The number of hacks and breaches that occur continues to rise exponentially. Though you may have security measures in place, hackers are finding new ways to infiltrate your system. So, what can you do to stay one step ahead of the hackers?
A 2015 Reader’s Digest article outlines “20 Things Cyber Crooks Don’t Want You to Know”. From this list of 20 things, we chose a few that are more specific to businesses and describe how they relate to HIPAA. Review these 5 tricks hackers use to access your PHI so you can avoid becoming an easy target.
Personalized phishing emails.
Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer. These emails used to be a lot more obvious. For example, an email from a Nigerian prince or an email saying you have have a distant wealthy relative who just died. These emails have become a lot more sophisticated and include information that matches your online activities. This leads you to believe the email is legitimate. If you are not careful, you could fall into the trap.
Phishing is the cause of many PHI breaches. In fact, in 2013, University of Washington Medicine experienced a breach that affected over 90,000 patients. This breach was due to malware installed through a phishing scam. It was recently reported that University of Washington Medicine paid a settlement of $750,000 in penalties for this breach of PHI. ¹
Avoid phishing scams by being cautious of each email you open. Avoid clicking links or downloading files from emails with which you are unfamiliar. Phishing emails often ask for your personal information in order to claim gifts or recover/verify an account you have. This is an alert to STOP. Do not enter any personal information (passwords, social security numbers, etc) if prompted.
“Typosquatting” is when hackers purchase domain names similar to names of real websites.² For example: a hacker may buy the domain name microsfot.com. The success of typosquatting depends on you incorrectly typing in the URL. Once you enter the site, hackers can install malware on your computer or they try to convince you to share personal information. Make sure you check the web address before visiting the website. Web pages that require you to enter personal information like Social Security Number or credit card info should have “https” in the address bar, and a lock. If the site does not have both of these items, this page is not secure and you should not enter your information.
Brute Force Attacks
Hackers use a method called “brute force attack” to crack your password. Brute force attack is a trial-and-error process that uses logic to try many different combinations of characters and guess your password. This is why easy passwords like “letmein” or “qwertyuiop” can easily be cracked. The longer and more complex the password, the harder it is for the software to guess your password. This malware can run in the background trying to determine your passwords while you are using the computer. It takes basically no effort on the part of the hacker. They just have to launch the program, which can be done remotely. Hackers are relentless.
It was revealed that the 2012 LinkedIn breach included millions of accounts that contained very easily cracked login credentials. At the top of the list was “123456” (appearing over 1 million times) followed by other equally simple passwords like “linkedin” and “password”.³ These passwords are easy targets for brute force attacks. A random assortment of characters is a lot harder to crack than a simple password or one that contains words in the dictionary. It is important to change passwords frequently in case your computer is a target.
Password management tools, such as LastPass, OnePass, or Dashline help you manage your passwords. Not only do they generate strong passwords for you, but they save each password in their encrypted database so you don’t have to remember them. You do need to remember the master password to the management site. This option is a lot safer than saving your passwords in your browser’s password management feature or on an electronic note on your desktop. Make sure you keep these programs up-to-date, and change your master password frequently.
One major security flaw is that people do not select a new administrator’s username and password when they install a router. Make sure to change both the username and administrator’s password to avoid easily being hacked. With a simple internet search of the router and model number, anyone can access the administrator password the router came with and then gain access to your network. Be sure that you are also keeping your router’s software updated as it helps to protect against vulnerabilities in the firewall.
It is also important to check that your router uses WPA2 encryption. WEP encryption can easily be exploited. Software to crack WEP encryption is widely available. It is best to go with the newer WPA2 which uses more secure AES algorithms.
Vulnerability of Public Wi-Fi Networks
It’s best not to log into a public network if you plan to use a credit card as public networks are often do not have protection. Many hackers target public Wi-Fi networks like those in coffee shops. They use man-in-the-middle attacks allowing hackers to put themselves between you and the information you want to access through the network. This means that when you request information like a webpage from the server, that information would first go to the hacker. The hacker can then take what they want from it, or alter it in some way, before then sending it on to you. This tactic is beneficial to hackers when you access your bank accounts. Many people think the only risk of taking home PHI is leaving a storage device behind in a public place or having your laptop or iPad stolen. However, doing work in a coffee shop through their public Wi-Fi can cause a breach. It is best to avoid emailing PHI or accessing any important accounts through public Wi-Fi.
Unfortunately, even if we take all the right security measures, we will never be invincible. However, taking the right steps like creating strong passwords, activating a firewall and following HIPAA security recommended policies and procedures can help protect your data and can lessen the chance of an embarrassing and expensive breach.