Bolstering Remote Access Security
Expert Outlines Steps to Prevent Unauthorized Data Access
The recent string of hacker attacks in the healthcare sector, such as those on Anthem Inc. and Premera Blue Cross, is a reminder of the need for organizations to re-assess whether they're following critical best practices to secure remote access to protected health information, says security expert Gary Glover.
"It's amazing that most of the compromises we're seeing [involved inappropriate] remote access that could've easily been prevented with strong passwords," Glover says in an interview with Information Security Media Group.
Healthcare organizations also should consider implementing more sophisticated authentication, including the use of biometrics and tokens, he stresses. "The highest level of security for remote access is ... multi-factor authentication," says Glover, director of security assessment at consulting firm SecurityMetrics.
But use of advanced authentication is still relatively rare in healthcare, according to the recently released 2015 Healthcare Information Security Today survey of security and privacy leaders. The survey shows that the most common form of authentication, by far, is user name and password, for both on-site and remote access to electronic health record systems.
Beyond the use of more sophisticated forms of authentication, organizations should ramp up workforce training and awareness to help prevent breaches that are a result of phishing attacks, Glover says.
"Social engineering attacks are very common and very successful in most cases where people are posing as HR [representatives] or the IT department, saying 'there's a problem with your password, please let me know what it is and I'll help you reset it'," he says.
In the interview, he discusses:
- Common remote access applications and why they're vulnerable;
- How recent hacker attacks in healthcare and other sectors might have been prevented;
- How he was recently able to demonstrate gaining unauthorized access to physician practice data while in the waiting room of his own doctor's office.
Glover is the director of security assessment at SecurityMetrics and holds a number of professional certifications, including QSA (Qualified Security Assessor), PA-QSA (Payment Application Qualified Security Assessor), CISSP (Certified Information Systems Security Professional), and CISA (Certified Information Systems Auditor). He has worked in the IT security industry as a QSA for more than 10 years. Before that, Glover was a software engineer at Novell, McDonnell Douglas and several startups.