Avoiding Sony’s Situation

There are two things you need to know about the Sony hacking scandal – and how it potentially relates to your practice’s online security.

1. What happened to Sony could happen to any firm.

In a large share of breaches, and by most accounts in Sony's case too, the attackers did not need sophisticated exploits: weak or reused passwords, and passwords kept where anyone on the network could read them, gave them access to huge volumes of unprotected data.

It is no stretch to say that many businesses still allow easy-to-guess passwords, and attackers know it. Guessing or cracking a weak password is the cheapest way into a network, far cheaper than finding a flaw in the software.

Exacerbating the problem is what is called "plaintext" password storage: passwords kept as they are, readable by anyone who opens the file or database that holds them, whether that is a login system that compares each attempt against the stored passwords or a spreadsheet of shared logins kept for convenience. This works fine until someone gets access to that file, at which point every password in it is theirs. A properly built system stores only a salted, slow hash of each password, so a stolen copy of the file yields nothing that can be typed into a login screen.

For instance, if "PASSWORD" is what guards the account or shared drive where such a file lives, one guess hands an attacker the entire company's list of logins, for everything from banking to trade secrets to email accounts.

In modern computer security, a plaintext password system is the vehicle equivalent of locking the doors, but leaving the windows open, the keys in the ignition and the tank full of gas.
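To make the difference concrete, here is an added example (not code from the original article or from Sony's systems) showing the two designs side by side: a login check against a plaintext password file, and the hardened form that stores only a per-user salt and a PBKDF2 hash. The usernames and passwords are constructed sample data, and `secrets_exposed_by_theft` is a hypothetical helper that shows what a thief who copies each store actually learns.

```python
import hashlib
import hmac
import os

# Constructed sample "password document" of the kind the article describes:
# usernames mapped to the passwords themselves. Anyone who copies this file
# can log in as every user without guessing anything.
PLAINTEXT_STORE = {
    "frontdesk": "PASSWORD",
    "hygienist": "PASSWORD",   # same weak password as frontdesk
    "drsmith": "Summer2014",
}


def check_plaintext(store, username, password):
    """Vulnerable: the login check compares against the stored password itself."""
    return store.get(username) == password


# Hardened alternative: store a random per-user salt and a slow hash of the
# password (PBKDF2-HMAC-SHA256; 600k iterations follows current OWASP guidance).
# The password itself is never written anywhere.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password, iterations=PBKDF2_ITERATIONS):
    """Build the record stored for a user: salt, hash and iteration count."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def check_hashed(store, username, password):
    """Hardened login check: recompute the hash and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist, then refuse.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\0" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_hashed_store(plaintext_store):
    """One-time migration: replace each plaintext password with its hashed record."""
    return {user: make_record(pw) for user, pw in plaintext_store.items()}


def secrets_exposed_by_theft(store):
    """Hypothetical helper: what a thief who copies the store walks away with.
    For the plaintext store, every password; for the hashed store, nothing
    that can be typed into a login screen."""
    return sorted({v for v in store.values() if isinstance(v, str)})


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    print("plaintext store leaks:", secrets_exposed_by_theft(PLAINTEXT_STORE))
    print("hashed store leaks:", secrets_exposed_by_theft(hashed))
    print("frontdesk login ok:", check_hashed(hashed, "frontdesk", "PASSWORD"))
    print("same password, different records:",
          hashed["frontdesk"]["hash"] != hashed["hygienist"]["hash"])
```

Two details worth noticing: the front desk and the hygienist chose the same password, yet their stored records differ because each has its own salt, so a thief cannot even tell they match; and a stolen hashed store still has to be cracked one slow guess at a time, which is exactly where a strong password pays off.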

2. It probably wasn’t North Korea.

Though the FBI points the finger at North Korea, most crimes of this scale are perpetrated by insiders, whether the crime is theft, graft or fraud. It is almost always an insider, and some technical clues in this case point towards insiders too.

Whoever was behind Sony, for a small business such as a dental office, being targeted by a foreign government is so far down the list of realistic threats that it is not worth planning for.

It is far more likely that you will be stolen from, or have records exposed, by your own employees, or by someone who got hold of an employee's password.

The implications for a medical practice: protect patient information with strong passwords; give every member of the practice their own login rather than a shared one, so the system records who accessed which records and when; limit each login to the access that person's job actually requires; disable a login the day that person leaves; and insist on a strong password for every account.

Just as you lock your office and the filing cabinets that hold paper records, you need strong locks, meaning strong passwords, on your electronic records.

There are plenty of tools that generate strong, random passwords, and a password manager will both generate and remember them so nobody has to write them on a sticky note. If you make one up yourself, the rule is that it should be long and should not be built from dictionary words, names, phone numbers, addresses, birthdays or other personal information, or from common sequences such as "qwerty" or "1234". Never reuse a password between accounts: a password leaked from one site is the first thing an attacker tries everywhere else.
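As an added example (not a tool from the original article), the following script applies those rules in code: it rejects passwords built from common words, a practice's own personal details, keyboard rows or sequential runs, and it generates replacements from the operating system's cryptographic random source. The word list and the `PRACTICE_PERSONAL_INFO` entries are constructed, deliberately tiny samples; a real checker would load a large wordlist and a breached-password list instead.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed, deliberately tiny lists. A real checker would load a large
# wordlist (and a breached-password list) rather than these few entries.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "dental", "summer"}
KEYBOARD_ROWS = ("qwer", "asdf", "zxcv")
# Hypothetical personal details for one practice: the owner's surname, a birth
# year, the office phone number and street, all things staff know or can look up.
PRACTICE_PERSONAL_INFO = {"smith", "1985", "5551234", "main street", "mainst"}

MIN_LENGTH = 12


def has_sequential_run(s, n=4):
    """True if s contains n consecutive characters that step by +1 or -1
    (1234, abcd, 9876, ...) or n copies of the same character (aaaa)."""
    for i in range(len(s) - n + 1):
        window = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def weakness_reasons(password, personal_info=PRACTICE_PERSONAL_INFO):
    """Return the list of rules the password breaks; an empty list means it passes."""
    low = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(COMMON_WORDS):
        if word in low:
            reasons.append(f"contains common word '{word}'")
    for item in sorted(personal_info):
        if item.lower() in low:
            reasons.append(f"contains personal information '{item}'")
    for row in KEYBOARD_ROWS:
        if row in low:
            reasons.append(f"contains keyboard sequence '{row}'")
    if has_sequential_run(password):
        reasons.append("contains a sequential or repeated run of characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, max_attempts=100):
    """Draw a random password from the CSPRNG (secrets, never random) and keep
    it only if it passes the same checker, so an unlucky draw that happens to
    contain '1234' or 'asdf' is discarded rather than handed to a user."""
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weakness_reasons(candidate):
            return candidate
    raise RuntimeError("could not generate an acceptable password")


if __name__ == "__main__":
    for pw in ("PASSWORD", "Summer2014", "DrSmith1985!", generate_password()):
        print(f"{pw!r}: {weakness_reasons(pw) or 'OK'}")
    print(f"a random 20-character password has about {entropy_bits(20):.0f} bits of entropy")
```

The generator uses the `secrets` module rather than `random`, because `random` is a predictable generator meant for simulations, not for secrets. A 20-character password drawn uniformly from 94 symbols carries about 131 bits of entropy, far beyond what any guessing attack can exhaust, which is why a generated password plus a password manager beats anything a person invents.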