Securing your practice
These tips have been extracted from a security briefing given when onboarding new users to Scalpel’s practice management platform. Security is a shared responsibility of every member in your organization. Make sure everyone reads, understands and implements the following guidelines in order to protect themselves when using online services.
“So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!” — Dark Helmet, Spaceballs
The most common reason accounts are compromised is poor password management. People often reuse the same password for multiple services out of convenience. If one of those sites gets hacked, the usernames and password information is now in the hands of a bad actor. They can then attempt to crack your hashed password using any one of a wide variety of freely available tools, and if they succeed they now have access to your account details. With this information they can attempt to log into other services such as your bank, or email accounts. If we have complex unique passwords per service, then if one account gets compromised the others will still remain safe.
I think it’s unrealistic for people to remember unique passwords for each service that they use. Unfortunately that is the expectation that most authentication schemes imply when asking you to choose your login credentials. The username/password combination isn’t going anywhere anytime soon, so we need to find a way to better manage this responsibility. Luckily we can automate everything with password management software. If you take anything away from this article, it is that you should be using a password manager. The better ones can notify you if there is a breach, store encrypted backups of your passwords, show if you are reusing passwords, and can automatically fill in your login details with a keyboard shortcut. There are plenty of commercial options out there including 1Password, Last Pass, Dashlane and many others. I personally recommend using 1Password, their product is well designed and they have excellent customer support. If you are a solo practitioner I would recommend buying a direct license, but they have an option for teams if you need to manage access for multiple people.
If you decide to not use a password manager, (it’s your funeral) you should know that password length is the most important feature when choosing a password. It gets exponentially harder to brute force a password for each additional character you add. Avoid using a single word, and avoid passwords that are found in the top 10,000 most commonly used passwords. Remember to keep your passwords only to yourself, never reveal your password to anyone for any reason. Do not share passwords with other employees, family members or spouses. No legitimate service will ever ask you to verify what your password is. Do not allow any employees to share accounts with one another.
If you want to do even more due diligence here are some additional questions you can ask service providers with appropriate answers.
Q: How does your product handle storing passwords?
A: They should be using a battle tested, publicly available algorithm specifically designed for hashing passwords. The following answers are acceptable “scrypt”, “argon2”, “bcrypt”, or “PBKDF2”. If they respond with, “MD5”, “SHA-3”, “SHA-2”, “SHA-1”, “we’ve rolled our own”, “plaintext”, or “I don’t understand the question” run for the hills. There is no reason for this to be kept secret as there are no additional benefits for the company if they have set things up correctly. We use bcrypt.
Q: Does your product do anything to mitigate credential stuffing attacks?
A: If an attacker does manage to get ahold of your login credentials the product may still deny access to your account if details surrounding the request seem suspicious. For example your IP address could point to a different region than your normal usage indicates, or you are using a different device than you typically log on with. For high value targets, you need to know when something out of the ordinary is happening instead of allowing your system to fail silently. We store metadata about your login history and devices, and may deny access and/or send an email to you if we detect anomalous behavior. We will also temporarily disable login access if you have too many failed login attempts in a row.
Two Factor Authentication
“Who are you? Who, who, who, who?” — Who are you, by The Who
It has become a best practice to add an additional verification step when logging into a service. In addition to something you know (your password), you can provide something only you should have to make it more difficult to fake your identity. You should enable two factor auth for every account your business depends on if it is available, and should prefer doing business with vendors who support this option. I will break down the most common forms of two factor auth below and discuss their strengths and weaknesses.
Often people will use fingerprints, or facial/retina scans in order to verify someone’s identity. While this can uniquely verify someone, there is a fatal flaw when using any biometric data for authentication. You cannot change your fingerprints, your face, or retina. So if this data leaks out to the public, you run the risk of people being able to bypass this method entirely. For this reason, we should avoid using this method where possible.
Some websites support sending a text message to your phone with a short message that you need to relay back to the service. While better than nothing, this method has fallen out of favor recently due to the fact that your phone number isn’t fully under your control. Mobile carriers can issue additional SIM cards to any account. If someone can convince your phone company to issue a SIM card for your account to them, they can intercept these messages. This type of attack is called SIM jacking or SIM swapping, and has been on the rise over the past 5 years. While this method is better than nothing, we can do better.
Time Based One Time Passwords (TOTP)
This is the underlying protocol that powers apps like Google Authenticator or Authy. This method generates numerical codes based on a shared secret and the current time. This works fairly well in practice, but still has potential issues. This method doesn’t prevent phishing (fraudulently obtaining private information by mimicking the identity of a trusted party) attacks entirely but forces them to happen in real time. It also relies on having synchronized clocks on both computers which is more difficult than you might imagine. If someone is able to steal the shared key you’re using they will be able to generate the same codes you can without you knowing. While still flawed, you should prefer this method over those previously mentioned.
Universal Second Factor (U2F) Security Keys
The newest entrant in this category is quickly becoming the gold standard. These are small security keys that you plug into your computer’s USB port or communicate via NFC. You press a button on the key when prompted and the system is able to verify the key belongs to your account. This type of authentication prevents phishing entirely since it verifies the application you are connecting to. You can typically add or revoke as many keys as you would like, and there is additional protection built into the protocol that can inform application owners if someone duplicates your key and has logged in successfully. You can reuse the same key across multiple different services without hassle. Keys typically retail in the range of ($20 — $50) but the price is well worth the investment. The only downside is lack of support in all major browsers. (missing in Internet Explorer, Edge, and Safari)
We support an unlimited number of U2F security keys per account, and recommend that you purchase two for each staff member. Keep one on your keychain and store the other in a secure place that only you have access to. The vendor we recommend using is Yubico.
Electronic Device Management
“If you want to turn a mistake into a disaster, add a computer.”
We never want to be reliant on any single device to run our practice. Hardware breaks, things get stolen, people leave items in cabs, trains, planes, and hotels. We should ideally be able to throw all of our current equipment into the ocean and be up and running again in a matter of minutes. Things can and will go wrong, we need to be prepared for the worst case scenario at all times.
Maintain a list of all the different devices you are using to interact with PHI, including computers, tablets, phones, and external storage devices. Make sure that you’ve turned on automatic software updates for all of your them. I know it’s annoying to update your software, especially when it requires a restart of your computer. Make a habit of getting it done by the end of your day. Enable full disk encryption on all of your devices, you can find tutorials here for Macs and here for windows. Only purchase new equipment from trusted vendors. For external storage devices, purchase devices that are FIPS 140–2 level 2 compliant or higher. When the device has reached its end of life, shred it using an industrial shredder.
You need to have a data recovery plan in place. Keep at least two backups for all of your devices. One should be in the cloud and the other should be on-site. This needs to be automated or else it just won’t happen. You can find tutorials here for Apple’s time machine and windows . I would recommend using Arq for your cloud backup. We use a different product internally, but it is not accessible to the average computer user. We can help you with your setup if you would like. The most important part of the recovery plan is ensuring that you can actually restore from your backups. You need to test this regularly, if you don’t it is safe to assume that your backups do not function and your data will be lost. It is easy to get careless thinking that your backup system is in place so you don’t need to worry. Losing any data is a nightmare, take the time to get this right.
Do not plug in or insert any untrusted media (USB flash drives, CDs, DVDs, disks) into company computers. This is an extremely common attack vector for malware and should be avoided at all costs. Politely decline offers from patients who bring in media, instead request a hard copy or establish provenance of the documents and attempt to get them directly from the primary source. Many companies fill any open USB ports with epoxy to prevent unauthorized devices plugging in. Never plug an unknown device into your computer. Never plug your device into an unknown port. You can buy a “USB data blocker” if you need to charge your device in hotels, or other unknown locations.
Don’t open any email attachments from strangers.
Consider using a Chromebook as your daily driver if you are only using the web. They are cheap and built with practical security in mind. Prices typically range from ~$150–500.
Use Chrome or Firefox as your browser and install the following extensions. Https Everywhere and Ublock Origin. You can also install your password manager’s browser extension. Avoid installing any other extensions to your browser.
If you are using Firefox as of (11/28/2018) you will need to update an internal browser setting to support U2F keys. If you type in “about:config” into your url bar. You will get a warning page indicating this might void your warranty. Click “I accept the risk”. Search for “security.webauth.u2f” and double click the matching row. The “Value” field in the table should now be “true”. You should now be able to use your security keys.
When it comes to smart phones iOS is materially more secure than Android. If you are going to purchase a new phone we would suggest buying any model of the iPhone. If you insist on using Android, we suggest buying the Google Pixel 3.
Do not leave any of your devices unattended. Your devices should automatically lock after a short duration of inactivity. Have a dedicated laptop and phone for travel abroad, and don’t use them anywhere else.
Cryptography / Encryption
HIPAA regulations require you to keep your data encrypted while at rest and in transit. Unless you have a deep background in cryptography it can be exceptionally difficult to assess the quality of someone’s implementation. It is hard to build cryptographically secure systems. Even experienced engineers make mistakes that can expose data to a motivated hacker. I’m going to echo many of the comments I made in the password management section of this document. You are going to want to stick to well established, publicly vetted encryption schemes. This is not an area to innovate, we want to keep things as boring and simple as possible to have a chance at getting things right.
You want to ensure that you are using systems that use authenticated encryption with additional data (AEAD). This type of encryption provides assurances on the confidentiality, integrity, and authenticity of the data being encrypted.
Knowing where the boundaries of your knowledge are will keep you safer. Keep a healthy dose of pessimism when reading any security claims a product makes. A picture of a lock on a website just signifies that a designer understands what a lock is for. Look for companies that clearly explain how they are storing your data, and describe what mechanisms they use in detail.
For example here is how Scalpel handles your data while in transit and at rest.
In transit we use TLS v1.2 with cipher suites that support perfect forward secrecy. We add the HTTP Strict Transport Security (HSTS) header so that you can only make requests via a secure connection. We’ve added a strict Content Security Policy (CSP) along with other headers to protect against a series of common vulnerabilities. We encrypt and decrypt all PHI on our application servers using AES 256 bit encryption in Galois/Counter Mode (GCM). We store all of our encryption keys separately from our databases using FIPS 140–2 validated hardware security modules. We have enabled full disk encryption for all of our data stores. We have a BAA in place with a leading cloud computing provider and they have implemented strong physical and technical safeguards to prevent any unauthorized physical access to the machines hosting our data. All actions taken by employees are logged and stored indefinitely and we only enable the fewest access rights necessary for them to carry out their duties. We constantly review our systems for compliance, and do our best to keep up with changing best practices.
If you have any additional questions about our operations please feel free to reach out.
Follow the advice above and you will be adequately protected against most of the common digital attack vectors. While I have focused this talk on technology, I haven’t gone into much detail on social engineering tactics. You may want to do more research on spear phishing, tailgating, and pretexting.
Always verify who you are talking to and never divulge personal information to unknown people. Limit access to sensitive information to only those who need it, and even then limit their abilities to only the those they need to do their jobs. Learn from the mistakes of others. I’m a big fan of checklists and would recommend that you review this one provided by the IHS before opening your practice. Review your procedures with employees on a regular schedule, take copious notes, and always remain on alert.
Thomas Cioppettini is the co-founder of Scalpel Software Inc. Scalpel is a new practice management software company that is currently in private beta. If you are looking for a better way to write patient notes, schedule office visits, or handle your billing we may have a solution that works for you. You can sign up for notifications about the project by entering your email at https://www.scalpel.com, or reach out with any questions to him directly on twitter @tomciopp.