Most people are familiar with the idea of passwords, and the importance of using strong ones. However, what many don’t know is that there’s no such thing as an uncrackable password.
With proper resources and time, an attacker can crack any password by means of brute force (trying every permutation in a given table). With this in mind, multifactor authentication calls for items such as something you know (password), something you have (authentication key), or something you are (fingerprint). Many services such as Google and LastPass offer the use of multifactor authentication for day-to-day use, but HIPAA explicitly requires it. Without both the password and the correct key (generated randomly on-demand), access will not be granted.
On June 17th, attackers targeted a well-known cloud service known as Code Spaces with a Distributed Denial of Service (DDoS) attack. According to the company’s website, this is a fairly common occurrence (indeed, it is common for many popular websites), but this one was different since the attacker also had gained access to the Amazon Elastic Cloud 2 (EC2) web services control panel.
EC2 is the virtualization console offered by Amazon Web Services (AWS) to control server usage for their virtualized servers. The attacker left a message in the control panel demanding a ransom. When the demands were not met, and the users were attempting to change the login credentials, the attacker deleted all of the company’s data and backups as a retaliation effort.
Since Code Spaces only hosted data in this single cloud provider, this was a critical hit to their company’s infrastructure. This single event was too costly to repair and single-handedly ended the company. Code Spaces focused from that point forward on helping users recover their data before folding the company completely.
So what went wrong with Code Spaces? In short, many things: Specifically, one user was given unfettered access to the company’s data, and this user’s account was not secure. Security professionals have proposed that the login credentials were gleaned from a simple phishing email.
Additionally, even if this user were to set their password to “password” and username to firstname.lastname@example.org, the company still would not have been in such a predicament if multifactor authentication had been enabled and in-use.
Why wouldn’t users implement such an easy fix to lock down their security? Simply, security is often compromised at the risk of convenience. Users don’t like having to have their phone to log into their daily tasks when it seems to them that their data is secure with password protection.
Some have proposed that Amazon and Microsoft, a cloud competitor, are not pushing multi-factor authentication to their customers because adding cost or complexity is correlated with driving down sales. The philosophy is if it’s harder to gain access, then many users won’t utilize their services.
Part of the reason that the HIPAA Security Rule requires multifactor authentication is that it is both simple to implement and increases the security of a system exponentially. It is simple to enable on all of the major cloud hosting environments and would have been enough to prevent Code Spaces’ demise.
When looking for HIPAA Compliant hosting, be sure to double-check that the environment is equipped with multifactor authentication to easily cover this requirement of the Security Rule and ensure the safety and protection of the information.