password manager Archives - LuxSci

Posts Tagged ‘password manager’

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenet of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.


What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm and 6am (or any window of your choosing). Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.
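As an added illustration (not LuxSci's code), the hours, geography and IP restrictions described above can be combined into one login-policy check; the allowed networks, blocked countries and lockout window below are constructed values, the country code is assumed to come from a geo-IP lookup done elsewhere, and the emergency override is a flag the caller sets.

```python
import ipaddress
from datetime import datetime, time
from typing import Tuple

# Constructed policy for illustration only (TEST-NET ranges, hypothetical values).
POLICY = {
    "allowed_networks": [
        ipaddress.ip_network("203.0.113.0/24"),   # office egress
        ipaddress.ip_network("198.51.100.0/24"),  # VPN address pool
    ],
    "blocked_countries": {"RU", "CN", "IR"},      # ISO country codes from geo-IP
    "lockout_start": time(22, 0),                 # 10pm
    "lockout_end": time(6, 0),                    # 6am: the window crosses midnight
}


def in_lockout_window(t: time, start: time, end: time) -> bool:
    """True when t is inside [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate_login(source_ip: str, country: str, when: datetime,
                   emergency_override: bool = False, policy=POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for a login attempt. `country` is the geo-IP result
    for source_ip, passed in by the caller; `when` is the local time of the attempt."""
    if country in policy["blocked_countries"]:
        return False, f"logins from {country} are blocked"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in policy["allowed_networks"]):
        return False, "source IP not in allowed networks"
    if in_lockout_window(when.time(), policy["lockout_start"], policy["lockout_end"]):
        if emergency_override:
            # Allowed, but the reason string flags it so the audit log shows the override.
            return True, "allowed by emergency override outside working hours"
        return False, "outside permitted login hours"
    return True, "allowed"
```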

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

4 Security Tips for Cybersecurity Awareness Month

Wednesday, October 26th, 2022

October is Cybersecurity Awareness Month, and it’s worth taking a minute to reflect on your security stance and what you can do better to protect sensitive data and accounts.


The Current State of Cybersecurity in 2022

Cybersecurity incidents and data breaches continue to increase across all industries. A 2022 report noted a 42% increase in cyberattacks for the first half of 2022 compared to the same period in 2021.

The healthcare sector also continues to be a target. The same report noted a 69% increase in cyberattacks targeting the healthcare sector. The Office of Civil Rights also noted that breaches affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

Even more concerning, 74% of the breaches reported to OCR in 2021 involved hacking or IT incidents. In the healthcare sector, hacking represents the greatest threat to the privacy and security of PHI. Organizations must take the threat seriously and take concrete steps to protect their systems.

4 Essential Steps for Better Cybersecurity

So what can you do to avoid falling victim to a cyberattack? The Cybersecurity & Infrastructure Security Agency (CISA) recommends these four essential steps that all employees can take to protect their accounts.

Watch Out for Phishing Scams

Think before you click! Educate employees on common phishing tactics, create policies to help reduce risk, and invest in tools that flag suspicious emails. Phishing tactics are successful because they prey on common human impulses to manipulate individuals into taking quick actions.

Teaching employees what to look out for and putting in place email filtering systems to flag suspicious senders and links can drastically reduce your risk and the probability of your organization falling victim to a hacking incident.

Update Software

Many people find software updates annoying and snooze them for as long as possible. However, many software updates include security patches for recently identified vulnerabilities. Failing to update to the latest version leaves your organization vulnerable to attacks.

Use Strong Passwords

It’s an obvious tip to many security professionals, but many people still use weak passwords that are easy to guess. Today it is easier than ever to crack simple passwords using dictionary attacks or finding credentials on the dark web.

Employees should use unique passwords for each account. In addition, passwords should be:

  • Randomly generated
  • Made up of a combination of letters, numbers, and special characters
  • At least ten characters long
  • Stored securely in a password manager
  • Not shared with other employees
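The password requirements in this list and in the earlier checklist (unique, random, mixed character classes, at least ten characters) can be enforced in code rather than left to users; the following is an added example, not LuxSci's code, with the four character classes and the 10-character minimum taken from the posts and the `used_elsewhere` collection assumed to hold the passwords already stored for the user's other accounts.

```python
import secrets
import string

MIN_LENGTH = 10  # the post's minimum; raise it for privileged accounts
CLASSES = {
    "lowercase letters": set(string.ascii_lowercase),
    "uppercase letters": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special characters": set(string.punctuation),
}


def check_password(candidate: str, used_elsewhere=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in candidate):
            problems.append(f"no {name}")
    # Uniqueness across accounts: compare against the user's other stored passwords.
    if candidate in used_elsewhere:
        problems.append("reused from another account")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw a password from the OS CSPRNG and resample until it satisfies check_password,
    so every class is present without biasing which positions hold which class."""
    length = max(length, MIN_LENGTH)          # a shorter request could never pass
    alphabet = "".join("".join(sorted(chars)) for chars in CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```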

Enable Multifactor Authentication

As we mentioned above, cracking passwords is getting easier, especially if employees are not using strong, complex credentials. Enabling multifactor authentication adds another layer of security to account logins. Multifactor authentication requires users to present two or more credentials to log in to their accounts. The first factor required is a typical username and password. The second factor is usually a code contained within a text, email, or push notification. The user must enter this numerical code to confirm that they are logging into the account. Even if your username or password is compromised, a hacker will not be able to access the account without that second factor. It’s wise to require the use of multifactor authentication, especially for accounts that contain sensitive data.
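Both posts describe the second factor as a six-digit code generated by an app such as Google Authenticator; as an added example (not LuxSci's code) this is the time-based one-time password scheme from RFC 6238 that such apps implement, with the server-side check tolerating one step of clock drift while refusing a code step that has already been accepted. The provisioning secret and timestamps in the comments are the RFC's published test values.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

STEP = 30    # seconds per code, as used by Google Authenticator
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the authenticator app displays."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1) -> Tuple[bool, int]:
    """Server-side check. Returns (ok, counter_to_store).
    Accepts the current step and +/- `window` neighbours to absorb clock drift, but
    never a step at or before the last accepted one, so a captured code cannot be replayed."""
    submitted = submitted.strip()
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return False, last_used_counter
    current = int(unix_time) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True, counter
    return False, last_used_counter


def secret_from_base32(encoded: str) -> bytes:
    """Apps are provisioned with a base32 secret (QR code); decode it for HMAC use."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore padding that QR payloads omit
    return base64.b32decode(s)


# RFC 6238 Appendix B secret: ASCII "12345678901234567890"
# totp(secret, 59) -> "287082"; totp(secret, 1111111109) -> "081804"
```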

Conclusion

Of course, these tips only scratch the surface of a successful security and compliance program. To get started, complete a risk assessment to identify gaps and areas to improve. LuxSci is here to help improve your email security.

LuxSci Tips and Tricks: WebAides Password Manager

Thursday, October 20th, 2022

We are starting a new blog series to help you understand some of the more advanced LuxSci features. First, did you know that LuxSci has a password manager tool? We designed this tool to make it easy to securely share passwords across your organization.

What is a Password Manager?

Password managers are software applications designed to store passwords securely. They require the use of one primary password to access an encrypted vault where passwords for other accounts are stored. There are many different password managers out there, with varying features and levels of security.

LuxSci’s WebAides Password Manager

WebAides Password Manager allows LuxSci users to create and securely store lists of passwords. It was designed to suit the needs of businesses and IT administrators.

With just a single primary password to remember, it’s easier to protect and store unique, complex passwords. This offers both security and convenience. WebAides Password Manager uses PGP encryption to safely store passwords for individual users or groups. This setup means that LuxSci employees cannot access the password data of our customers.

The tool is flexible, allowing administrators to control access to shared passwords. If someone is not a group member, they cannot decrypt the password. Administrators can easily add or remove users from groups to tightly control access to sensitive accounts.

Why Use WebAides Password Manager

The granular level of access control makes it extremely easy to share passwords among designated individuals from a central, secure location. Administrators can create multiple password folders to tightly control access to sensitive credentials. For example, when an employee is promoted, they may need to access different accounts. The administrator can add the employee as a member of a management password group and provide them with the primary password to access those account logins.

The tool also includes an export feature for business continuity and disaster recovery. Administrators can decrypt and backup the entire password web archive for offline storage. An offline backup of company passwords protects the organization in case of a catastrophe that brings standard systems down.

LuxSci’s WebAides Password Manager also includes a notes section for each entry. This is a great place to securely document account numbers, previously used passwords, and the security question and answers used to reset passwords or verify identity.

These features are useful for organizations with complex security and compliance needs.

How to Set Up WebAides Password Manager

Detailed instructions can be found in our Help documentation. To access your WebAides Password Manager, log in to your WebMail account and look under Apps -> Passwords. Before creating a new entry, you’ll need to generate a PGP certificate to encrypt the password. This can be done by going to the Account Settings -> Security -> Security Certificates settings.

Our support team is also available and ready to help. Contact us today to learn more.

Want to Keep Your Passwords Safe & Your Accounts Protected? Here’s How

Thursday, June 28th, 2018

Passwords are the bane of modern existence. Most of us have dozens or hundreds of accounts with passwords to keep track of. Many people are probably also using the same easy passwords for each of these accounts. Don’t be ashamed if that’s you because many people do it. Just be prepared to listen.

If you use the same, simple passwords for all of your accounts, you are making yourself much more vulnerable to an attack. This means that threat actors can work their way into your personal or business accounts and wreak havoc on your life and your company. If you want to minimize the chances of this happening, then you need to know how passwords can be stolen and the best ways to protect them.

How Do Attackers Get People’s Passwords?

To understand the best ways to protect your passwords, you need to know how attackers acquire them in the first place. Their methods can be simple, such as looking at the Post-It notes on someone’s monitor, or they may work in a place where they have access to customer passwords (such as the operators you talk to when you call up your bank). If these individuals abuse their positions and save customer passwords, they can try to use them on other accounts owned by the same customer, which is why you should have separate passwords for each account.


Master Password Encryption in FireFox and Thunderbird

Friday, February 27th, 2009

If you are allowing Mozilla FireFox or Thunderbird to remember passwords to web sites and/or email accounts in their Password Manager tool, you should know that these passwords are all stored in a plain text file (base64 encoded) on your computer’s disk drive. This file is accessible to anyone with administrative access to your computer. If you have any concerns about the possibility of other people accessing your computer and thus gaining easy access to copies of the passwords that you are using, you really need to employ the “Master Password” feature of these programs.
