Eyeworld

MAY 2015

EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.

Issue link: https://digital.eyeworld.org/i/511377


OPHTHALMOLOGY BUSINESS

Digital infection control: Keeping your data and networks clean

by Brendan Gallagher

In the operating room and other medical facilities, providing proper training and establishing and following recommended infection control protocols protect patients from avoidable harm and protect the professionals involved in terms of reputation and consequent legal issues. In the digital realm, failure to provide training, protocols, and procedures to protect the security of patient information and other data vital to the health of your practice has the potential to damage your reputation, and can result in financial loss and legal action.

The recent attack on Anthem—a massive breach of highly sensitive data—affected an estimated 80 million customers and employees and caused quite a stir in the healthcare and security communities. The culprit appears to be a compromised system administrator login, which demonstrates that anyone, even a seasoned IT professional, can be blindsided. This being the case, is it even possible for the typical everyday user to protect critical information from infection?

Hackers are clever when it comes to innovating new ways to break and enter, but the typical hacker is also lazy. If you provide effective training, and establish and follow recommended infection control protocols to protect your system, you could avoid being the "low-hanging fruit" that hackers target. There are several ways that you can move your data out of easy reach.

Halt! Who goes there?

Be skeptical when a website or email requests identifying information, directs you to change login information, or makes an incredible offer (if it's so "incredible," there's a good chance that it's not "credible"). Examine it carefully. Is the domain name just a few letters different from a well-known site? Were you expecting this communication? An unexpected, unsolicited email from the Better Business Bureau, FedEx, or UPS that asks for personal or login information and/or has an attachment is probably not legitimate. Be wary of any attachment sent by anyone other than a trusted source.

What's the password?

While basic in concept, a good username and password system can prove difficult to manage in practice. Everyone has more passwords than they can count. Keeping track of logins for operating systems, practice management, and electronic health records that change every few days can be a real challenge, but yellow sticky notes attached to the monitor or hidden under the keyboard are not a password management system.

There are ways to generate good passwords that are easy to remember—using multiple bits and pieces of information that are mixed together in unusual ways, for example. You can combine a special character, the last initial of your first name capitalized, the first 4 letters of your last name lower case, and the last 4 numbers of your zip code. Bob Smith living in New York would be !Bsmit0030. Establish a formula that includes these or similar elements, then add a letter of the alphabet when you are required to change your password at regular intervals. While this system is not perfect, it's an easy-to-learn, easy-to-remember formula that will generate much stronger passwords than a weak password (see "Leaky passwords").

Vendors and other business associates represent another potential source for password violations. Many times these logins have elevated permissions to perform tasks above that of a "normal" user. A breach of one of these passwords exposes your data and network to unnecessary risk.

It's the default's fault!

Many small businesses purchase network equipment from big box retailers. This is not an inherently bad practice, unless—as is all too often the case—these devices are set up and implemented without changing the default password. A default password on a wireless device can be particularly dangerous because it could allow someone from across the world to access your internal network without ever stepping into the practice. Most consumer devices broadcast what type of device they are; the default username and password are only a quick Google search away for someone who wants to access your internal network. To reduce risk, implement a policy that mandates identifying and changing default passwords for all devices on your network.

Unsociable networking

Who isn't well connected these days? You, your staff, and your patients all utilize social media of some type and web technology to entertain, educate, communicate, and inform, but you court disaster by allowing anyone to connect via your data network where protected health information and/or financial information resides. Hitchhiking on an otherwise innocent visit to Facebook or a Gmail account is one of the most common ways malware finds its way into an information system. Eliminating personal web activity (including smartphones with Wi-Fi) will not be popular with your staff but can substantially reduce the risk of a malware attack.

As a practical matter, it can be difficult to enforce an "unsocial" policy, so it may be easier to acquire a separate Internet connection for general access to popular sites such as YouTube, Facebook, Gmail, and Pandora. The second connection

continued on page 68
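
The question asked under "Halt! Who goes there?" (is the domain name just a few letters different from a well-known site?) can be checked automatically on incoming mail. The following is an added example, not part of the original article; the trusted list, the sample addresses in the comments and the function names are constructed for illustration.

```python
# Added example: flag sender domains that sit a few letters away from a trusted one.
# TRUSTED is a constructed allow-list; a practice would list the domains it really uses.
TRUSTED = {"fedex.com", "ups.com", "bbb.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify(address: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (verdict, matched trusted domain or None).

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    domain = sender_domain(address)
    names = sorted(trusted)  # fixed order so results are repeatable
    for t in names:
        # Exact match, or a subdomain such as mail.ups.com.
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    for t in names:
        # Trusted name used as leading labels of some other domain,
        # e.g. fedex.com.parcel-notice.example (constructed sample).
        if domain.startswith(t + "."):
            return "lookalike", t
    best = min(names, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, best) <= max_distance:
        return "lookalike", best
    return "unknown", None
```

Short names sit close to many legitimate domains, so keep the allow-list complete and treat a "lookalike" verdict as a prompt to examine the message, not as proof.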
