Security For The Digital Doctor

Four rules for physicians who want to securely engage online without ruining their reputations – or careers.

By John W. Little, manager of physician relations, University of Texas MD Anderson Cancer Center

As physicians rush to embrace social media, their online visibility is rising and the factors that influence reputation are changing. With growing visibility comes growing risk and the real potential that a lifetime of work could be negatively impacted by a single misguided mouse click.

Imagine discovering that the social media accounts you use to promote your work or practice have been used to promote illegal internet pharmacies, or that your patients have received an email from your account directing them to purchase and take illegal drugs. Now imagine the potential negative impact that communication, seemingly from a trusted physician, could have on your patients or your social media audience. Imagine also the potential legal implications. When all is said and done your tarnished reputation may be the least of your concerns. Lives could be at stake.

This scenario may sound far-fetched, but it is not. These types of cyber attacks take place countless times per day. Unfortunately, executing them is trivial if a hacker is malicious and motivated. Luckily, the vast majority of these threats can be defeated with basic knowledge, awareness, and changes in behavior.

Develop Security Awareness
Most cyber attacks are not complex subversions planned by master hackers aiming for high-profile targets like governments, large corporations, or elected officials. Most attacks surface via automated scripts, viruses, modified URLs, or hijacked web pages designed to infect as many ordinary people as possible. These threats are pervasive and indiscriminate. They spread through social media messages, infected web sites, and email. They - not attacks directed at you personally - are your biggest threat.

Why is this important? It is important because it means that you, not your service providers or account hosts, are ultimately responsible for your security. Security does not begin (or end) with login IDs or passwords. It begins with you and your behavior. You will be the strongest or weakest link in your security model. If you have an online presence as a physician, it is absolutely critical to embrace this responsibility immediately. A small amount of work will go a long way towards preventing disaster.

1. Change Your Behavior
As you might have guessed, many security risks can be mitigated with an understanding of what constitutes risk and modifying your behavior to eliminate or minimize your exposure. The first, and most important step, is to become security aware. Most users simply do not think about risk and security.

Your security can be compromised in countless ways. But for the sake of this overview, your mouse is an excellent starting point. Learn to look at your mouse as the digital equivalent of a loaded gun. Like a gun, absentmindedly waving it about and clicking it will have very negative consequences. Recognize that each click of the mouse carries with it an associated risk profile. Every clicked link exposes you to some level of risk. For example, clicking on a link on your bank’s web site during a logged-in SSL encrypted session exposes you to very little risk. Clicking on a shortened (obscured) URL in a Twitter direct message, even from someone you know, is far riskier. Understanding and knowing why this is true requires very little technical knowledge but will substantially lower your risk.

Knowing how to spot infection points in online communication can be challenging for the uninitiated. The explosive growth of social media - an environment built on trust and sharing - has made this much more difficult. Social media platforms are incredibly attractive and easy targets for hackers because of this. However, a little common sense will serve you well.

To protect yourself, first learn to recognize communications crafted specifically to trigger an emotional click response. That Twitter or Facebook direct message from someone you follow that says “Look who’s saying horrible things about you” or “I can’t believe they posted these embarrassing photos of you online” followed by a shortened URL, is a tactic that has successfully compromised millions of accounts. Click on the link and your login credentials will soon be in the hands of someone who will use your account to infect others and likely promote dangerous health products or other illegal activity. In fact, you are getting that hostile message from someone you follow because they fell for the scam themselves. Now their account is being used to propagate the threat. Allowing your account to fall into the hands of malicious hackers exposes your patients and colleagues to potentially serious financial and health risks.

Of course, this same critical approach will serve you well in managing risks associated with email. Participating in virus-carrying chain letters and opening files from unknown or untrusted people are long known risky behaviors that are still exploited by hackers. Like social media infection points, these emails will often make a political or emotional appeal to encourage risky behavior. That slideshow of photos from a recent disaster that came with a donation link and encouragement to pass it on to your contacts is not to be trusted. No legitimate organization will encourage you to send its unsolicited email to your contacts. Ever. If you are a frequent forwarder of slideshows and political chain emails, you are exposing yourself and your contacts to risk. Not only should you stop doing this immediately but you should also give serious consideration to the fact that your computer may have already been compromised.

So a very short rule of thumb: If that message is just begging you to click on a URL , asking you to forward it to your contacts, or offering you a deal that’s just too good to be true, then learn to ignore it. You will spare yourself and your patients, colleagues, and other contacts potentially serious risk and you will help ensure that your computer does not become a launching point for illicit activity.

2. Implement Password Management
Outside of random mouse clicks, poor account management is probably the most significant risk that the average user faces. Most of are overwhelmed with system identities and passwords that span professional and personal accounts. This too has been a boon to hackers who are often able to compromise one account and then use the same login credentials on other popular sites (even banks) to exploit the owner from multiple directions. This is every user’s worst nightmare and can be incredibly damaging if it occurs. If you are using common passwords and, most importantly, if you are reusing passwords, then changes have to be made immediately.

Am I really telling you that you have to use complex, long, randomized, and unique passwords for every account you own? That tactic, especially to an overworked physician, may itself sound like a nightmare. However, it does not have to be. Software-based password managers can make securing and accessing your accounts easy. In fact, implementing the right application can actually free up some of your time and grey matter for more important things.

I personally use 1Password to manage over 70 accounts. With it I am able to generate large (up to 50 characters) randomized passwords and automate the login process for most sites that I visit. It offers browser plugins, a mobile version, and syncs across multiple platforms. Other popular programs offer these services as well. Many of them are free, or offer free versions, so I encourage users to read reviews of the more popular applications and give a few of them a try before fully implementing one solution. Security experts would caution that every security solution also comes with its own inherent risks and that is true. However, far more people are at risk from weak and reused passwords than through difficult and incredibly unlikely exploits of properly implemented quality password management software.

Additionally, many services (Google’s Gmail and Twitter are two very high-profile examples) are now implementing a two-factor authentication model. In most cases immediately after you complete the usual login routine, a PIN number will be texted to your phone or emailed to an address that you provide. Access will not be granted unless this PIN is entered. This means that even if a hacker obtains your password they would still need access to PIN authentication to have unauthorized access to your account. This is very unlikely scenario resulting in highly secure solution. Activating this on your account is one of the easiest and most effective ways to elevate your security. I encourage people to activate it at every opportunity.

3. Use Web Encryption
Encryption is the pinnacle of technical security solutions. When implemented well it can offer a level of security that even governments may find difficult to exploit. However, it is also
the most difficult to implement for many users due to its complexity. The good news is that easier to implement solutions are being introduced at a frantic pace.

Encryption is vast topic that I will only briefly touch on from the web transaction perspective. Almost everyone uses web encryption on a regular basis without giving it much thought. If you access your bank or buy something online you are almost certainly engaging in seamless encrypted communications via Secure Sockets Layer (SSL) encryption. This is the same technology that makes secure delivery of medical records via patient and physician web portals possible. The only noticeable difference to the average user is that SSL encrypted web destinations start with “https://” instead of the more common “http://”. There is much more to the underlying technology but the beauty of SSL is that is almost all that the average user needs to know. It just works.

What many users do not know is that SSL can be optionally used for many other types of transactions. You could start manually checking every account that you own to see if that option is offered but that could be quite tedious. An easier solution is to install the Electronic Frontier Foundation’s “HTTPS Everywhere” browser plugin which is available as a free download at https://www.eff.org/https-everywhere. This plugin will look for SSL encrypted connections by default as you surf the web. It is a painless way to reduce your risk level in a complex environment. In highlighting the sites that do not offer SSL it could also help you identify potential risk areas in your online ecosystem.

4. Invest In Your Security
Security, in its complete form, is a challenging and vastly complex topic that can cover issues ranging from human psychology to advanced mathematics. However, physicians can ensure a reasonable level of security with a little knowledge and a little work. Physicians, as trusted members of society, cannot afford to ignore this risk or depend on others to do the work. To do so exposes networks of vulnerable patients and professional colleagues to very real risks that could have disastrous consequences. Physicians who invest in their personal security are protecting not only their reputations but potentially the lives of those they serve. It is a worthwhile and far reaching investment.

John W. Little is Manager of Physician Relations for the University of Texas MD Anderson Cancer Center where he has helped design, build, and manage secure physician and patient focused portals, online directories, and social media channels. John has also managed secure global extranets for government clients and defense contractors.