Tag Archives: data protection

How Two-Factor Authentication can Improve HIT Security

How Two-Factor Authentication is a Small-Scale Standard for Protecting Information

This year is no stranger to cyber-security attacks. One need only refer to the Equifax data leak to recall security mishaps, or the ransomware strain “WannaCry” that holds protected information “ransom” unless victims pay to have the compromised files released. These and other attacks hit several corporations by exploiting infrastructure weaknesses and security ignorance, compromising voter data, financial records, email records, and other sensitive information, and raising awareness in the online community about keeping all information as safe as possible. One area that is often overlooked is personal medical records, which can be just as valuable to cyber criminals as personal financial data. That’s where Two-Factor Authentication can come into play for healthcare IT professionals: it can ensure data is just as safe at the individual user level as it is on a massive, corporate scale.

Problems of Single Authentication

Authentication refers to one of various methods of accessing important information, whether it’s a remembered password, a physical authentication token, a common access card, a biometric scanner storing user-specific information, or other methods. The problem with some of these methods is they’re too weak—unsophisticated passwords can be guessed by brute force, passwords can be forgotten, or worse, passwords can be stolen and then used by unauthorized individuals. Access cards can get lost, stolen, or “ripped” by devices that pull the information off of them to be reused maliciously. Cheap biometric devices may incorrectly read a person’s face or fingerprint, locking out access or providing access to the wrong individual. Compound these problems in an environment with a lot of sensitive data, and suddenly single authentication becomes the problem rather than the proper security protocol.

How Two-Factor Authentication Addresses Problems

Instead of using complex passwords that can lock users out or slip from memory, authentication can be handled by accurate biometric scanners and RFID identifiers integrated into the medical grade PCs and tablets that healthcare professionals use on a daily basis, removing manual entry altogether. By removing the human element—loss and forgetfulness—medical professionals can access patient information with minimized risk of violating HIPAA laws. Imprivata’s intelligent Single Sign-On platform removes the need to remember complex passwords and eliminates mistyped entries; it is a security protocol standard that requires certified hardware in order to authenticate successfully. Also, using a highly accurate biometric scanner is a must-have, since fingerprints cannot be lost or “stolen” the way cards can. Ensuring these systems are in place and functioning properly is key to maximum possible security for patient information.

Two-Factor Authentication is a Growing Standard for Medical Computers

Since Two-Factor Authentication is a growing tech trend in hospitals in some states, it’s already at the forefront of security protocols for medical professionals and hospitals to use on their medical computers. Ohio is the first state to require Two-Factor Authentication under HIPAA laws. However, nearly half the hospitals in the United States are using Two-Factor protocols, meaning it is quickly becoming the standard even where it isn’t mandated by law. Corporations are using high-quality authentication protocols that require certified hardware in order to authenticate properly, such as Imprivata’s sophisticated Single Sign-On platform and CrossMatch’s high-quality biometric scanners that are Imprivata-certified. These certified products are the best market-available options for ensuring security.

Two-“Fact”or Authentication Facts

The Office of the National Coordinator for HIT recently reported a 53-percent jump, over the course of four years, in the number of hospitals utilizing Two-Factor Authentication for their HIT needs. Christus Health, an Imprivata user, reported over 2.3 million dollars saved using Single Sign-On technology. Crossmatch’s DigitalPersona technology has been implemented at several HIT companies, touting ease of use across multiple IT infrastructures. Using these technologies together is making an impact in today’s HIT world.

Solutions for Two-Factor Authentication

The good news is that every medical computer that Cybernet manufactures is customizable for Two-Factor Authentication—biometrics, CAC integration, or RFID scanning can be added for security needs. Plus, Cybernet’s computers are approved for Imprivata Single Sign-On use, so the human element has been removed from password entry. Our biometric scanners come from CrossMatch and are high-quality readers certified to work with Imprivata—you can rest assured that a biometric reading will be accurate and that it will authenticate users with Imprivata SSO. With these security protocols in place, information leaks are minimized and unwanted individuals are kept from accessing what they shouldn’t. Visit the Cybernet website to see how we can customize our hardware to meet your unique needs.

Medical Tablets: Complying with HIPAA

Healthcare providers increasingly use clinical applications such as EHR, clinical decision support systems, order entry systems, radiology, laboratory and other systems. Health IT makes the medical workforce more agile, mobile and productive. Mobile devices let physicians check patient records on the go, in any location. Nonetheless, the rise of mobile technology increases the risk of data breaches. HIPAA aims to protect ePHI while still allowing hospitals to adopt new technologies and improve their efficiency and care quality.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 consists of the HIPAA Privacy Rule and the HIPAA Security Rule. The former establishes national standards for the protection of individually identifiable health information; the latter sets security standards for protecting individually identifiable health information held or transferred in electronic form. The Security Rule covers the technical and non-technical safeguards covered entities must implement to secure patients’ electronic protected health information (e-PHI).

Understanding HIPAA

The HIPAA Security Rule covers health plans, health care clearinghouses and health care providers that create, receive, store or transmit e-PHI, as well as their business associates. Read the Summary of the HIPAA Privacy Rule [PDF].

Under HIPAA, covered entities must:

  • Ensure confidentiality, integrity and availability of e-PHI.
  • Identify threats to e-PHI and protect against them.
  • Protect e-PHI against disclosures or impermissible uses.
  • Ensure HIPAA compliance by the workforce.

The HIPAA Security Rule requires covered entities to perform a risk assessment to determine reasonable security measures for a particular organization. Risk assessment includes evaluating the likelihood of a data breach, implementing appropriate security measures, documenting those measures and the rationale for choosing them, and continuously protecting e-PHI.

Safeguards

On the administrative, physical and technical levels, HIPAA requires organizations to implement certain safeguards.

Administrative

  • Security management process: identify and analyze risks to e-PHI and implement security measures to protect it.
  • Appoint a security official to oversee HIPAA compliance.
  • Information access management: limit uses and disclosures of e-PHI, granting access to data only when appropriate and only to authorized personnel.
  • Provide the medical staff with data protection training and ensure policy compliance by the workforce.

Physical

  • Limit physical access to the facility for unauthorized individuals, yet ensure authorized access is allowed.
  • Implement device security procedures, specify proper use of devices and access to them, have policies regarding device transfer, disposal or re-use.

Technical

Health care providers must implement:

  • Access control to e-PHI for authorized personnel only.
  • Audit controls of hardware, software and data access and use procedures.
  • Integrity controls to ensure e-PHI is not destroyed or altered improperly.
  • Transmission security measures that guard against unauthorized access to e-PHI in transit.

Features of Medical Tablets That Ensure HIPAA Compliance

So, when we talk about the features of the medical tablets that ensure HIPAA compliance, we are primarily concerned with the Technical Safeguards of the HIPAA Security Rule provisions.

Encryption

The HIPAA Security Series Guidelines require covered entities to “consider the use of encryption” for e-PHI in transit. Encryption for data at rest is not mandatory, but its implementation depends on the risk assessment.

End-to-end encryption ensures that data in transit is protected against data breaches and man-in-the-middle attacks, according to HIPAA Journal. Technology based on end-to-end encryption helps providers avoid HIPAA violations.

HIPAA-compliant medical tablets are Windows or Linux-based, which enables support for full disk encryption of data at rest and implementation of end-to-end encryption programs for data in transit. Furthermore, Windows medical tablets have USB 3.0 and USB 2.0 ports and can encrypt data on external storage devices just as normal desktop computers would.

One of the glaring security holes in consumer grade mobile devices is the text messaging and consumer chat apps medical staff use to communicate with patients and colleagues. Sending e-PHI details in a text message is a direct violation of the HIPAA Security Rule. Skype, WhatsApp or Hangouts lack the necessary protections for secure data transfer, despite claims of encryption. Medical professionals must implement secure communication programs with end-to-end encryption, preferably from trusted, zero-knowledge providers.

Data Access

HIPAA requires the implementation of technical policies and procedures that allow access to PHI by authorized staff only. Medical tablets have access control mechanisms that enable advanced user authentication. Moreover, they make those mechanisms easy to use, because end users tend to bypass any technical procedure they deem difficult, time-consuming, or otherwise a drag on their productivity.

Multi-factor authentication in medical tablets is provided through RFID-based Imprivata Single Sign-On, a biometric scanner, a Smart Card or CAC reader, and a Kensington lock. Multi-layered access controls reduce the risk of unauthorized data access. Medical staff can safely leave the device in a hospital’s public areas, such as corridors or patient rooms, and rest assured the confidential data is locked.

Data Integrity

According to HIPAA, any e-PHI data stored on a mobile device (or transmitted with its help) must be protected against unlawful tampering or destruction. Mobile devices used to store or transmit e-PHI in healthcare must have features that allow them to be audited for access to e-PHI, including attempted access, and for any other activity that could potentially affect data security.

Medical tablets can be configured for remote device management, giving IT admins full control over the data stored on and transmitted from them. IT admins can push system and software updates and patches remotely, or troubleshoot issues without physical access to the device. They can set up the device so that a complete log of data access and failed login attempts is recorded for review. They can wipe the device remotely should it be lost or stolen. They can monitor network activity and spot suspiciously large upload or download volumes, especially to or from suspicious servers.
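As an added example that is not part of the original post, the following Python script applies two of the review checks just described (a burst of failed logins by one user on one device, and an unusually large upload to a server outside an approved list) to a constructed audit log. The log format, the threshold values and the approved-host list are assumptions, not anything Cybernet or Imprivata ships.

```python
import re
from collections import defaultdict
# Constructed sample audit log from a fleet of medical tablets (not real data):
# timestamp, device, user, event, then optional key=value details.
SAMPLE_LOG = """\
2017-11-02T08:01:12 TAB-017 nurse.lee LOGIN_FAIL reason=bad_pin
2017-11-02T08:01:20 TAB-017 nurse.lee LOGIN_FAIL reason=bad_pin
2017-11-02T08:01:31 TAB-017 nurse.lee LOGIN_FAIL reason=bad_pin
2017-11-02T08:02:10 TAB-017 nurse.lee LOGIN_OK method=rfid+pin
2017-11-02T08:06:47 TAB-004 dr.ahmed LOGIN_OK method=fingerprint
2017-11-02T08:07:02 TAB-004 dr.ahmed RECORD_READ patient=P-2201
2017-11-02T08:09:30 TAB-004 dr.ahmed UPLOAD dest=ehr.hospital.example bytes=500000000
2017-11-02T08:15:12 TAB-004 dr.ahmed UPLOAD dest=198.51.100.23 bytes=840000000
2017-11-02T09:00:00 TAB-009 admin.kim LOGIN_FAIL reason=bad_pin
2017-11-02T09:00:30 TAB-009 admin.kim LOGIN_OK method=smartcard
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<user>\S+) (?P<event>\S+)(?P<detail>.*)$")
APPROVED_DESTS = {"ehr.hospital.example"}  # assumed list of sanctioned e-PHI servers
FAIL_THRESHOLD = 3              # consecutive failed logins by one user on one device
UPLOAD_THRESHOLD = 100_000_000  # bytes in one upload to a host outside the list

def parse(log_text):
    """Parse raw lines into dicts; 'key=value' details become fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        ev = m.groupdict()
        detail = ev.pop("detail")
        ev.update(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        events.append(ev)
    return events

def find_alerts(events):
    """Flag failed-login bursts and large uploads to unapproved servers.
    Returns (kind, device, user, detail) tuples in log order."""
    alerts, streak = [], defaultdict(int)
    for ev in events:
        key = (ev["device"], ev["user"])
        if ev["event"] == "LOGIN_FAIL":
            streak[key] += 1
            if streak[key] == FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("failed_login_burst", *key, f"{FAIL_THRESHOLD} consecutive failures"))
        elif ev["event"] == "LOGIN_OK":
            streak[key] = 0  # a successful login ends the burst
        elif ev["event"] == "UPLOAD":
            size, dest = int(ev.get("bytes", 0)), ev.get("dest", "")
            if dest not in APPROVED_DESTS and size >= UPLOAD_THRESHOLD:
                alerts.append(("large_upload_unapproved_host", *key, f"{size} bytes to {dest}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(*alert)
```

The large upload to the approved EHR host is deliberately left unflagged, and the two failures on TAB-009 stay below the threshold, so only the two conditions the text names produce alerts.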

IT admins can block or disable certain OS features and whitelist or blacklist programs to protect the confidentiality of e-PHI from inadvertent exposure by end users. For example, disabling automatic connection to any available Wi-Fi network keeps devices from joining insecure public networks.

From ad-block browser extensions to firewalls and sandboxing, Windows supports the full list of security measures an IT admin can deploy on a device. With Windows 10, the security features have advanced even further.

Windows makes the use of password managers easy, since most enterprise programs are developed for Windows. Administrators can also disable access to the app store so that users cannot download and install unauthorized applications or games. Alternatively, they can block every application except an authorized list from accessing the Internet.

Medical tablets give admins the necessary means to scan them for malware and other malicious code, install antivirus, and perform regular and random scans. When an employee leaves or is fired, admins can safely terminate their access to PHI.

10 Ways Small Businesses Can Secure Confidential Data

The Internet is a great tool for helping small businesses to expand. After all, it allows them to establish an online presence while attracting new customers and building a reputation in the process. While the Internet is a fine tool for promotional purposes, it also attracts hackers who may steal digital information and commit fraud. Unfortunately, these security breaches are not uncommon. Credit card information and passwords can be stolen, which can damage a business’ reputation and cause serious financial problems.

Here are 10 things you can do to protect your business from possible attacks so that all of your confidential data is kept safe and secure.

Protect Your Data as Well as You Can

This means keeping your computer clean, deleting unnecessary files every now and then, having the latest version of your antivirus installed, and using safe web browsers and operating systems. These are just a few preemptive measures you can take to increase digital safety within your company. In addition, it is advisable to run regular antivirus scans to identify any malware that may be already present.

Educate Your Staff

Your staff might not be familiar with the risk of a security attack. They might not be into technical or IT-related matters so it’s best to educate them so they are well prepared in case something goes wrong. This can be as simple as requiring that they use strong passwords and establishing certain rules of conduct that describe how they should protect customer information and other types of important data. Employees can also be trained to run regular antivirus scans to make sure the computers they use are kept free of malware.

Install Firewalls on Your Computers

Most operating systems have a firewall already built in. To increase the safety of your business’s data, make sure the firewall is always turned on. If you are suspicious about its ability to keep hackers away, you can also try installing more robust firewall software.

Back Up Your Business Data Regularly

Back up your data and store it on an external device or, better still, in the cloud. This includes documents containing passwords, databases, spreadsheets with customer information, accounting-related documents, and financial files. Backing up your data within a single computer is not advisable, since if an unauthorized person gains access to that computer, the backup is not protected either. As such, it’s a good idea to store everything on an external hard drive or in the cloud.

Mind Your Mobile Device’s Security

If you store confidential information on your mobile device, install an application on your cell phone that will allow you to locate your device in the event it’s ever lost or stolen. These apps usually allow you to log into your account from a PC and lock the phone so it cannot be used until you locate the phone and manually unlock it yourself. You can password-protect the device and encrypt the data, although it’s important to note that the absolute best security measure you can take is to not store sensitive data on your cell phone in the first place.

Keep Your Wi-Fi Network Secure

Chances are you can log onto the Internet via a Wi-Fi network. If that is the case, it is imperative that you keep it encrypted, hidden and secure. It’s advisable not to allow anyone but the people within your company to join your Wi-Fi network. For this purpose, you should password-protect it so that only people who possess knowledge of these passwords can join.

Keep Employee Accounts Separate

If you create a separate user account for every employee, you will make it exponentially harder for unauthorized individuals to use or access your business’s computers. Every employee should have a different username and password. Administrative privileges should only be granted to management and trusted IT staff.

Keep Payment Card Data Protection in Mind

If you own a small business, chances are you work with payment processors or banks that allow for the electronic management of your finances. Only use validated and trustworthy tools that are secure so you can rest easy knowing that your financial information is safe. If you log into a payment system from a web browser, make sure to delete your browsing and cookie history after you log out. And under no circumstances should you ever store your username and password combinations.

Passwords and Authentication

Many IT experts recommend that employee passwords be changed quarterly, and for good reason. This ensures that if an employee is terminated or someone is careless and loses a password, your business is better safeguarded against potential security breaches. Multifactor authentication is equally handy since it ensures that every login is completely unique.

Limit Employee Access to Confidential Information

Each employee should only have access to the data needed to perform their job. There is no need for every employee to have access to all data systems; granting it is a surefire way of ensuring that sensitive data doesn’t stay confidential for long.

Conclusion

The ugly truth is that the Internet is a dangerous place. Unfortunately, it’s a necessary evil in the business world. The best thing you can do to protect your business is to take pre-emptive measures to shore up your systems and train your employees on proper security protocols. While nothing is fail-proof, doing so will greatly reduce the likelihood of confidential data landing in the hands of the wrong person.

Cybernet offers All in One PCs and tablets for Healthcare, Business and Industrial environments that have built-in security safeguards.