Phishing works by tricking a user into giving the hacker their password and/or username. Generally, usernames aren't protected info, so a link in an email with some concerning text often does the trick. The link leads to a fake sign-in page where the user inputs their credentials. If the hacker targets the right people in an organization, that one mistake can expose a lot of information. Say they targeted one of the lead developers. That developer probably has access to some security-critical databases or codebases. Once the hacker gets in the door with a legit username/password combo, they can stay hidden in the system for quite a while to find the data they are looking for.
The Kaiser breach was caused by phishing. HCA has not released why the breach happened. LabCorp had two recent-ish breaches. The first was caused by faulty security in a third-party payment service and the second was caused by bad website design that led to part of the website not requiring login to fetch patient files. These could have been prevented by security training, disclosure requirements (so we would know why HCA was breached), and better software development practices.
I think there's a decent argument to be made that smaller firms are potentially better for patient security. You have fewer people to security train, fewer hacker targets, less data to expose. Large firms are honeypots because they have so many records and so many phishing targets.
On the topic of passwords, having one secure password isn't enough. If it gets exposed (and chances are it will) then all of your accounts are vulnerable. Two-factor authentication and a unique password for every account are your best bet.
Tilley
-----Original Message-----
From: Code for Libraries <[log in to unmask]> On Behalf Of charles meyer
Sent: Friday, February 14, 2025 6:15 PM
To: [log in to unmask]
Subject: Re: [CODE4LIB] [External] [CODE4LIB] Patient Portals
But for all the HIPAA guidelines, we know of major health care breaches (e.g. Kaiser, HCA, Lab Corp, etc.) so the strict guidelines didn't protect the patients' data with those companies.
If huge corps can't protect data it doesn't seem to bode well for smaller companies or practices.
I wondered if anyone on this list was knowledgeable about how exactly these security breaches were effected?
How did a phishing expedition expose hundreds of thousands of other patients' health info with those security breaches?
My concern with the pw generators is that some are storing a person's info on their site. Not all, but a few are. Imagine, if you will, that millions store several pws to health care accounts, investment cos, etc. With lesser guidelines than HIPAA?
Which leads me to a related question (although not the OP if I can please be given some latitude?) - what creative ways are you aware of in creating more effective passwords to help people?
I've read that creating a phrase or borrowing dialogue from your favorite movie - "You Can't Handle the Truth" but with no spaces in between - has been recommended.
But, is that more effective than a pw generator?
Other techniques you've used?
BTW, WM in my prior post was referencing Wealth Management. Family offices, brokerages, banks rep'ing $100 million in investable assets (more than your traditional accredited investor) where security and confidentiality are as important to them as ROI (return on investment).
Thank you,
Charles.
Charlotte County Public Library
Date: Thu, 13 Feb 2025 14:41:22 +0000
From: Xavier Tilley <[log in to unmask]>
Subject: Re: [External] [CODE4LIB] Patient Portals
All of these healthcare software providers have to follow guidelines for making HIPAA compliant software. There are strict guidelines for how to handle data access, data backups, login security, etc.
Password generators are really simple to code. They just generate a random string that contains certain types of characters to make the password harder to brute force. Banks do not have to follow HIPAA guidelines. Their software needs to be secure, but the rules for guarding your financial data are a bit less regulated.
Practically all of the data breaches in the past few years have been caused by people getting tricked by phishing emails. That has nothing to do with the security of the portal because someone just handed their keys over.
Hospitals pay so much when infected with ransomware, not because patient data has leaked and they want to protect you, but because so much of the hospital is computerized now that they can't really provide care to patients if they are locked out of the network. A lot of hospitals can't even dispense Tylenol without logging into a computer to access the drug drawer. So, if they don't pay, people die.
I'm not familiar with this WM you referenced.
Tilley
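A generator of the kind Tilley describes, plus the entropy arithmetic behind Charles's passphrase-versus-generator question, as an added example written for this thread (not code from either poster). The character classes, the symbol set, and the guess-list sizes are constructed assumptions, not figures from any real attack tool.

```python
import math
import secrets
import string

# Character classes a typical generator draws from (constructed for this example).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",
)
ALPHABET = "".join(CLASSES)  # 85 distinct characters


def generate_password(length=16):
    """Random string with at least one character from every class.

    Uses the secrets module (OS CSPRNG); random.choice is predictable and
    must not be used for credentials.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]  # one per class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were forced
    return "".join(chars)


def meets_policy(password):
    """True when every character class appears at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_string_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def guess_list_bits(list_size, variants_per_entry=1):
    """Entropy of a secret drawn from a list the guesser already has (famous
    quotes, song lyrics) times the spacing/case variants tried per entry.
    A 22-character movie line looks like ~141 bits if treated as random
    characters, but only ~23 bits if it sits in a million-quote list with
    eight formatting variants each; the attacker's best model decides."""
    return math.log2(list_size * variants_per_entry)
```

The lesson for the thread: a memorable phrase is only as strong as the size of the list it can be looked up in, while a generated string's strength is set by length and alphabet alone.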