I’ve been getting a lot of questions from my contacts at all levels of healthcare organizations concerning the best way to protect clinical infrastructure environments without impacting patient care. It comes down to three things – a username, password and human behavior.
Admit it – how many of us use the same username and password for a number of applications and/or websites?
When evaluating applications for our organizations, do we treat the following as a plus because they save our end users time and frustration?
- Lightweight Directory Access Protocol (LDAP) integration
- LDAP and Single Sign-On (SSO) enabled
- SSO application enabled
In addition, do we allow the following within our desktop infrastructure to satisfy the demands of select user workgroups?
- Devices that auto-login to the production network?
- Applications with unreasonably long timeouts?
- Devices with extended timeouts?
- Devices WITHOUT locking screen savers?
- Devices that access the production environment being handed to patients?
- Privileged users using a single account for everything?
- No dual-factor authentication for remote access?
Reviewing the 88 security breaches reported to the Department of Health and Human Services that involved unauthorized access to a healthcare organization's production environment, the vast majority could have been addressed by simple changes to our infrastructure and major changes in our end users' behavior.
Start with easy-to-implement changes within our IT departments:
- All privileged users need two accounts moving forward: separate administrative functions on servers, end-user devices and network infrastructure from basic user functions like email and web surfing.
- Enable dual-factor authentication for all IT staff members.
- Enforce complex passwords for all privileged accounts (15-character alphanumeric passwords with two special characters).
- Utilize SCCM and other Microsoft tools to identify and uninstall any unauthorized applications.
- Change usernames so they contain no commonly identifiable information (e.g. an employee number with some letters at the beginning and end).
- Prevent standard users from logging into servers with elevated privileges.
- Disable LDAP authentication to EHR applications for all system administrators, analysts and engineers.
- Enforce locking screen savers on all IT end-user devices: a maximum timeout of five minutes for privileged users and 15 minutes for standard users.
- Enforce screen saver passwords.
- Enforce dual-factor authentication for all logins – local and remote.
- Enforce encryption on all devices.
- Enforce a Group Policy Object (GPO) that disables the use of USB drives unless the device is whitelisted and encrypted.
- Enforce corporate policy restricting the use of personal devices within the organization, and ensure that any device permitted complies with the company's Mobile Device Management (MDM) policy.
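Several of the desktop pitfalls listed earlier (auto-login, missing or unlocked screen savers, one account for everything) and the checklist items just above are things a Windows endpoint can be checked for in one pass. The script below is an added example and is not code from the original post: a read-only PowerShell audit that reads the standard Windows registry locations and cmdlets for each setting and reports pass/fail against the post's thresholds (5-minute lock for privileged users, 15 minutes for standard users, 15-character minimum password length). The local Administrators check is a heuristic of my own: it assumes that admin rights should arrive through dedicated admin groups rather than individual day-to-day accounts, which is what the two-account rule implies.

```powershell
# Added example, not code from the original post. Read-only audit of a Windows
# endpoint against the checklist above; nothing is modified. Registry paths and
# cmdlets are standard Windows ones; the thresholds (5/15-minute lock,
# 15-character passwords) are the post's. Run elevated on PowerShell 5.1 or later.

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Check {
    # One row of the audit report.
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-WorkstationBaseline {
    [CmdletBinding()]
    param(
        # Privileged users get the 5-minute lock; standard users 15 minutes.
        [switch]$PrivilegedUser
    )
    $maxLock = if ($PrivilegedUser) { 5 * 60 } else { 15 * 60 }   # seconds
    $checks  = @()

    # 1. Locking screen saver. GPO-delivered values live under the Policies key
    #    and override the per-user values, so read the policy key first.
    $policy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user    = 'HKCU:\Control Panel\Desktop'
    $timeout = Get-RegValue $policy 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Get-RegValue $user 'ScreenSaveTimeOut' }
    $secure  = Get-RegValue $policy 'ScreenSaverIsSecure'
    if ($null -eq $secure)  { $secure  = Get-RegValue $user 'ScreenSaverIsSecure' }
    $t = $timeout -as [int]                       # REG_SZ seconds; $null if unparsable
    $timeoutOk = ($null -ne $t) -and ($t -gt 0) -and ($t -le $maxLock)
    $checks += New-Check 'Screen saver lock timeout' $timeoutOk "timeout=$timeout s, allowed max=$maxLock s"
    $checks += New-Check 'Screen saver requires password' ([string]$secure -eq '1') "ScreenSaverIsSecure=$secure"

    # 2. No automatic logon: AutoAdminLogon must be off and no DefaultPassword stored.
    $winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $autoLogon = Get-RegValue $winlogon 'AutoAdminLogon'
    $storedPw  = Get-RegValue $winlogon 'DefaultPassword'
    $checks += New-Check 'No automatic logon' (([string]$autoLogon -ne '1') -and ($null -eq $storedPw)) `
        "AutoAdminLogon=$autoLogon; DefaultPassword stored=$($null -ne $storedPw)"

    # 3. USB mass storage blocked, either by disabling the USBSTOR service
    #    (Start=4) or by the "All Removable Storage classes: Deny all access" GPO.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    $checks += New-Check 'USB mass storage blocked' (($usbStart -eq 4) -or ($denyAll -eq 1)) `
        "USBSTOR Start=$usbStart; RemovableStorageDevices Deny_All=$denyAll"

    # 4. Full-disk encryption on the system drive (needs the BitLocker module).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $checks += New-Check 'System drive encrypted' ($vol.ProtectionStatus -eq 'On') "ProtectionStatus=$($vol.ProtectionStatus)"
    } catch {
        $checks += New-Check 'System drive encrypted' $false "BitLocker status unavailable: $($_.Exception.Message)"
    }

    # 5. Minimum password length of the local account policy (English output of
    #    "net accounts" assumed; add /domain to read the domain policy instead).
    $lenLine = (net accounts) | Select-String 'Minimum password length'
    $minLen  = if ($lenLine) { [int]($lenLine.ToString() -replace '\D', '') } else { 0 }
    $checks += New-Check 'Minimum password length >= 15' ($minLen -ge 15) "Minimum password length=$minLen"

    # 6. Separate admin accounts (heuristic, an assumption of this example): the
    #    local Administrators group should contain dedicated admin groups, not
    #    individual user accounts. The built-in RID-500 Administrator is always
    #    listed and is excluded.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $direct  = @($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' })
        $checks += New-Check 'No individual accounts in local Administrators' ($direct.Count -eq 0) `
            ('Direct user members: ' + (($direct | ForEach-Object Name) -join ', '))
    } catch {
        $checks += New-Check 'No individual accounts in local Administrators' $false "Query failed: $($_.Exception.Message)"
    }

    return $checks
}

# Usage: one row per check; every row with Pass = False is a gap to close.
Test-WorkstationBaseline -PrivilegedUser | Format-Table -AutoSize
```

Run it with `-PrivilegedUser` on administrative workstations and without it on standard ones; the screen-saver values are read from HKCU, so run it in the context of the user whose desktop you are assessing. Failing rows map directly onto the checklist items above, and once the script is packaged as an SCCM compliance item or a scheduled task the same report can be collected fleet-wide instead of desk by desk.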
These are simple, easy-to-implement measures, and putting them in place positions the organization to advance in areas like a systemwide SSO solution and Electronic Prescription of Controlled Substances (EPCS).
Other sectors have been making these changes for years. We are now the targets of attempts to get privileged information, and we need to protect ourselves the same way other industries have been doing for decades.