" vpn Archives - LuxSci

Posts Tagged ‘vpn’

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenant of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.

account security

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm-6am (or any time of your choosing.) Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

Remote Work & Its Cybersecurity Implications

Tuesday, June 4th, 2019

Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.

Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.

It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.

What Kind of Data Does the Employee Need to Access?

Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.

Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.

Low-risk Employees

If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).

For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.

The only policy that you would need in place is to ensure that the rest of your employees keep their communications on a strict need-to-know basis with remote employees. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets.  It’s also important to segregate their computer systems from those of sensitive employees if and when they happen to be in the same location, so as to avoid the spread of malware.

If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. It could prevent such rare slip ups at a low cost, since the infrastructure is already available.

Employees that Access Company Resources, Sensitive Data or ePHI

If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.

Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.

This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.

Access Control

Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.

Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.

Secure Employee Devices

Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.

VPN Access

VPNs offer one of the best ways to safely allow remote access to company resources. They fully encrypt the pathway between an employee’s device and the company server, preventing outside access.

Monitor Your Remote Workers

As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.

Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.

Encrypt Everything

Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.

Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.

What is really protected by SSL and TLS?

Saturday, April 8th, 2017

This question came in via Ask Erik:

Hi Erik,

I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session.  I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons.  In any case my questions is quite simple.

My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted.  I understand that I can’t control what happens with other e-mail servers.  What I am trying to understand is what does it mean to be encrypted?  When an e-mail leaves my computer how much of the message is encrypted?   Are the e-mail headers encrypted including the sender and recipient e-mail addresses.  I would assume so but nobody talks about the details.  What metadata trail does a user leave when using SSL/TLS.  Is it is as simple as the destination and sending IP address with everything else encrypted?  Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail.  At the end of the day I am trying to understand how much protection SSL really provides.

SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work?  However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear.  Lets address them one by one.

SSL and TLS Security

Read the rest of this post »

Do you need a VPN for Secure Email in a Wireless Hotspot?

Tuesday, January 28th, 2014

LuxSci has been approached by many people asking for VPN (Virtual Private Network) services.  When we ask them why, they indicate that they use wireless hotspots (like at Starbucks and other public places) that are insecure and untrusted and they want to be sure that their email is secure and encrypted there.*

Note that even if the hotspot is password protected and “secure”, that does not mean that it is “trusted”.  The hot stop administrators or other users of that hotspot could still try to intercept your Internet traffic.  So, just because it is a “secure” hotspot with the little lock next to it and a password that you must enter, do not assume you are safe at all.

Read the rest of this post »