" mfa Archives - LuxSci

Posts Tagged ‘mfa’

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenant of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.

account security

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm-6am (or any time of your choosing.) Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

4 Security Tips for Cybersecurity Awareness Month

Wednesday, October 26th, 2022

October is Cybersecurity Awareness Month, and it’s worth taking a minute to reflect on your security stance and what you can do better to protect sensitive data and accounts.

cybersecurity awareness month tips

The Current State of Cybersecurity in 2022

Cybersecurity incidents and data breaches continue to increase across all industries. A 2022 report noted a 42% increase in cyberattacks for the first half of 2022 compared to the same period in 2021.

The healthcare sector also continues to be a target. The same report noted a 69% increase in cyberattacks targeting the healthcare sector. The Office of Civil Rights also noted that breaches affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

Even more concerning, 74% of the breaches reported to OCR in 2021 involved hacking or IT incidents. In the healthcare sector, hacking represents the greatest threat to the privacy and security of PHI. Organizations must take the threat seriously and take concrete steps to protect their systems.

4 Essential Steps for Better Cybersecurity

So what can you do to avoid falling victim to a cyberattack? The Cybersecurity & Infrastructure Security Agency (CISA) recommends these four essential steps that all employees can take to protect their accounts.

Watch Out for Phishing Scams

Think before you click! Educate employees on common phishing tactics, create policies to help reduce risk, and invest in tools that flag suspicious emails. Phishing tactics are successful because they prey on common human impulses to manipulate individuals into taking quick actions.

Teaching employees what to look out for and putting in place email filtering systems to flag suspicious senders and links can drastically reduce your risk and the probability of your organization falling victim to a hacking incident.

Update Software

Many people find software updates annoying and snooze them for as long as possible. However, many software updates include security patches for recently identified vulnerabilities. By not updating to the latest version, it leaves your organization vulnerable to attacks.   

Use Strong Passwords

It’s an obvious tip to many security professionals, but many people still use weak passwords that are easy to guess. Today it is easier than ever to crack simple passwords using dictionary attacks or finding credentials on the dark web.

Employees should use unique passwords for each account. In addition, passwords should be:

  • Randomly generated
  • Use a combination of letters, numbers, and characters
  • At least ten characters
  • Stored securely in a password manager
  • Not shared with other employees

Enable Multifactor Authentication

As we mentioned above, cracking passwords is getting easier, especially if employees are not using strong, complex credentials. Enabling multifactor authentication adds another layer of security to account logins. Multifactor authentication requires users to present two or more credentials to log in to their accounts. The first factor required is a typical username and password. The second factor is usually a code contained within a text, email, or push notification. The user must enter this numerical code to confirm that they are logging into the account. Even if your username or password is compromised, a hacker will not be able to access the account without that second factor. It’s wise to require the use of multifactor authentication, especially for accounts that contain sensitive data. 

Conclusion

Of course, these tips only scratch the surface of a successful security and compliance program. To get started, complete a risk assessment to identify gaps and areas to improve. LuxSci is here to help improve your email security.

Improve Account Security by Enabling Multifactor Authentication

Tuesday, May 17th, 2022

This month, the Cybersecurity and Infrastructure Security Agency (CISA) launched an initiative called MFA May to encourage individuals and businesses to enable multifactor authentication for their accounts. This article defines multifactor authentication and explains why organizations should implement it to improve the security of their accounts.

multifactor authentication

 

What is Multifactor Authentication?

Multifactor authentication requires users to present two or more credentials to log in to their accounts. Multifactor authentication is sometimes called two-factor authentication for this reason. The first factor required is a typical username and password. The second factor is usually a code contained within a text, email, or push notification. The user must enter this numerical code to confirm that they are logging into the account. Sometimes an authenticator application is used to generate the code. Instead of a numerical code, the second factor could be a biometric marker like a thumbprint scan.

By requiring a second piece of information to log in to an account, multifactor authentication increases the security of accounts. Even if a hacker gets ahold of your password, they will be unable to log in to an account without the second piece of authentication.

How Multifactor Authentication can Stop Cybercriminals

As you can tell, multifactor authentication is an effective tool for limiting account access. A study by Microsoft found that users who enable multifactor authentication for their accounts will block 99 percent of automated attacks.

It is easier than ever before for hackers to acquire users’ passwords. Data breaches compromise millions of account credentials each year, which can be purchased on the dark web for pennies. Hackers can also use dictionary attacks to guess simple passwords using computer technology. Lastly, users may unwittingly hand over their credentials to a malicious actor during a phishing attack.

However, administrators can stop these attacks by enabling multifactor authentication. Even if a hacker knows your password, they will be unable to access your account without that second piece of information.

How to Enable Multifactor Authentication

Many vendors now offer multifactor authentication. We recommend enabling it as often as possible, especially for sensitive accounts like email, financial accounts, and medical records.

LuxSci has offered options for multifactor authentication to our users for over a decade. Users have the flexibility to choose the second option for authentication. They can choose to send a token to an alternate email address or enable a third-party app like DuoSecurity or Google authenticator to validate their identities. Please contact our support team to learn more about enabling multifactor authentication on your LuxSci account.

Conclusion: Why Use Multifactor Authentication

Cyber threats are increasing across all industries. Although HIPAA does not yet require users to implement multifactor authentication, security experts strongly recommend it. Enabling multifactor authentication is an inexpensive and effective way to improve your security posture. Although users may object to the extra step, enforcing multifactor authentication as an administrator is a smart move.

5 New Year’s Resolutions to Improve Your Cybersecurity

Tuesday, January 4th, 2022

Happy New Year! Start the year off by making a New Year’s resolution to improve your cybersecurity. Here is LuxSci’s list of what your organization needs to do to prepare for the new year.

cybersecurity new year’s resolution

Read the rest of this post »