Russian Password Hack – Why Security Matters

Takeaways:  If you use the same user name and password for anything that has access to PHI and for some other mundane website or service (even a small one), change it today.  In fact, make sure each of your PHI passwords is different from every other password you use.  If one is stolen, the others still have a fighting chance.

Security is no longer something you can avoid, you have to lock the doors and take the keys with you.

The news is out that a group of Russian hackers has accumulated 1.2 billion credentials and over 500 million email addresses.  A story like this shows why security matters for everyone, and especially for those trying to protect health information under HIPAA.  It is clear that the tools and effort behind cyber-crime are easily outpacing those trying to prevent it.

There are so many people we encounter who push back while we are trying to implement HIPAA security requirements.  They argue that it slows them down, or that it really isn’t necessary because they don’t have anything anybody wants.  The details behind this story will continue to emerge, but based on what we already know, certain things about those statements are clearly wrong.

It would be so much easier if I never locked my house or my car, so I didn’t have to always be looking for my keys.  My grandparents lived that way their whole lives, but not one of their many offspring will be able to say the same.  There are very few places in the US where you can still live that way, and there is a reason for it: as more people move into the neighborhood you can’t get to know all of them, and more people around raises the likelihood of criminal elements.  On the web, the whole world lives nearby.  One estimate puts the number of Internet users at nearly 3 billion, and there are a lot of sketchy neighbors on that block!

Security may slow you down, but usually that is because you have gone from virtually no security at all to some security being required.  The industry is pushing cloud and application vendors to provide additional levels of authentication beyond a simple user name and password (a second factor such as a one-time code from your phone), and it is slowly happening.  Why?  Because people are so careless with their user names and passwords that they are becoming as useless as the meerkat picture is to this article.  🙂 The average user has never been held to proper security requirements, because doing so was inconvenient, took too much time to manage, or drew complaints about slowing people down.  The result is where we are today: your credentials can likely be purchased for a pittance on the black market.  If you use the same user name and password for almost everything you do, then everything you access and think you control on the web is really just a few dollars, yen, euros, or bitcoins away from being taken over, whether you know it or not.
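The audit the takeaway asks for, finding every PHI account whose password is also used somewhere else, is easy to script once you have a password-manager export in hand. The following is an added example, not code from the original post; the account records and the "phi" flag marking accounts with access to protected health information are constructed for illustration, and the script compares password digests so the report never echoes a plaintext password.

```python
import hashlib
from collections import defaultdict

# Constructed sample records, shaped like a parsed password-manager export.
# The "phi" flag (an assumption for this example) marks accounts that can
# reach protected health information. The ".test" domains are placeholders.
ACCOUNTS = [
    {"site": "ehr.example-clinic.test", "user": "jdoe", "password": "Winter2014!", "phi": True},
    {"site": "billing.example-clinic.test", "user": "jdoe", "password": "Winter2014!", "phi": True},
    {"site": "recipes.example.test", "user": "jdoe", "password": "Winter2014!", "phi": False},
    {"site": "forum.example.test", "user": "jdoe@example.test", "password": "hunter2", "phi": False},
    {"site": "portal.example-clinic.test", "user": "jdoe", "password": "correct horse battery staple", "phi": True},
]


def fingerprint(password):
    """SHA-256 digest of the password, so grouping and reporting never use plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_groups(accounts):
    """Map each password fingerprint that appears on two or more accounts to those accounts."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[fingerprint(acct["password"])].append(acct)
    return {fp: accts for fp, accts in groups.items() if len(accts) > 1}


def phi_at_risk(accounts):
    """List PHI accounts whose password is shared with any other account.

    Each finding is (site, severity, other_sites). Severity is
    "cross-boundary" when the same password is also used on a non-PHI
    site (a breach there hands the attacker a PHI credential), otherwise
    "phi-only". Both should be rotated; cross-boundary first.
    """
    findings = []
    for accts in reuse_groups(accounts).values():
        crosses_boundary = any(not a["phi"] for a in accts)
        severity = "cross-boundary" if crosses_boundary else "phi-only"
        for acct in accts:
            if not acct["phi"]:
                continue
            others = sorted(a["site"] for a in accts if a is not acct)
            findings.append((acct["site"], severity, others))
    return sorted(findings)


if __name__ == "__main__":
    for site, severity, others in phi_at_risk(ACCOUNTS):
        print(f"{severity:15} {site}  shares a password with: {', '.join(others)}")
```

Run against the sample, the two clinic accounts that share "Winter2014!" with the recipe site are flagged cross-boundary, while the portal account with its own password is not listed. The non-PHI accounts are ignored here only because the takeaway is about PHI; the same grouping shows every other reuse as well.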

As for the “no one cares about little ol’ me” argument: the current information says this mass collection appears to have been built by attacking large sites as well as small ones.  Infecting a massive number of computers to do the criminals’ bidding as a botnet also extended their reach.  You may think your information is useless, but the power of your computer can be used to attack sites and steal from other people without your even knowing it, and a password stolen from a small site you don’t care about unlocks every other account where you reused it.  Basically, the way these criminals operate, your computer lets them steal huge volumes of information faster than a hot knife through butter.

Just as my grandparents started to learn about locking up and keeping up with keys, it is time for those in the Internet neighborhood to do the same.

Filed under: HIPAA Tagged: Business Associates, HIPAA, Security, Security Rule