Security & Compliance

Introduction

Security and privacy are critical to our business and are our top priorities. Data is hosted on HIPAA-compliant Amazon Web Services (AWS) servers and is encrypted using advanced techniques that are designed and employed to meet the physical and technical safeguard guidelines provided by the U.S. Department of Health & Human Services. Administrative safeguards are in place at Baton which, at a high level, include limiting the personnel who have access to servers containing data, accessing data only as required for business purposes, and logging every instance in which data was accessed. More information about Baton's security and compliance can be found below.

  1. Policies
  2. HIPAA Checklists
  3. Security
  4. Backups

Policies

Security Practices and Policies

The biggest problem is that more and more of the hacks these days are "people" hacks rather than "technology" hacks: the bad guys trick or mislead people into revealing valid credentials, which they can then use without setting off alarms, rather than breaking into the system directly.

Not only that, but it is often a multi-stage process: the attacker first gains access to the victim's email, then uses it to obtain valid access to one or more other accounts, and finally reaches the system they are actually interested in, or the one from which they can gain the most valuable information.

This can be done in a number of ways: directly and manually, remotely by monitoring communications, or through sophisticated listening tools that report back everything the user types or sees.

All of those are in contrast to more "traditional" methods, such as guessing or brute-forcing a password, or exploiting poor or weak code in a web site or application to get past its security. Those methods are becoming less effective because of preventative measures such as the ones described below.

Sensible and strong security practices should at least include the following:

Privacy Policy

  • Training on joining and annually thereafter
  • Acknowledgement of receipt and acceptance from each employee
  • Regular checks against the employee list for unauthorized users or people who have left

HIPAA Checklists

    Data

    Servers

    Monitoring

    Backups

    AWS

    Anti-Virus

    Passwords

    Plans

    Security

    Cyber security has gone mainstream. Nick Helm proved this with his winning joke at the 2011 Edinburgh Fringe Festival.

    "I needed a password eight characters long so I picked Snow White and the Seven Dwarves."

    A good place to start is the Guide to Password Management published by The National Institute of Standards and Technology, or NIST.

    According to NIST, a password's strength is derived from its length and its complexity, which is determined by the unpredictability of its characters.

    Many passwords now require characters from more than one of the following four groups: uppercase letters, lowercase letters, numbers and symbols. This is a common example of a complexity policy. These requirements increase the number of possible characters from 26 to 95, which in turn increases the number of possible passwords, and the time required to brute force the password grows with that number.

    For example, a four-character password drawn only from lowercase letters (a-z) has 26 possible values for each of its four characters. This gives the password 26^4, or 456,976, different combinations. If each of those same four characters can instead take any of 95 different values (A-Z, a-z, 0-9 and symbols), the number of possible combinations increases to 95^4, or 81,450,625.

    As shown above, increasing the character set of a four-character password from 26 to 95 multiplies the possible combinations almost 200 times. However, increasing the password length from 4 to 12 while still using only 26 characters multiplies the combinations almost 200 billion times (a factor of 26^8).

    NIST emphasizes that an increase in complexity increases the possible combinations somewhat, but an increase in password length increases them exponentially.

    Example:

    A password meeting the requirements of a minimum of six characters with at least one uppercase letter, one lowercase letter and one number:

    D1sn3y : 62^6, or 56,800,235,584, possible combinations

    A password meeting just the requirement of a minimum of 26 characters:

    snowwhiteandthesevendwarfs : 26^26, or about 6.1561196e+36, possible combinations!

    In addition to increasing length and character variety, strong passwords should avoid common patterns. Most people capitalize the first letter of the password and put numbers and symbols at the end. Other common patterns are substitutions such as the number "1" for the letter "I" or "0" for "O". Another mistake is to use a common title or phrase. Although such passwords may be long, they are predictable. Keep in mind that a password that meets minimum length and complexity requirements is not necessarily strong. Attackers are aware of these common patterns, which makes it easier for them to break through, because a brute force attack can try the likely patterns first.
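The arithmetic above (26^4, 95^4, 62^6, 26^26) and the pattern checks just described, as an added example that is not Baton's code or NIST's. `keyspace()` and `effective_alphabet()` reproduce the page's figures, and `pattern_warnings()` flags the habits the page lists: a capital only at the front, digits and symbols only at the end, "1"-for-"I" style swaps, and well-known titles or phrases. The phrase list and the guess rate used in the demo are constructed assumptions, not measured values.

```python
"""Password keyspace arithmetic and predictable-pattern checks.

Added example, not Baton's code. keyspace() reproduces the figures the page
quotes (26^4, 95^4, 62^6, 26^26); pattern_warnings() flags the habits the page
lists: capital only at the front, digits/symbols only at the end, 1-for-I and
0-for-O style swaps, and well-known titles or phrases. The phrase list and the
guess rate are constructed assumptions, not measured values.
"""
from __future__ import annotations

import string

# Character classes as in the page's complexity policy: 26 + 26 + 10 + 33 = 95 printable ASCII.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},
}

# Constructed sample of "common titles or phrases"; a real check would use a breach-derived list.
COMMON_PHRASES = ("password", "snowwhite", "letmein", "qwerty", "iloveyou")

# Undo the substitutions the page calls out ("1" for "I", "0" for "O", and similar).
UNLEET = str.maketrans("1305@$", "ieosas")


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def effective_alphabet(password: str) -> int:
    """Alphabet size implied by the character classes actually present (the page's 26 / 62 / 95)."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def naive_keyspace(password: str) -> int:
    """Keyspace an attacker who knows only the length and the classes used would have to search."""
    return keyspace(effective_alphabet(password), len(password))


def brute_force_years(combinations: int, guesses_per_second: float) -> float:
    """Worst-case years to enumerate the whole keyspace at an assumed guess rate."""
    return combinations / guesses_per_second / (365 * 24 * 3600)


def pattern_warnings(password: str) -> list[str]:
    """Return the predictable habits found in `password` (an empty list means none were found)."""
    warnings = []
    # "Most people capitalize the first letter of the password ..."
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        warnings.append("only capital is the first letter")
    # "... and use numbers and symbols at the end."
    stem = password.rstrip(string.digits + string.punctuation)
    if stem != password and stem.isalpha():
        warnings.append("digits/symbols only at the end")
    # "1" for "I", "0" for "O": undoing the swaps leaves a plain word.
    plain = password.lower().translate(UNLEET)
    if plain != password.lower() and plain.isalpha():
        warnings.append("leetspeak substitution of a plain word")
    # "a common title or phrase", matched case-insensitively after undoing swaps and spaces.
    if any(phrase in plain.replace(" ", "") for phrase in COMMON_PHRASES):
        warnings.append("contains a well-known phrase or title")
    return warnings


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second for an offline attack; purely illustrative
    for alphabet, length in ((26, 4), (95, 4), (26, 12)):
        n = keyspace(alphabet, length)
        print(f"{alphabet}^{length} = {n:,} combinations, "
              f"{brute_force_years(n, RATE):.3g} years at {RATE:.0e} guesses/s")
    for pw in ("D1sn3y", "snowwhiteandthesevendwarfs", "Password1!"):
        print(f"{pw!r}: alphabet {effective_alphabet(pw)}, keyspace {naive_keyspace(pw):.4e}, "
              f"warnings {pattern_warnings(pw)}")
```

Running the script shows the page's point numerically: the 26-character all-lowercase phrase has a far larger naive keyspace than the six-character mixed-case one, yet both are flagged, because an attacker who tries known titles and leetspeak variants first never has to search that keyspace.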

    If you have the option of storing passwords, then you should maximize length and complexity. If you cannot store passwords and must remember them (better than writing them down), then it is important to maintain a three-tiered approach to password security.

    Most secure: Your most secure passwords should be used for applications and services such as email, credit cards, and banking.

    Medium secure: The second most secure passwords should be used for applications where you have some sensitive data but no financial, health or other data that could cause a major problem if it were compromised. Examples of medium-security sites are social media such as Facebook, Twitter or LinkedIn, and shopping sites.

    Least secure: This is not to say you use a weak password; rather, you accept that this is the one most likely to be compromised at the source. Use this password on generic sites such as forums and news sites, where you never store sensitive data.

    Keep in mind that you shouldn't use the same password for all three security levels. It is also very important to treat your primary email password as most-secure level. Your email often offers backdoor access to many sites and services through password resets, so if a hacker gets into your email they could reset the rest of your passwords and gain access to those accounts.

    Backups