9 May 2015
There may be people out there who think your practice has information with value. Alternatively, they might not be after your data; they may have taken a dislike to your practice – or you.
But no matter the reason, the underlying issues are the same; there is value in personal information, especially as online services offer easy ways to collect and process data.
With the increasing expectation that appropriate steps will be taken to look after personal information, data protection is something that cannot be ignored, even in a small practice environment.
Computers are dumb – they do what they are told. A hacker looking to steal the personal data a practice holds can simply ask a database for information – for example, “tell me all the information you have about recent clients paying by credit card”. The database will automatically oblige unless the website and database have been set up correctly.
Hackers will look to enter this instruction through the places on a website that collect and receive information, such as a “contact us” form or a search box. This works because these forms will often link to a database (or a part of the website hidden behind the scenes) that stores personal information. A hack here means personal information could be accessed and copied without authorisation or the practice’s knowledge.
This type of threat is known as Structured Query Language (SQL) injection. The Information Commissioner’s Office (ICO) notes this method “has been a common theme across the many computer-related data breaches” it has investigated. Unsurprisingly, the ICO states preventing, detecting and addressing this threat should “be a high priority… in comparison to other vulnerabilities”.
The solution is to identify who is responsible for maintaining the source code – the program behind the website – and have suitable changes implemented. One accepted method is to use the secure query tools provided by the application programming interface (API) of the software in use. These keep what a visitor types separate from the query itself, so information entered on a website is never treated as a set of instructions.
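The following is an added example, not code from the article or the ICO: it shows the flaw described above beside the fix, using Python’s built-in sqlite3 module with a constructed in-memory “clients” table (all names and addresses are made up). The unsafe function pastes the visitor’s text into the SQL statement; the safe one uses the driver’s parameterised-query facility, which is the “secure tool provided by the API” the article refers to.

```python
import sqlite3

# Constructed sample records standing in for a practice's client table; every
# value here is made up for the example.
SAMPLE_CLIENTS = [
    ("Alice Example", "alice@example.invalid", "card"),
    ("Bob Example", "bob@example.invalid", "cash"),
    ("Carol Example", "carol@example.invalid", "card"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, email TEXT, payment TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def search_clients_unsafe(conn, name):
    """The flaw the article describes: the visitor's text is pasted straight
    into the SQL statement, so the database cannot tell data from instructions."""
    sql = "SELECT name, email FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_clients_safe(conn, name):
    """The fix: a parameterised query. The '?' placeholder is filled in by the
    database driver after the statement has been parsed, so whatever the
    visitor typed is only ever compared as a value, never run as SQL."""
    sql = "SELECT name, email FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal use: both versions find the one matching client.
    print(search_clients_unsafe(db, "Alice Example"))
    print(search_clients_safe(db, "Alice Example"))
    # Text crafted so the unsafe query's WHERE clause is always true: the
    # unsafe version hands back every client, the safe one finds nobody.
    crafted = "' OR '1'='1"
    print(len(search_clients_unsafe(db, crafted)), "rows from the unsafe query")
    print(len(search_clients_safe(db, crafted)), "rows from the safe query")
```

The practical check for a practice is to ask whoever maintains the website whether every database query that takes input from a form or search box is written in the second style; any query built by joining strings together, as in the first function, is the kind of code the ICO guidance is about.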
If a hacker knows, or can guess, the type of system, software or service used to store personal information, he or she will try using the default settings and credentials (which can often be found with a simple search of the internet) in the hope they’ve not been changed.
To defeat this, practices should ensure the default usernames, passwords and settings have been changed on content management systems, on any database that holds, for example, client or staff data, and on computer operating systems – both Windows and Mac.
Gaining access to the usernames and passwords of staff is valuable to hackers because it enables them to impersonate an authorised user. There is a chance the user will have used the same credentials for other systems, meaning the hacker could gain unauthorised access to more than one system, or the one password may suggest a pattern, enabling the hacker to guess other passwords.
The ICO highlights a number of tools and recommendations that can be used, including:
Clearly, password security is a topic to discuss with the practice’s website developer.
Should a hacker get hold of all, some or just one of the passwords, the time it takes him or her to successfully guess (crack) the password needs to be made as long as possible. This will give the practice a chance to either detect the breach, or be told and then do something about it (reset passwords) before the password can be abused.
The ICO recommends strong passwords are used and suggests creating a long word or phrase by using a wide range of characters, including upper and lowercase letters, numbers, punctuation marks and other symbols. Another tip is to avoid dictionary words, simple substitutions (such as “p4$$w0rd”) and patterns from the physical keyboard layout (such as “qwert” or “1qaz2wsx”). Strong passwords can be generated at http://passwordsgenerator.net
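As an added illustration (not from the article or the ICO) of why the examples above are weak, here is a small checker that applies the three tips mechanically: it undoes common substitutions so “p4$$w0rd” is recognised as “password”, looks for runs along keyboard rows and columns such as “qwert” and “1qaz2wsx”, and estimates how many guesses a password would withstand from its length and character variety. The word list, substitution table and 60-bit threshold are assumptions chosen for the example, not ICO figures.

```python
import math
import re

# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "practice", "dental", "summer"}

# Common "leet" substitutions, reversed so that p4$$w0rd normalises to password.
SUBSTITUTIONS = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                 "0": "o", "$": "s", "5": "s", "7": "t"}

# Keyboard rows of a UK/US layout; columns are derived from these below.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalise(pw):
    """Lower-case the password and undo simple character substitutions."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in pw.lower())


def is_dictionary_word(pw):
    """True if the password is a listed word, possibly disguised by
    substitutions or a trailing number (password1, p4$$w0rd)."""
    core = normalise(re.sub(r"\d+$", "", pw.lower()))
    return core in COMMON_WORDS or normalise(pw) in COMMON_WORDS


def keyboard_sequences():
    """Rows, columns (1qaz, 2wsx, ...) and their reverses."""
    seqs = list(KEYBOARD_ROWS)
    width = max(len(r) for r in KEYBOARD_ROWS)
    for i in range(width):
        seqs.append("".join(r[i] for r in KEYBOARD_ROWS if i < len(r)))
    return seqs + [s[::-1] for s in seqs]


def has_keyboard_pattern(pw, min_len=4):
    """True if any run of min_len adjacent keys appears in the password."""
    low = pw.lower()
    for seq in keyboard_sequences():
        for start in range(len(seq) - min_len + 1):
            if seq[start:start + min_len] in low:
                return True
    return False


def entropy_bits(pw):
    """Rough upper bound on guessing effort: length x log2(character pool).
    A real attacker does better than this against patterned passwords, which
    is why the two checks above exist alongside it."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII punctuation and symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_bits=60):
    """Return a list of problems; an empty list means the password passed."""
    problems = []
    if is_dictionary_word(pw):
        problems.append("dictionary word (after undoing simple substitutions)")
    if has_keyboard_pattern(pw):
        problems.append("keyboard layout pattern")
    bits = entropy_bits(pw)
    if bits < min_bits:
        problems.append("too short or too few character types (%.0f bits, want %d)"
                        % (bits, min_bits))
    return problems


if __name__ == "__main__":
    for candidate in ["p4$$w0rd", "1qaz2wsx", "Wet-Giraffe-Lantern-42"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Both of the article’s examples fail, while a long phrase mixing the character types passes. The entropy figure is only a ceiling: it is the reason a long password buys the practice the detection time described above, but it says nothing about patterns, so the dictionary and keyboard checks are applied first.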
Threats keep changing and software providers try to keep up by issuing updates (patches) to their software. Hackers can run automated scans across a range of online services searching for unpatched, outdated or otherwise vulnerable software, which they will then attack.
Practices, no matter how small, need to adopt practical procedures to ensure software is being kept up to date. This can include:
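One practical procedure is to keep a written inventory of the software in use and compare it against the vendors’ current releases on a fixed schedule. The script below is an added example (not from the article) of that comparison; the product names and version numbers are constructed, and in practice the “current” column is filled in from each vendor’s release page. It also shows a pitfall worth knowing: version numbers must be compared part by part, because as plain text “1.10.3” sorts before “1.9.8”.

```python
import re

# Constructed inventory: the software a practice runs and the version installed.
INSTALLED = {
    "cms": "4.1.9",
    "database": "10.2.0",
    "pdf-viewer": "1.10.3",
    "backup-agent": "2.3",
}

# Constructed table of the vendors' current releases (made-up numbers).
CURRENT = {
    "cms": "4.1.12",
    "database": "10.2.0",
    "pdf-viewer": "1.9.8",
}


def parse_version(text):
    """Turn '1.10.3' into (1, 10, 3) so that numeric comparison is correct;
    a plain string comparison would rank 1.10.3 below 1.9.8."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def outdated(installed, current):
    """Return {name: reason} for every item that needs attention: either it
    is behind the vendor's current release or no reference version is known."""
    report = {}
    for name, have in installed.items():
        want = current.get(name)
        if want is None:
            report[name] = "no current version on record; check with the vendor"
        elif parse_version(have) < parse_version(want):
            report[name] = "installed %s, current %s" % (have, want)
    return report


if __name__ == "__main__":
    for name, reason in sorted(outdated(INSTALLED, CURRENT).items()):
        print("%-13s %s" % (name, reason))
```

Run at the agreed interval, the output is a short to-do list: anything listed is either unpatched or has no known reference version, which is itself a gap in the inventory to close.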
No practice can rest on its laurels or assume it will never be attacked.