Mr Jerome Chiew

Too many passwords and constantly being asked to create new ones? Is the transfer of patient data secure if you login to the server? You are entrusted with patient information – is the trust well founded?

The Office of the Information Commissioner’s three quarterly reports on notifiable data breaches (since legislation February 2018) show over 40% of the health sector breaches were due to malicious or criminal attacks, of which most were cyber incidents or theft of data. Majority of cyber incidents were result of compromised credentials from phishing attacks.

Health information a likely target

Passwords can be the strongest or weakest links in securing access to systems. Most of us are familiar with mandated password rotation policy and complexity requirements (at least 1 letter, 1 number, upper case, lower case, symbol and minimum number of characters). These policies could actually weaken security and access control. How? Users may have a variation of a password they use regularly, then add a number to the end of the password. Each time they are required to change the password, the number at the end increases or the password is reversed.

Because of such predictable behaviour, attackers can narrow the possibilities down very rapidly using various methods. For example, they can gain access to your email account – they compromise a popular web forum, then quickly run through password variations of the logins harvested from the web forum.

Remote Desktop security

Most practices have Remote Desktop access to allow clinicians (e.g. those servicing aged care facilities) to access patient data kept in surgery or office servers. However, if direct pathways like this are only secured by the user’s password, this may be insecure.

What can increase security without imposing further restrictions on users?

Firstly, ensure your website has regular patches applied, especially when using a Content Management System like WordPress or its plugins that require frequent updating (as Windows does), all to plug newly discovered vulnerabilities.

The Australian Signals Directorate’s guidelines indicate password complexity is not mandatory for passwords over 14 characters (e.g. a personally meaningful passphrase such as “IusedtoLive@56DownerAv”). Additionally, deprecate the password rotation policy and instead put auditing in place to monitor for suspicion of compromise.

Multifactor (two factor or 2FA) authentication is recommended. This includes Remote Desktop access to enhance security and beef up credential-handling. This requires at least two forms of authentication, something the user knows and something they have.

‘Something you know’ can be a password, passphrase or PIN. ‘Something you have’ could be a fingerprint, USB token or mobile phone. Both forms of identity verification must be presented for authentication (and Remote Desktop access granted). Any inconvenience is overcome if enough (suitably mobile) “factors” are available to choose from.

For mobile devices, especially laptops, 2FA is not good enough. The laptop must also be fully encrypted (e.g. using Windows Bitlocker; iPhones have their onboard storage encrypted and some android phones do). Otherwise, anyone can simply remove the stolen drive from the laptop and plug it into another PC and view the contents without any authentication. The same goes with unencrypted phones, tablets, etc.

Microsoft has been advocating for better security using their Windows Hello technology and Azure Multi Factor Authentication service. Windows Hello combines unique biometrics involving the user’s body part such as fingerprint readers and 3D webcams for facial recognition, with a PIN or password to allow users to login to systems.

Azure Multi Factor Authentication service takes this further with more authentication factors such as SMS, mobile authenticator app and even the physical presence of the mobile phone itself through bluetooth proximity sensing.