
Fight off hackers by focusing on these risk areas

HIPAA Training Advisor, March 9, 2006


When it comes to information security, most potential risks are internal, specifically in terms of getting employees and others within your organization to follow your policies and procedures. But you can monitor and control what those people do and how they act, and take action against wrongdoers.

It's much more difficult to control those outside your organization. That's why you need to constantly monitor and correct your security weaknesses and try to anticipate hackers' next point of attack, says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, senior security consultant at Shavlik Technologies in Roseville, MN. "Time is on the hackers' side. They have all the time in the world to find weaknesses in your security."

The key is to find those weaknesses first. Consider the following risk areas:

  • Lack of intrusion detection/prevention. Intrusion-detection software sends an alert when it notices a possible intrusion to the server or network. However, it also can be expensive, especially for small organizations, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. It typically requires someone to monitor and adjust the settings.

    Intrusion prevention goes one step further than detection because it actively disallows certain transmissions, says Jeff Crume, CISSP, executive information technology security architect for IBM Product Introduction + Exploration at IBM Corporation. "Vendors are saying that prevention doesn't require as much maintenance and fine-tuning [as detection]." But it's still new, so there isn't much of a difference yet, he says.

  • Failure to patch vulnerabilities, update software. Organizations must periodically assess and patch vulnerabilities, or holes, in applications and networks, Ensenbach says. "Hackers will look for these areas of vulnerability." This also includes keeping antivirus software up to date.

    Malware, including viruses and Trojan horses, was once the tool of hackers looking to make headlines, Crume says. Now it is also used for profit, notably to send spam. "It is heavily used by businesses and is usually more of a pain than anything," Apgar says. But it can capture passwords and other sensitive information.

  • Exceptions to internal policies. Organizations sometimes circumvent policies to accommodate people's needs, Ensenbach says. For example, someone may open a port in a firewall to allow a connection for an online meeting and then leave the port open. That's where the increased risk occurs, he says.

  • Improper use of laptops and wireless devices. Physicians, temporary employees, and others sometimes try to avoid your firewall and end up bringing viruses into your organization through laptops and wireless devices, Crume says. To avoid this, create a secure environment by using antivirus software, scanning, appropriate signatures, power-on passwords, and firewalls. It may even mean limiting access. Consider providing Internet access, but not Intranet access to visitors, he says. "It's not all or nothing."

  • Improper authentication. Hackers attack where you send and receive messages, Apgar says. "Authentication needs to happen before the messages leave the firewall." It's also crucial to change the default passwords or settings, Ensenbach says.

  • Lack of encryption. "All security decisions go back to your risk analysis," says Crume. "What are the perceived risks and costs for mitigating those risks? Clearly, there's some data that doesn't need to be encrypted."

    But you do need to protect sensitive information, and not just e-mail. Data sitting on your server is equally important, if not more so, Crume says. "It's a sitting duck."

  • Failure to periodically evaluate network security. "You have to rattle the door handles," Ensenbach says. Find an expert (even a consultant) to look at firewalls, configurations, audit logs, and other aspects of your organization's information security program on a regular basis.

    Set parameters for audit logs, including the acceptable number of log-on attempts before the system prevents an individual from logging on, and check them as often as possible, Ensenbach says. "Daily is ideal."

    Make sure you have a qualified professional doing the evaluating. You need someone with appropriate expertise to manage and evaluate security: someone with at least a couple of years of experience, he says.

    The best information security program includes intrusion detection or prevention, encryption, and proper authentication, Apgar says. "No solution is perfect, but it could be worth the small headaches for better security."

    Periodically conduct penetration testing, review your organization's policies, and audit access. It could save you from a hacker.
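As an added example (not part of the original article), here is the kind of daily audit-log review the log-on threshold advice above describes: a script that flags accounts whose failed log-on attempts within a time window reach the lockout threshold, and notes whether a successful log-on followed anyway, which is worth investigating. The log line format, the `max_attempts` and `window` parameters, and the sample entries are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data), one log-on event per line.
SAMPLE_LOG = """\
2006-03-09 08:01:12 LOGIN user=jsmith result=FAIL
2006-03-09 08:01:40 LOGIN user=jsmith result=FAIL
2006-03-09 08:02:05 LOGIN user=jsmith result=FAIL
2006-03-09 08:02:33 LOGIN user=jsmith result=FAIL
2006-03-09 08:03:01 LOGIN user=jsmith result=SUCCESS
2006-03-09 09:15:00 LOGIN user=mlee result=FAIL
2006-03-09 09:40:00 LOGIN user=mlee result=SUCCESS
2006-03-09 22:10:00 LOGIN user=admin result=FAIL
2006-03-09 22:10:05 LOGIN user=admin result=FAIL
2006-03-09 22:10:09 LOGIN user=admin result=FAIL
"""

# Assumed line layout: "<date> <time> LOGIN user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) result=(FAIL|SUCCESS)$")


def parse(log_text):
    """Yield (timestamp, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def review_logons(log_text, max_attempts=3, window=timedelta(minutes=15)):
    """Flag users whose failed log-ons inside `window` reach `max_attempts`.

    Returns {user: {"failures": peak count, "first_flagged": datetime,
                    "success_after": True if a log-on later succeeded}}.
    A success after the threshold means the lockout did not hold, or that
    the account was reached anyway, and should be reviewed by a person."""
    recent_fails = defaultdict(list)
    flagged = {}
    for ts, user, result in parse(log_text):
        if result == "FAIL":
            # Keep only failures still inside the sliding window, then add this one.
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            count = len(recent_fails[user])
            if count >= max_attempts:
                entry = flagged.setdefault(user, {"failures": 0, "first_flagged": ts,
                                                  "success_after": False})
                entry["failures"] = max(entry["failures"], count)
        else:
            if user in flagged:
                flagged[user]["success_after"] = True
            recent_fails[user] = []  # a successful log-on resets the counter
    return flagged


if __name__ == "__main__":
    for user, info in review_logons(SAMPLE_LOG).items():
        print(f"{user}: {info['failures']} failures from {info['first_flagged']}, "
              f"success afterwards: {info['success_after']}")
```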

Editor's note: Adapted from "Fight off hackers by focusing on these risk areas," Briefings on HIPAA, February 2006.
