Is your Health IT Network NSA-secure?

January 6, 2007

The NSA’s unclassified 60 Minute Network Security Guide is a handy way to check whether your network security is up to par with the guidelines of the nation’s pre-eminent spy agency. Check it out, see how your network measures up, and leave a comment here telling us what you think of the guidance it provides.

  • pidgas

    I’ve read most of it, and just want to comment on the password policy recommendations. Weak passwords can be a significant problem. That said, so can “strong” password policies. These policies requiring randomness and frequent changes cause users to forget their passwords. This generates increased need for password resetting and increased opportunity for social engineering attacks. Many providers rotate between hospitals, and each hospital SYSTEM has its own password scheme. This causes additional confusion and exacerbates the problem.

    It seems to me that users should be encouraged to make those long random passwords, but simultaneously encouraged to write them down and keep them with them in a safe place. Too often, users are warned against such a practice.

    Single-factor password-based authentication is a problem, period. Two-factor authentication is surely coming to a theater near you. In the meantime, we need a sense of proportionality. As long as the system contains logged-in users well (i.e. they cannot generally “damage” the system), more harm can be done by locking out a provider needing time-sensitive information in one critical situation than can be prevented over years of preventing “unauthorized” access.

    That’s just my 2c worth on the issue. Thanks.

    Pid
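Pid’s proportionality point, that a hard lockout can do more harm to a clinician who needs a chart now than it prevents, is easy to make concrete. The following is an added example written for this discussion, not code from the post, the commenter or the NSA guide. It compares two ways of handling failed logins: a hard lockout after N failures (an attacker who guesses five wrong passwords against a clinician’s account locks the clinician out until an admin resets it) and a capped, self-clearing delay (each failure costs more waiting time, but the next correct password always gets in). The user name, thresholds and timings are invented for the illustration.

```python
"""Account-lockout policies compared: hard lockout versus a capped,
self-clearing delay. Added illustration for the comment thread above;
every user name, threshold and timestamp here is made up."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    not_before: float = 0.0  # earliest time (seconds) a new attempt is accepted


@dataclass
class LoginThrottle:
    """mode='hard': lock the account after `max_failures` until an admin resets it.
    mode='delay': never lock; each failure doubles the wait before the next
    attempt, capped at `max_delay` seconds, so brute force is slowed while a
    user who mistypes still gets in on the next correct try."""
    mode: str = "delay"
    max_failures: int = 5
    base_delay: float = 1.0
    max_delay: float = 60.0
    accounts: dict = field(default_factory=dict)

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user, password_ok, now):
        """Returns 'ok', 'bad_password', 'locked' or 'too_soon'."""
        st = self._state(user)
        if st.locked:
            return "locked"
        if now < st.not_before:
            return "too_soon"  # rejected before the password is even checked
        if password_ok:
            st.failures = 0  # a good login clears the counter in both modes
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        if self.mode == "hard":
            if st.failures >= self.max_failures:
                st.locked = True
        else:
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
            st.not_before = now + delay
        return "bad_password"

    def admin_reset(self, user):
        self.accounts[user] = AccountState()


# Constructed scenario: someone guesses five wrong passwords for dr_lee's
# account (t=0..40s); dr_lee then tries the right password at t=50 and t=60.
SCENARIO = [
    (0, "dr_lee", False), (10, "dr_lee", False), (20, "dr_lee", False),
    (30, "dr_lee", False), (40, "dr_lee", False),
    (50, "dr_lee", True), (60, "dr_lee", True),
]


def simulate(mode):
    """Run SCENARIO under the given mode and return the outcome of each attempt."""
    throttle = LoginThrottle(mode=mode)
    return [throttle.attempt(user, ok, t) for t, user, ok in SCENARIO]


def guesses_in_window(window_seconds, base_delay=1.0, max_delay=60.0):
    """Wrong guesses an attacker who retries as soon as permitted can make
    against one account within the window under mode='delay'."""
    throttle = LoginThrottle(mode="delay", base_delay=base_delay, max_delay=max_delay)
    now, count = 0.0, 0
    while now < window_seconds:
        throttle.attempt("victim", False, now)
        count += 1
        now = throttle.accounts["victim"].not_before
    return count


if __name__ == "__main__":
    print("hard lockout :", simulate("hard"))   # clinician locked out by the attacker
    print("capped delay :", simulate("delay"))  # clinician waits 16s, then gets in
    print("delay mode, guesses in 10 min:", guesses_in_window(600))
```

Under the hard policy the attacker’s five failures convert into a denial of service against the clinician; under the delay policy the clinician’s first correct attempt is simply told to wait, and the second succeeds, while an attacker hammering the account is held to roughly one guess a minute once the cap is reached. Neither replaces the second factor Pid is waiting for, but the delay variant keeps the security benefit without the lockout harm he describes.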

  • Shahid N. Shah (http://shahid.shah.org)

    Great points, Pid. If you have some other health IT security suggestions that you’d like to put into a guest article for this blog I’m sure the readers here (and me!) would be grateful for your guidance.
