• sylver_dragon
    link
    English
    424 days ago

    While I’m not a fan of checkbox security. Given that major parts of the healthcare industry don’t even seem to get over that bar, maybe it’s time to put something in place to give network defenders a lever to pull on to get the basics sorted.

    Not having MFA and encryption for data at rest should be treated as willful negligence when a company is breached.

    • @[email protected]
      link
      fedilink
      English
      114 days ago

      To be fair encryption at rest is one of those checkbox requirements that - in the absence of checks how it is implemented - is just implemented as a key next to the file that is encrypted.

      • sylver_dragon
        link
        English
        24 days ago

        Ya, I know that’s exactly what’s going to happen. But, you have to start somewhere. Just getting management used to the idea that data must be encrypted is a start. That will then push the software vendors in the space to make fundamental changes, which will hopefully improve things a bit.

        I actually have a pretty good example from my time in the US FedGov space. We were required (by our checkbox security) to enforce FIPS-140 compliance on all our systems. When working to setup a server for a new product, it just would not run with FIPS-140 in enforcement mode; so, I started digging into the product and found that they were still using the MD5 algorithm in their user password hashing process. Given how much the vendor really wanted our business (we were their “foot in the door” for more FedGov money), I sent an email to our customer service rep essentially saying “ya, MD5 as part of the password hashing is a deal breaker”. A couple weeks later a new version of the product dropped and surprise, surprise, MD5 was no longer part of the password hashing process.

        The reliance on checkboxes sucks; but, they can be a useful club to make improvements. A shift to real security takes time and a lot of effort. But, that journey starts with a first step.

        • @[email protected]
          link
          fedilink
          English
          23 days ago

          True, compliance can be helpful to pressure vendors into doing what they should have been doing in the first place.

  • edric
    link
    fedilink
    English
    264 days ago

    MFA should be baked into HIPAA standards.

    • @[email protected]
      link
      fedilink
      English
      113 days ago

      And banking. I don’t understand why banking and medicine seem to be the last ones to upgrade security, when they handle perhaps the most sensitive information.

  • Bob Robertson IX
    link
    fedilink
    English
    64 days ago

    The hospital system I use switched to mandatory MFA a few years ago. It isn’t perfect but I do appreciate it. They will text a OTC to your phone number, and there’s no option to set a computer as ‘trusted’.

    It amazes me that none of the banks I use even have MFA as an option when accessing your account online.

    • Saik0
      link
      fedilink
      English
      23 days ago

      They will text a OTC to your phone number

      This is worse than nothing.

      SMS/cellular based communications are a solved problem from a hacking perspective. https://youtube.com/watch?v=wVyu7NB7W6Y

      I say worse than nothing because it creates a false sense of security. Much like the TSA.

      TOTP (time based one time passwords, where you have an app or physical token) are so much better and should be the bare minimum. Security keys being what people should aspire to, yubikey or other reputable vendor.

      I’m on the fence with “passkeys” since they’re often vendor locked to your cell manufacturer which bothers me. I have some in my bitwarden, but find I have issues on my android for instance.

  • Optional
    link
    English
    54 days ago

    Ha!

    Oh man. Seriously, I had no idea everyone was this stupid. They all seemed so smart when i was a kid.