By CURTIS PARTRIDGE
When someone describes the "dark web" it sounds like the stuff of a thriller novel or science fiction. Sadly, the dark web is all too real. It is the other "internet" for criminals and their activities. Access to the dark web is only available via a special browser and it is not indexed by search engines. Some of the things you can find on the dark web include credit card numbers, drugs, guns, counterfeit money, stolen subscription credentials such as Netflix, and software the helps you break into other people's computers.
Where this becomes a problem for a practice owner or manager is those stolen subscription credentials. Imagine your employee left the front door keys on a park bench. Not a large security problem unless there is also a card attached with your practice name and the alarm code. Those stolen subscription credentials are like those keys with that tag.
Many people have developed the habit of reusing the same login credentials across all their accounts. This could be their social media, Netflix, online banking, and your cloud-based EHR. Imagine all the places you use credentials and it easy to see why users re-use the same credentials. It is impossible to remember different credentials for every site and resource.
Online credentials have real value to criminals. According to a recent report by NBC News, online bank account passwords cost on average $160.15. A set of Uber credentials can be obtained for just $7. Usually an individual's personal identity can be purchased for about $1200.
When a criminal obtains stolen credentials, they can usually in a short amount of time figure out how to access the systems a practice uses via employee access. They can do this through some simple research or just guessing. There are only a few large providers of services such as email, etc. Once they access one system it allows them to burrow deeper into your practice systems by giving themselves permissions.
What can you do to stop this? The first thing is to find out if you or your employees have exposed credentials on the dark web. There are organizations that can run a dark web scan periodically to find out if you have been exposed. They will generate a periodic report that lists the affected credentials, and some can also provide the password that was exposed so you can confirm if it current.
The second group of steps you can take is to institute good password practices and tools. There are basic requirements for a secure user password:
- Random letters and numbers with no words
- At least one each number, lower-case letter, upper-case letter, and a special character such as * & $
- Minimum of 10 characters - the more the better
There are fortunately some good tools on the market to generate suitable passwords and manage your credentials. A tool we have tested and approve is LastPass. It is available in every major browser as well as mobile devices. The latest version of Apple's iOS can even incorporate LastPass to assist you with access to your passwords securely.
It is critical to teach employees to never share credentials with anyone. This includes co-workers and supervisors. Many credentials are leaked via social engineering in the form of a phone call or via email.
If you do need to change or update a co-worker's password, be sure to do so in person if possible. If you must do so via telephone, be sure to confirm the caller's identity. Be sure to never email a new password to a user.
Curtis Partridge has over 20 years of experience in information technology focused on small to medium businesses. He has been a corporate IT manager as well as a consultant. He is currently Senior Systems Engineer for Lotus Management Services consults with businesses to implement and manage technology solutions.