It seems that a week doesn’t go by where I don’t read about a new HIPAA violation or data breach. Often these breaches could be prevented by following some very basic security principles. Here are some simple security best practices that can help keep your data safe at home or work. (Please keep in mind, these tips are provided as advice only and are not intended as product endorsements or legal advice. All of these may not be applicable to your environment, and you need to evaluate your environment prior to implementing. Remember, vigilance is best when it comes to Internet security. Always seek guidance from an IT professional.)
Passwords should be a minimum of eight characters, including upper- and lower-case letters, at least one number and a special character. Passwords should be set to renew every 90 days, with limited reuse permitted.
Use modified phrases rather than single-word passwords. Create passwords from silly or nonsense phrases or sentences that also include non-alphabetic characters (numbers, punctuation, etc.). These passwords are easy to remember and are very secure:
- 3 blind-folded mice.
- You have 11 toes?
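As an added illustration (not part of the original post), the following Python check implements the policy above as stated: length and character classes, reuse against a history of salted hashes, and the 90-day renewal. The history depth of five is an assumption, since the post only says "limited reuse". Running it on the two sample phrases shows that "You have 11 toes?" satisfies every rule, while "3 blind-folded mice." is rejected only for lacking an upper-case letter.

```python
import hashlib
import os
import re
from datetime import date

MIN_LENGTH = 8        # "a minimum of eight characters"
MAX_AGE_DAYS = 90     # "renew every 90 days"
HISTORY_DEPTH = 5     # assumed reading of "limited reuse": the last five passwords


def complexity_problems(password):
    """Return the policy rules the password fails (an empty list means it passes)."""
    rules = [
        (len(password) >= MIN_LENGTH, "shorter than %d characters" % MIN_LENGTH),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[0-9]", password), "no number"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; the history keeps only (salt, digest), never the password."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_reused(password, history):
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def is_expired(set_on, today):
    """Dates are ISO strings such as '2024-01-15'; older than MAX_AGE_DAYS means renew."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age.days > MAX_AGE_DAYS


def check_password(password, history, set_on, today):
    """Run all three policy checks and return the list of problems found."""
    problems = complexity_problems(password)
    if is_reused(password, history):
        problems.append("reused from recent history")
    if is_expired(set_on, today):
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems
```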
Mozilla Firefox and Google Chrome should be used when possible. Both of these products update automatically and often disable plugins with security issues.
All of your business sites should use a hardware-based firewall at your network perimeter. Make sure you pay for security, software and firmware updates. Many of these devices can include licenses for antivirus and intrusion detection, and these should be purchased and kept updated as well if possible. SonicWall makes good firewalls for small businesses.
All of the software we use every day is likely riddled with security issues. Vendors constantly release patches to fix these flaws. Windows, Internet Explorer, Mozilla Firefox, Google Chrome, Adobe Flash, Adobe PDF reader, Java (which should be upgraded to the highest supported version) and Microsoft Office are all very commonly used programs that have constant issues.
Adobe Flash, Adobe PDF reader and Java are the most common vectors for Advanced Persistent Threat (APT) attacks. If used, these products should be updated constantly.
Updates should be set to automatic if possible. Windows updates should be checked for and installed at least weekly.
There is software that will check for updates automatically and install them for you. Secunia works at the desktop level and checks for third-party updates such as new Adobe and Java releases. Secunia will also check for Windows Updates.
Software on your computer or mobile device should be upgraded when possible. You should purchase or download newer versions of Mac OS, iOS, Android, Windows or Office when they are released. Software should be replaced when no longer supported. Currently Windows 7, Windows Server 2008 and Office 2010 are the oldest supported versions of Microsoft software.
If possible, you should use a centrally managed antivirus suite like Avast or Trend Micro. This should be set to update automatically, daily if not hourly. You should also run scheduled scans at least weekly. Microsoft offers a free product called Microsoft Security Essentials. (Note: Microsoft Security Essentials is built into Windows 8 and 10.)
Online Deception & Social Engineering
Social engineering is the use of deception to convince individuals to disclose confidential data or perform some action. Why would an attacker bother trying to beat your technical security when they can trick you into handing over access directly?
Everyone has seen examples of this such as fake emails from your bank or PayPal or maybe a phone call from someone claiming they need your personal information.
Some ways you can protect yourself from social engineering are:
- Keep antivirus, anti-malware and anti-spyware software up-to-date. Do not attempt to remove it.
- Do not open attachments, click on links or install software linked from suspicious-looking emails, whether from unknown senders or from people you know. Never open an attachment unless you are expecting it, even if it comes from someone you know.
- Never send requested personal information (passwords, social security numbers, bank numbers, etc.) in response to email requests. Legitimate organizations will never request this information through email.
- Never give sensitive information to unauthorized individuals over the phone.
Windows Firewall should be enabled on all computers and configured correctly. When you connect to a network, Windows will ask if this is a home, work or public network. Make sure to select the appropriate answer.
(Warning: Before implementing whole disk encryption, or any type of encryption, you need to fully evaluate the options and carefully plan the implementation. Ideally, this would be part of a larger disaster recovery plan. You need to make sure that you back up any encryption passwords, codes and/or keys in a secure place, or you risk losing access to your data. If in doubt, seek guidance from an IT professional.) It is recommended to use whole disk encryption whenever possible, especially on mobile devices like laptops and phones (and above all if any of these mobile devices hold PHI). Windows 7 Ultimate, Windows 8 and now Windows 10 all allow you to encrypt files, folders and entire disks using BitLocker. iPhones and Android phones both allow you to encrypt the phone through settings and passwords. I recommend always password protecting your phone.
Hopefully, you will find some of these practices useful in keeping your data and personal information safe and secure. Luckily, the easiest of these practices to follow are the most useful in keeping your data safe. Make sure you are keeping your software up-to-date, try to use strong passwords that are easy to remember by using phrases or sentences and finally never click on attachments or links that you weren’t expecting!