
Are The User ID And Password Practices Secure In Your Practice?

Barbara Aung, DPM

Many resources we use in medicine, such as our office or hospital electronic medical record (EMR), require a user ID and a password to log in. Even if one changes passwords regularly, this still leaves one vulnerable to attack. If one uses the same username and email account for every point of access, the risk of an incident becomes higher: those who try to gain access to our information can reuse the same account name, based on an email address, to compromise multiple online accounts.

The email address(es) we use may be of more significance than the passwords we keep changing. According to my IT specialist, if one develops a system of using different email addresses for logging on to different types of activities, then a breach in one type of activity (such as online shopping or banking) does not necessarily affect another. These ‘threat actors’ will have no email address or account username as a reference point to start from unless they can link all your email addresses back to your identity.

In discussions with my relative who works for a national defense contractor, I learned that large, high-security businesses may have multiple email accounts designated for access to applications based on risk and privileged sessions. I have around four or more email accounts for all the different activities I access on the internet.

The first email address I have is for any type of sensitive account, like banking or financial applications. It is a unique address used for logon authentication only; this helps determine whether correspondence is legitimate or phishing, since no other accounts are associated with this email address. I have a separate email for business and personal accounts; this way, if there is a breach in one, both will not be compromised.

The second email address is for personal correspondence. This email address is never used for anything outside of sending or receiving email, including as the logon (authentication) for any account on the internet. Any rogue email received by this address makes it easy to identify as spam.

The third account is for junk email from online retailers. What I mean by junk email here is signing up for coupons and alerts from different websites that might frequently send sales offers or non-malicious spam promotions. I do not use this account for any other activities and I do not use this email address for paying on a website. I consider an e-commerce site that I purchase from a sensitive account since it has or it will have my credit card number. I use a separate email for online payments and consider shopping as a guest to prevent the website from storing my credentials, credit card number and address. It may be a hassle and take additional time to fill in the information again with every purchase, but it could prove more secure.

The fourth email address is for correspondence associated with work or interactions with state, local or federal government. This is also a dedicated email for hospital credentialing or other government entities so that they can correspond regarding my personal health care, taxes, utility bills or other official information. I do not share this email address outside of these specific cases, and any received email that deviates from its intended usage is definitely spam.

While so many email accounts may seem extreme, I believe it does reduce the risk of exposure should a single email account be hacked. Our current email applications can easily support multiple email addresses to separate correspondence.

If you are active on social media or other applications like dating websites, you may choose to create even more email accounts to perform an even higher separation of roles. I do have another email account to access our practice’s social media accounts.

Lastly, if a website allows you to create a unique username for logging on instead of using an email address, I would rather do this, as it gives an additional layer of concealment. Also make sure you keep all account usernames separate and unique when possible, and monitor emails based on the account name to help protect against phishing attacks and identity attacks. Of course, we all know that the passwords for each account should be unique, complex and never reused or recycled.
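The role-separation scheme above can be checked against an inventory of one's own accounts. The following is an added example, not code from the original post: every address, site and category in it is constructed, and the role mapping is an assumption modelled on the four addresses the post describes. It flags logons that break the scheme and shows how many accounts a breach of any single address or username would expose.

```python
"""Audit an account inventory against a role-separated e-mail scheme.
Added example; all addresses and sites below are constructed placeholders."""
from collections import defaultdict

# Assumed role of each address, modelled on the post's four-address scheme.
ROLES = {
    "auth@example.net": "sensitive",       # logon-only address for bank, finance, e-commerce
    "me@example.net": "correspondence",    # never used as a logon anywhere
    "deals@example.net": "junk",           # coupons and alerts, never used to pay
    "official@example.net": "official",    # work, government, hospital credentialing
}

# Constructed inventory: (site, account category, logon identifier, logon is an e-mail)
INVENTORY = [
    ("bank.example", "sensitive", "auth@example.net", True),
    ("shop.example", "sensitive", "deals@example.net", True),    # junk address on a card-storing site
    ("coupons.example", "junk", "deals@example.net", True),
    ("forum.example", "personal", "me@example.net", True),       # correspondence address as a logon
    ("state-portal.example", "official", "official@example.net", True),
    ("emr.example", "sensitive", "baung_clinic", False),         # site-specific username, no e-mail exposed
]


def audit(inventory, roles=ROLES):
    """Return one finding per account whose logon breaks the scheme."""
    findings = []
    for site, category, logon, is_email in inventory:
        if not is_email:
            continue  # a unique username reveals no e-mail address to reuse elsewhere
        role = roles.get(logon)
        if role is None:
            findings.append(f"{site}: logon address {logon} has no assigned role")
        elif role == "correspondence":
            findings.append(f"{site}: correspondence-only address used as a logon")
        elif role != category:
            findings.append(f"{site}: {role} address used for a {category} account")
    return findings


def blast_radius(inventory):
    """Map each logon identifier to the sites it unlocks: what a single
    compromised address gives an attacker as a reference point."""
    linked = defaultdict(list)
    for site, _category, logon, _is_email in inventory:
        linked[logon].append(site)
    return dict(linked)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("VIOLATION:", finding)
    for logon, sites in blast_radius(INVENTORY).items():
        print(f"{logon}: {len(sites)} account(s) -> {', '.join(sites)}")
```

Run against a real inventory, any logon that unlocks more than one category is the reference point the post warns about, and the two constructed violations show the checks that matter most: the junk address on a site holding a card number, and the correspondence address doing double duty as a logon.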

There are apps that help generate passwords every time you log in, such as:¹

1. Dashlane

2. LastPass

3. NordPass

4. KeePass

5. Strong Password Generator

Some of these apps are free and others charge a few dollars a month. I have used the free version of Dashlane and, in my opinion, it worked well for what I needed.

Eight or nine months ago I bought new computers for my home and office. Interestingly, my IT professional mentioned he now primarily works for the FBI looking for hackers and helping recover data. He hid my WiFi so people walking in our complex can’t find it and warned me to never give out the WiFi access code or have a guest login. He added, “If you can’t see it, you can’t hack it.” Following my personal policy of different emails for different purposes, and since we use mostly web-based software at the practice, I decided that staff email is for correspondence with reps and hospital staff, but never for logging into vendor sites. We have a separate email address to visit vendors.

Why have I put so much thought into this? In February 2020, Barbara Corcoran, founder of the real estate brokerage firm Corcoran Group and a judge on ABC’s “Shark Tank,” was nearly scammed out of $400,000.² The scammers emailed Corcoran’s bookkeeper pretending to be her assistant. The message contained an invoice supposedly authorized by her assistant to pay for an investment property in Europe that needed renovations.

Barbara Corcoran’s bookkeeper paid the scam invoice but ultimately got the money back. I am not thrilled that many vendors send bills by email, since, as we saw with Ms. Corcoran, this can be a source of phishing. I either request that vendors send me bills through regular “snail” mail or I have a separate email for bills from known vendors. Ideally, I prefer to set up bill pay directly through the bank for known, recurring invoices.

Barbara Corcoran’s conundrum inspired my thinking on this topic, and we can all likely learn something for our practices from her trials, hopefully before encountering any issues of our own.

Dr. Aung is Chief of the Podiatry Section of the Tenet Health System/St. Joseph’s Hospital in Tucson, Ariz. She is a member of the APMA Coding Committee, the APMA MACRA/MIPS Task Force and is on the Exam Committee of the American Board of Wound Management. Dr. Aung is also on the Editorial Review Board for Wound Management and Prevention. Her website is www.healthy-feet.com.

References

1. Blechynden D. Best password generators in 2021. Available at: https://www.techradar.com/best/password-generator. Published June 4, 2021. Accessed September 29, 2021.

2. A ‘simple’ email scam almost cost Barbara Corcoran $400,000 – here’s how to avoid falling for the same thing. CNBC website. Available at: https://www.cnbc.com/2020/05/06/how-barbara-corcoran-almost-lost-400000-dollars-to-an-email-scam.html. Published May 6, 2020. Accessed September 29, 2021.


Disclaimer: The views and opinions expressed are those of the author(s) and do not necessarily reflect the official policy or position of Podiatry Today or HMP Global, their employees and affiliates. Any content provided by our bloggers or authors are of their opinion and are not intended to malign any religion, ethnic group, club, association, organization, company, individual, anyone or anything.
