’t send sensitive information via email.
This was the crux of the EyeMed breach: because sensitive personal information was sent via email, hackers were easily able to obtain it once they breached the email account.
Unless you are using secure, encrypted email systems, never send patient information.
Implementing these tips can help you to ensure you’re maintaining the CIA of data: confidentiality, integrity, and availability.
And for help implementing these systems in your dental practice, reach out…
Whether you need a cyber security risk assessment to help you identify areas where you could be doing better, cyber security awareness training for your staff, or help creating a disaster plan, I can help.
Contact me today for a quick chat.