Several celebrities had their privacy compromised this week when nude photos they had uploaded to Apple’s iCloud were stolen by hackers and shared on the Internet. On Tuesday, Apple said that the theft of the photos was due to “very targeted attacks” on the celebrities’ individual iCloud accounts and did not result from a widespread breach or malfunction of its systems.
The targeted attack that led to the leak of hundreds of intimate photos of celebrities including Jennifer Lawrence, Kate Upton, and Rihanna likely involved hacking the passwords and/or guessing the answers to security questions in order to reset the passwords.
Here are lessons that healthcare organizations can glean from this situation. Key takeaways include:
- If using single-factor authentication with passwords only, follow best practices. Enforce complex passwords that (1) are a minimum of 8 characters and combine uppercase and lowercase letters and digits, (2) do not contain a word that can be found in the dictionary, and (3) do not use something easy to guess such as a birth date or anniversary. Lock accounts after 5 or more incorrect password attempts. Avoid using “security questions” as an authentication method for password resets — these are essentially permanent, unchangeable passwords whose answers can often be discovered via web browsing and/or public record requests.
- Strongly consider a move to dual factor authentication, which is dramatically more secure. Had these young ladies used the dual factor authentication available (for free) with Apple’s iCloud service, they likely would not be in this embarrassing situation. Dual factor authentication combines a password with either something the user has (e.g. a smartcard) or something the user is (e.g. biometrics such as fingerprint scans, facial recognition, or retina scans). A low-cost option is the cell phone text message (which iCloud uses) that delivers a one-time security code. Two-factor authentication is not new, but implementing it is less expensive than ever. Clinician productivity can actually be improved with some dual factor authentication systems, such as the password/proximity card combination. These systems can be implemented so that the clinician enters the password once daily. The proximity sensor at the workstation automatically reads the card worn by the clinician, providing the second factor. The system automatically logs off when the clinician walks away and automatically logs in when the clinician approaches a different workstation, say, in the next exam room. This type of system can provide a high return on investment through clinician productivity improvements while at the same time improving security.
- Malicious actors are capitalizing on the sensation and curiosity resulting from these naked photos. These criminals set up malicious websites which distribute the photos, or simply claim to have them, and promote the sites on search engines such as Google. When a curious user browses to the site, in addition to the visual treat, they are also infected with malware, possibly through a “drive-by download”. Instruct your users to use their workstations for work, not for looking at naked ladies. If your organization doesn’t already have one, implement a Computer Usage Policy to instruct your employees regarding appropriate computer usage and safe web-browsing practices. Clearly outlined policies, combined with Security Awareness Training for your staff, can help decrease the likelihood of malware infection. An educated user will know that looking for titillating material such as this is dangerous. Whitelisting and/or blacklisting websites to block access to sites that offer this type of content is yet another tool to protect against malware infection.
- This incident clearly identifies some of the risks of cloud security. While cloud technology can often provide tremendous benefit to your business, these technologies also pose some pretty serious risks. Prior to adopting any cloud service, conduct an appropriate security evaluation. Carefully vet the security measures of the cloud provider. Request a third-party penetration test and/or vulnerability analysis. Ask about third-party audits such as SSAE 16, which validates the provider’s security procedures. And, once a vendor has been selected, implement strong access control procedures, robust password policies, and ongoing employee security awareness training. Strongly consider dual factor authentication. Get professional help for your evaluation and implementation if you don’t have the skills in-house.
- Don’t take nude photos of yourself.
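To make the password-policy takeaway above concrete, here is an added example (not code from the original article or from Apple) that checks a candidate password against the three rules listed and tracks failed logins so an account locks after 5 or more incorrect attempts. The dictionary word list, account names and personal dates are constructed sample data; a real deployment would load a large word list and keep the lockout state in a database rather than in memory.

```python
"""Added example: password-policy check and per-account lockout counter.
All word lists, dates and account names are constructed sample data."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample dictionary; load a real word list in production.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "hospital"}
MAX_FAILED_ATTEMPTS = 5   # lock after 5 or more incorrect attempts


def date_strings(iso_date):
    """Digit patterns a birth date or anniversary typically takes inside a password."""
    d = date.fromisoformat(iso_date)
    return {d.strftime(f) for f in ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y", "%Y")}


def password_violations(password, personal_dates=()):
    """Return the policy rules a candidate password breaks (empty list = acceptable).

    personal_dates is an iterable of ISO strings ("1985-07-12") known for the user,
    e.g. birth date or anniversary from the HR record.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"[0-9]", password)):
        problems.append("must mix uppercase, lowercase and digits")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    digits_only = re.sub(r"\D", "", password)   # dates are matched on the digits alone
    for iso_date in personal_dates:
        if any(pattern in digits_only for pattern in date_strings(iso_date)):
            problems.append("contains a personal date")
            break
    return problems


class LockoutTracker:
    """Count failed logins per account and lock the account at the limit."""

    def __init__(self, limit=MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failed = defaultdict(int)
        self.locked = set()

    def record_attempt(self, account, password_correct):
        """Return 'ok', 'failed' or 'locked' for this login attempt."""
        if account in self.locked:
            return "locked"            # even a correct password is refused once locked
        if password_correct:
            self.failed[account] = 0   # a successful login resets the counter
            return "ok"
        self.failed[account] += 1
        if self.failed[account] >= self.limit:
            self.locked.add(account)
            return "locked"
        return "failed"

    def unlock(self, account):
        """Administrative unlock, e.g. after the help desk verifies the user's identity."""
        self.locked.discard(account)
        self.failed[account] = 0


if __name__ == "__main__":
    print(password_violations("Welcome2Town!"))                      # dictionary word
    print(password_violations("Xy19850712!", ["1985-07-12"]))         # birth date
    print(password_violations("Tr0ub4dor&3"))                         # [] = acceptable
    tracker = LockoutTracker()
    for _ in range(5):
        print(tracker.record_attempt("clinician1", False))            # ... then "locked"
```

Note that the lockout refuses a correct password once the threshold is reached; the account is only reopened by an explicit unlock, which is where the help desk's identity check replaces the "security question" the article warns against.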
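The dual factor takeaway above mentions the one-time security code that iCloud sends by text message. The added example below (not Apple's code and not from the original article) shows the same idea in its time-based form, a TOTP code per RFC 6238 computed by an authenticator app and verified by the server, so the second factor works even where SMS delivery is not wanted. The shared secret is the RFC 4226 test key, used here purely as constructed sample data; the verifier tolerates one 30-second step of clock drift and refuses to accept a code for a time step it has already accepted, which is what makes the code "one-time".

```python
"""Added example: time-based one-time code (RFC 6238) as a second factor,
with server-side verification and replay rejection. The secret is the RFC 4226
test vector key, used as constructed sample data."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test key; never reuse a published secret


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """Time-based variant (RFC 6238): the counter is the current 30-second step."""
    return hotp(secret, int(at_time) // step)


class SecondFactorVerifier:
    """Server side of the second factor for one enrolled account."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window             # accept +/- this many steps of clock drift
        self.last_accepted_step = -1     # replay guard: this step and earlier are spent

    def verify(self, submitted, now):
        """True if the code is valid for a not-yet-used step around 'now'."""
        current = int(now) // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                 # a captured code cannot be replayed
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)          # what the user's authenticator app shows
    verifier = SecondFactorVerifier(DEMO_SECRET)
    print(code, verifier.verify(code, now))   # accepted once ...
    print(code, verifier.verify(code, now))   # ... and refused on replay
```

The comparison uses hmac.compare_digest so that the check takes the same time whether or not the leading digits match, and the secret is only ever shared between the server and the user's device, never typed in or sent over the wire.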
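For the whitelisting/blacklisting point in the malware takeaway above, here is an added example (not from the original article or any particular web-filtering product) of the decision logic such a filter applies to a requested URL. The list entries and the URLs in the demonstration are constructed; matching is done on the hostname and its parent domains so that a blocked domain also covers every subdomain, and an allowlist entry takes precedence so internal clinical systems are never blocked by a broad rule.

```python
"""Added example: allowlist/blocklist decision for web requests.
Domain names below are constructed sample data on reserved TLDs."""
from urllib.parse import urlsplit

# Constructed sample lists; a real filter would load these from a managed feed.
BLOCKLIST = {"leaked-pics.example", "celeb-photos.example"}
ALLOWLIST = {"ehr.hospital.example", "intranet.hospital.example"}


def hostname_of(url):
    """Normalised hostname from a URL or bare host (lowercase, no trailing dot)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def in_list(host, entries):
    """True if the host or any of its parent domains appears in the list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def decide(url, mode="blocklist"):
    """Return 'allow' or 'deny' for a request.

    mode='blocklist': everything is allowed except listed sites (default posture).
    mode='allowlist': only listed sites are allowed (stricter posture).
    Allowlist entries always win so clinical systems are never caught by a block rule.
    """
    host = hostname_of(url)
    if in_list(host, ALLOWLIST):
        return "allow"
    if in_list(host, BLOCKLIST):
        return "deny"
    return "allow" if mode == "blocklist" else "deny"


if __name__ == "__main__":
    for url in ("https://ehr.hospital.example/patient/1",
                "http://cdn.leaked-pics.example/gallery",
                "https://LEAKED-PICS.example./index.html",
                "https://news.example/"):
        print(url, "->", decide(url), "/", decide(url, mode="allowlist"))
```

The trailing-dot and upper-case forms in the demonstration are the usual ways a hostname slips past a naive string comparison, which is why the filter normalises before matching.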