Thursday, February 19, 2009

Single Sign On... Single Factor?

Fairfield Medical Center announced its adoption of a single sign on (SSO) solution... but the announcement mentions nothing beyond management of passwords. SSO is a great tool, and it makes sense for most organizations, but it also concentrates risk: one compromised password now unlocks every system behind the SSO front door. HIPAA compliance is probably at the top of Fairfield's list, so I hope they're considering how to implement multi-factor authentication of some sort, particularly for remote log-on to their systems. Otherwise, anyone can impersonate an authorized doctor or staff member simply by guessing, buying, or stealing a single password. Outfitting each staffer with a physical "key" of some sort means that a stolen password alone is no longer enough to log in, and the integrity of the system can be maintained.

Tuesday, February 17, 2009

P2P Networks Expose Health Information

This article in Secure Computing Magazine discusses the risks posed by P2P network software, primarily file sharing systems like LimeWire. Medical data is leaking at an alarming rate via tools like this, because they are difficult to control and routinely share far more of a user's drive than the user intended, often entire folders of documents alongside the music that was meant to be shared. While this article focuses on healthcare data being exposed, it is just one kind of information that is leaking. Financial records, Social Security numbers, and other data are at risk as well. Perhaps most importantly, passwords and logon credentials are leaking, putting additional systems at risk and threatening a chain reaction. Obviously, banning the use of P2P sharing software would be a good step, and most likely necessary for HIPAA compliance (or Sarbanes-Oxley compliance for that matter), but it is equally important to implement "view-only" systems that prevent the download of sensitive data in the first place, and to protect vulnerable networks and corporate software systems with authentication that can stand up to the loss of passwords and login codes.

Monday, February 16, 2009

Massachusetts Extends Encryption Deadline

As reported here in Network World, Massachusetts has extended the deadline on its data encryption law until January 1, 2010. The law mandates encryption of sensitive data, particularly personal data such as a combination of a name along with a Social Security number, bank account number, or credit card number.

The law is a good start, but still includes too many loopholes in my opinion. For instance, rather than mandating 2-factor authentication, it calls for "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices" (17.04 (1) (ii)). There's no incentive to actually implement unique identifier technologies in that language: instead, just set up a policy for some sort of password rotation and declare it to be "reasonably secure"...

Similarly, in 17.04 (3), the law requires that "To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly." I'm having a hard time thinking of many, if any, cases in which it is technically infeasible to apply encryption to records and files being transmitted across public and/or wireless networks. Why is the modifier necessary?

With the drumbeat of data breaches growing ever more constant, it seems that now is the time to get tough and demand -- not just suggest -- the use of best practices in encryption and authentication.


Wednesday, February 11, 2009

Data Breaches More Costly Than Ever

According to the latest study by the Ponemon Institute, as reported in The Washington Post, the average cost of recovering from a data breach has risen to $6.6 million. Even for small companies, an average cost of $202 per customer record adds up quickly to a crushing blow. Now more than ever, it's critical to protect yourself from data loss. That means encrypting data at rest on hard drives and USB flash drives, encrypting data in motion when remotely accessing information outside the office or sending data between people, and perhaps most importantly, focusing on strong authentication to ensure that the bad guys can't get in to your systems, even if they succeed in stealing a password or poking a hole in your outer defenses. A little bit of time, attention, and investment in security now will prevent your business from paying a potentially fatal price down the road.

Tuesday, February 10, 2009

FAA Hacked

Another high-profile case of data loss occurred last week, when the FAA was hacked. Apparently, files containing social security numbers and medical information for 45,000 current and former FAA employees were compromised.

The data breach drumbeat just keeps getting louder. Take steps now to protect yourself - encryption, 2-factor authentication, strong networking practices, etc.

Monday, February 9, 2009

Kaiser Permanente, too...

After a recent data breach in California, 30,000 Kaiser employees are now at risk of identity theft, and the company is at risk of break-ins on any of its systems that lack 2-factor authentication... Just another example of how easy it is to have your password compromised, even through no fault of your own.


Sunday, February 8, 2009

Monster.com Employee Passwords Compromised

As described in this article, Monster.com employee login credentials were recently stolen. Now that hackers have their passwords, Monster's systems are at risk until every last password is changed -- and those users who happen to reuse the same passwords all over the place are at even greater risk. The solution, of course, is 2-factor authentication. If your password is only half of the login equation, you're protected even if the password is compromised.

That's the foundation of the SafeTelework with Enterprise-in-a-Flash system, based on patented 2-factor authentication. Ours isn't the only way to do it, though we think it's the best. Even if you choose a different product, please be sure it has 2-factor authentication enforcement 100% of the time. Otherwise, you're just putting yourself at risk.
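To make the "password is only half of the login" point concrete, here is an added example of what a server-side two-factor check looks like. It is illustrative code written for this post, not SafeTelework, Enterprise-in-a-Flash, or any product mentioned above; it pairs a salted PBKDF2 password hash (an assumed choice) with an event-based HOTP token code per RFC 4226, the kind of one-time code a physical key fob generates. The account, username, password and look-ahead window are all constructed for the example.

```python
"""Two-factor login: salted password hash plus an RFC 4226 HOTP token code.
Added illustration; not code from any product mentioned in the post."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumption: any slow, salted password hash would do
LOOK_AHEAD = 3                # re-sync tolerance for a token pressed without logging in


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    token_secret: bytes     # shared with the user's key fob at enrollment
    token_counter: int = 0  # next counter value the server will accept


def enroll(username: str, password: str, token_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), token_secret)


def login(account: Account, password: str, code: str):
    """Check both factors on every attempt; there is no password-only path.

    Returns (ok, reason). The reason is deliberately identical for a bad
    password and a bad code, so an attacker holding one stolen factor
    cannot confirm it from the error message."""
    password_ok = hmac.compare_digest(
        hash_password(password, account.salt), account.password_hash)

    # Accept the code only within [counter, counter + LOOK_AHEAD]. Compare every
    # candidate so the loop does not leak which counter (if any) matched.
    matched = None
    for c in range(account.token_counter, account.token_counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(account.token_secret, c).encode(), code.encode()):
            matched = c if matched is None else matched

    if not password_ok or matched is None:
        return False, "authentication failed"

    # Consume the matched counter: the same code can never be replayed, which
    # is what makes a password stolen alongside one code still insufficient.
    account.token_counter = matched + 1
    return True, "ok"


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; the account details are constructed.
    fob_secret = b"12345678901234567890"
    acct = enroll("dr.example", "correct horse battery", fob_secret)
    print(login(acct, "correct horse battery", ""))         # password only: rejected
    print(login(acct, "stolen-guess", hotp(fob_secret, 0)))  # code only: rejected
    print(login(acct, "correct horse battery", hotp(fob_secret, 0)))  # both: accepted
    print(login(acct, "correct horse battery", hotp(fob_secret, 0)))  # replay: rejected
```

The two details worth copying are that the password and the token are evaluated on every attempt with a single generic failure message, and that a matched counter is consumed, so a code captured along with the password (say, by the same P2P leak or keylogger) cannot be replayed later.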
