The Importance of Hospital Data Security

Healthcare providers are no strangers to data security. When it comes to HIPAA, for example, they’ve long known how important it is to keep patient information safe and secure from prying eyes.

With so much hospital information now stored in digital form, primarily in databases, the need for strong hospital data security has never been greater. But what are the risks of database intrusions? And how can hospitals make sure their databases are as secure as possible?

Database Security Risks for Hospitals

Practically all the information hospitals collect, store and use exists in any number of databases. Everything from patient information (EHRs) to patient satisfaction systems, lab processing to employee records, financial results to billing and payment processing – most any application you find at a hospital runs on a database.

With that massing of data comes a certain amount of risk, much of it unexpected. Hackers have been diligent in their search for structural weaknesses they can exploit in databases. The Office of Civil Rights reports that, in 2015, more than 112 million patient records were compromised. Cybercriminals continue to try to gain access to healthcare records, which they see as a valuable commodity.

One of the more recent trends is the abundance of ransomware, which cybercriminals use to hold data hostage while demanding a ransom that must be paid before the data is released. Some hospitals feel they have no choice but to pay the ransom – such as the nearly $17,000 one Los Angeles hospital paid in 2016 to regain access to its computer systems – or else suffer the dire consequences of starting over from scratch.

As more and more hospitals look to the cloud as a way to share data and streamline internal processes among their employees, cybercriminals are hard at work searching for ways to break cloud security and steal patient records and other data. Utilizing mobile devices like smartphones, tablets and laptops can also create security issues.

How Can Hospitals Keep Databases Secure?

There are a number of best practices hospitals can follow to strengthen security around their database information. Here are some of the most common:

  1. End-to-end Encryption. Data is most vulnerable not when it’s created or stored but when it’s transmitted between devices. It’s important to make sure sensitive data is encrypted when it’s sitting idly in storage or being used in an application. It’s even more important that it be encrypted when being transferred, such as between internal systems and the cloud or between a network server and a mobile device.
  2. User Security. It goes without saying that strong passwords are essential for protecting data like patient information. Passwords should include special characters and be changed frequently. Even better would be a combination of a strong password and PIN code – such as those generated by a security token – to gain access to an application housing sensitive data.
  3. System Backups. Backing up data is a necessary step for any security best practice. If data is lost or stolen, it can be restored. But backups should be made on a different network from the live data. Otherwise, cybercriminals can hijack both the live data and the backup data. The backups should also be encrypted to prevent unauthorized access.
  4. Cloud Security. The convenience of the cloud is indisputable, as mobile devices make it easier for doctors and other practitioners to access patient information wherever they are. But cloud systems also create a riskier environment, where hackers can more easily intercept and steal data. It’s vital for hospitals to employ a cloud provider that understands and actively monitors cloud security.
  5. Securing Input and Output Files. Cybercriminals can target not just your databases and backups, but the files that ordinarily flow into and out of your databases. If these input and output files – such as reports and work files – contain sensitive information, they should be classified and secured to prevent cybercriminals from obtaining their contents.
  6. DBA Service Providers. When considering healthcare security solutions, hospitals might consider contracting with a database administrator (DBA). A quality third-party vendor can provide hospital IT solutions that both optimize database efficiency and protect the hospital from cyber attacks.

Hospital data security should be viewed as part of an overall strategy for managing database information for the best benefit of the hospital. A knowledgeable and sophisticated DBA expert can help hospitals protect their data. A DBA expert can also help hospitals use this data for business intelligence (BI) purposes beyond the scope of each individual database application.

HIMSS, the Healthcare Information Management Systems Society, is continually helping healthcare providers evolve and stay secure through the use of information technology. RDX will be exhibiting at HIMSS18, taking place March 5-9, 2018, at the Sands Expo Center in Las Vegas. We hope to see you there.

 

Google Cloud Security Best Practices

Many businesses employ powerful cloud platforms such as Google Cloud to store company data – spreadsheets, documents, databases, images, applications, software and much more. But some businesses contemplating Google Cloud Platform wonder: Is Google Cloud safe? Is data stored in Google Cloud secure?

The answers to these questions appear to be “yes,” as long as companies take extra steps to make certain that data won’t be compromised. Below are some Google Cloud security best practices that business leaders should be aware of when working with their teams to ensure the security of company information.

Why Use Google Cloud?

As might be expected, Google has put a lot of resources into making Google Cloud a state-of-the-art storage platform. Unlike some upstart cloud providers, Google Cloud has evolved a reputation for quality data storage performance. Accessible anywhere in the world, Google Cloud claims to be “cost-effective and constantly improving.” It delivers all the high-performance infrastructure companies need for storage of their data.

Google Cloud also includes powerful tools for analyzing big data. Companies generate all kinds of data that can be useful in tracking business transactions, identifying customer or client trends, pinpointing inefficiencies in systems, and making informed decisions on the future of the business. Google Cloud’s customizable business intelligence (BI) analytics can propel businesses to greater success.

Keeping Google Cloud Secure

Along with Google Cloud’s respectable track record comes a commitment to security. Google works strenuously to ensure that data stored in Google Cloud is protected from intrusions. Although a public cloud platform has inherent security risks that a more expensive private cloud would not, Google nevertheless understands that the security of company data must be a major concern of any cloud platform.

While Google is doing its part in keeping data protected, security is a shared responsibility. Here are some Google Cloud security best practices companies should take into account:

Data Classification. Data has different degrees of sensitivity. Classifying data allows companies to categorize any data that should be restricted from wider distribution or otherwise confined to certain user groups. This is especially critical for data containing private information that could identify a specific individual, whether an employee or a customer.

Access Control. Companies are responsible for controlling access to data. It’s important to set user permissions at the project and application levels. This includes preventing end users from sharing critical information outside the corporate network or public cloud infrastructure.

Password Protection. Insisting that users have strong passwords is always a security best practice, especially when working in the cloud. Passwords should be as unpredictable and as random as possible. Two-factor authentication solutions (such as a password and token, password and emailed code, password and fingerprint) make it even harder for attackers to gain control of an account.

Data Encryption. Encrypting data is essential for creating a secure working environment. This is especially important when transferring data into or out of the cloud. Employing strong encryption, at all phases of data management, makes it more unlikely that data will be compromised.

Vulnerability Testing. It’s also important that data environments be routinely checked for vulnerability. Vulnerability assessment and penetration testing (VAPT) look for code flaws and application leaks that might make data insecure. If a vulnerability is found, it should be reported to Google via the Vulnerability Reward Program.

Security Sharing with Consultants. When hiring cloud platform consultants, companies should look for ones that take security and privacy seriously. Any third-party vendor that handles business information should have the highest certification available when it comes to security processes.

At RDX, security is of paramount importance. Although we don’t store or process any data for our customers, we adhere to one of the most comprehensive security and privacy frameworks in the IT industry and have audited every security control possible within our organization. We reduce the risk of business disruption by leveraging RDX’s expertise and controls – which include SSAE16, AICPA SOC 2 and PCI DSS compliance – ensuring the security, availability, integrity, confidentiality and privacy of data and transactions. You don’t become the #1 provider and pioneer of remote DBA services without paying close attention to data security.

What Is a Strong Password?

It goes without saying that the security of any company’s business information is of primary importance. Whether or not sensitive customer information is actually stolen, any breach in company data makes security appear weak, can scare away customers and may eventually lead to a company’s demise.

Most systems and applications dictate what the minimum security standards are; one system might simply require 8 alphanumeric characters, while others may require longer passwords with additional parameters, such as the inclusion of both upper- and lower-case letters and the forced exclusion of publicly available personal data, such as a user’s name.

Oftentimes, a person’s password strength will conform to the minimum standards required.

There are many security measures a company can take to protect the business against information attacks. One such measure lies within control of every individual user: password security. Regardless of whatever the minimum standards of a system are, individuals should strive to create the most secure passwords they can. Here’s some password advice from experts in the field.

What Most People Think Is a Strong Password (Really Isn’t)

Password security has been a business priority for a long time. Users are instructed to generate passwords that would be difficult to hack. But just how strong are those passwords?

Some experts believe it hardly matters. They argue that hacking software has become so sophisticated that it can decode pretty much any password users create. There have been instances, too, where businesses have required users to maintain complex passwords only to have hackers break in and steal a list of the company’s passwords that was never encrypted on the server.

These skeptical experts advise businesses to instead put more of their energies into locking down systems, strengthening firewalls, encrypting data, employing two-factor authentication and putting clear procedures in place that prevent hackers from getting in and information from getting out. While these are all best practices businesses should definitely follow, other experts continue to believe in the importance of password protection as a central way to safeguard business information.

Why Passwords Fail

What makes a weak password? Passwords fail for any number of reasons, but the most common one is that they’re too predictable. Anytime users include familiar words or phrases or identifiable numbers, the password has a good chance of being hacked. Using a street name and house number, for example, would be like putting the welcome mat out for hackers. Same with using surnames, maiden names, parents’ names, kids’ names, pet names or any number of other recognizable monikers.

It’s not that hackers know who users are and where they live, but the algorithms they employ to break into systems are very good at guessing. Hackers can process password attempts automatically and at lightning speeds. Without strong passwords, companies might as well just give away their information.

What Is a Strong Password?

For better password security, users should take into account all of the following:

1. A strong password should be at least 12-16 characters in length – the longer the better.

2. It should be a combination of upper- and lower-case letters, numbers and special characters.

3. It should include unrecognizable strings of letters (i.e., words not found in the dictionary). Foreign or nonsense words can be useful. It’s not enough to simply replace letters in common words with special characters. “$pring&$ummer,” for example, wouldn’t be very strong.

4. Mix it up as much as possible. The more random the better. The problem with random passwords is that they’re hard for users to remember. One solution is for users to create unusual acronyms only they would know. For example, take the phrase “My parents live at 445 N. Locust Street in Elizabethtown, Pennsylvania.” The password version of this might be: “Mpl@445N.LSinE,PA” – a strong password.

5. Avoid using the same password in many different places. Again, users have trouble remembering lots of different passwords and tend to rely on a few choice ones. Hackers know this and will try to exploit it. One solution is to use a password manager service. A password manager will create a strong password for each application and then store it in encrypted form. The user needs to remember only one password (hopefully a strong one) that tells the password manager to unlock or log into any application.
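Rules 1 to 3 in the list above can be enforced at password-creation time. The checker below is an added example, not code from the original article; the word list and the substitution table are small constructed samples, and a production check would load a full dictionary and a breached-password list.

```python
import string

# Constructed mini word list (assumption); long words only, because
# substring matching on short words would produce false positives.
WORDS = {"spring", "summer", "winter", "password", "welcome", "hospital"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "!": "i", "5": "s", "7": "t"})

MIN_LENGTH = 12  # lower bound of the 12-16 characters recommended in rule 1


def dictionary_hits(password):
    """Return word-list entries still visible after undoing substitutions."""
    normalized = password.lower().translate(LEET)
    return sorted(w for w in WORDS if w in normalized)


def check_password(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Rule 2: all four character classes must be present.
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += ["missing " + name for name, ok in classes.items() if not ok]
    # Rule 3: dictionary words, including disguised ones, are rejected.
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("$pring&$ummer", "$Pring&$ummer2018", "Mpl@445N.LSinE,PA"):
        print(candidate, "->", check_password(candidate) or "passes")
```

The second candidate satisfies the length and character-class rules and is rejected only by the dictionary check, which is why composition rules alone are not a sufficient policy.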

Business leaders should ensure that their company employs best practices in preventing data breaches. That includes procedures for designating strong passwords that stymie hackers.

At RDX, security is of paramount importance. Although we don’t store or process any data for our customers, we adhere to one of the most comprehensive security and privacy frameworks in the IT industry and have audited every security control possible within our organization. You don’t become the #1 provider and pioneer of remote DBA services without paying close attention to security issues, especially as they evolve in the future.

Databases continue to be exploited

Hacking is an entirely commonplace practice these days, even though it does seem to come as a surprise when it happens. Some film portrayals of hackers show grand data centers with flashing lights and typists furiously clicking away, obtaining entrance to secure government files. However, many hackers don’t need highly sophisticated software to gain access to any number of locations.


US continues struggle with database vulnerabilities

Regular readers of this blog are very familiar with the database vulnerability problems that IT professionals are facing around the world, seemingly on a daily basis. And though these individuals and their colleagues work tirelessly to find holes and create solutions, hackers still have many opportunities to find ways into secure databases and cause quite a panic.


Feeling vulnerable: OPM database still has security holes

It can be difficult to get a security breach under control. Once the problem is at a manageable level, it’s important to check what other areas need servicing. Hopefully the incident was just caused by the single vulnerability, but chances are there will be more to follow. That seems to be the nature of technology, first one thing and then inevitably another comes along. This certainly appears to be the case for the United States’ databases, and specifically the ones in the Office of Personnel Management, as another vulnerability was found in the database.


The data breach saga continues

By the end of this year, 2015 may be known as “The year of all the data breaches.” It seems as though every week holds a new security flaw and news that more information has been compromised or exploited. The month of June saw announcements of many unfortunate breaches, though the attacks themselves took place before summer.
