Butler County Health Department in Kansas, a Nightingale Notes agency for three years, was caught up in a county-wide ransomware attack.
The county’s data was held for an undisclosed ransom amount.
This brings up some questions about security:
- What does this mean for the health department’s patient records?
- Does this impact Nightingale Notes for Butler County or other Nightingale Notes agencies?
- How secure is my data when using Nightingale Notes ?
If you weren’t able to attend the IT Trends & Security for You Expert Webinar session recently, you can read the blog article and access the recording here.
The session gave very good, widely applicable security information and background.
Butler County’s current situation raises some questions worth addressing more specifically around Nightingale Notes.
Let’s look at some questions you may be asking yourself:
How safe is Nightingale Notes from hackers?
Nightingale Notes data is very safe.
Butler County still had full access to Nightingale Notes and its data throughout the attack.
Nightingale Notes utilizes sophisticated tools to prevent hacking.
Ransomware, like the hackers used in Butler County, relies on the user to complete an action on their local computer that allows the virus to work.
Clicking a link in an email, or opening a file attachment, or installing a program from a web site are actions that allow a virus to embed itself on the user’s computer and start infecting it.
Nightingale Notes data is very safe. Butler County still had full access to Nightingale Notes and the data throughout the attack. Nightingale Notes utilizes sophisticated tools to prevent hacking.
Nightingale Notes is not stored on an agency’s local computers or servers.
All user actions in Nightingale Notes are done on a server Champ Software manages on the East Coast.
Think of it this way; when you click on the search button to see your client list, you are essentially sending a request saying, “Show me the list of my clients” across an encrypted, secure connection to the server.
The server then acts on your behalf, running the code on the server on the East Coast, then sends you back the client list you were asking for.
The request you sent and the response back are all encrypted to protect that information while it’s being transferred.
None of the actions are done on your computer so there is no action for the virus to use to infect your PC.
The encryption used is 256-bit encryption.
What does that mean?
For a history on encryption, check out the Data on the Edge article but for now let’s look at what it means today.
When you send data or a request like, “Show my list of clients,” a key is created for that information and the information is scrambled.
If a person saw that message as it was being passed to the server (Nightingale Notes, in this case) it would look like a garbled mess.
The only way to decipher the request is to have the cheat sheet to make sense of the garbled data. That cheat sheet is called a key.
This diagram illustrates the process of sending encrypted information:
The sender and receiver both need keys in the message process.
The sender needs a public key to essentially open a box and put the information into it.
That public key won’t work to get things out of the box that were already in it.
The recipient needs a private key to open the box and get the information out but can’t use that key to add more things to the box.
To add more, the recipient would need another public key, put the data in the box, and become a sender.
Then the person on the other end would need a different private key to see the new information.
By using 256 bit SSL encryption there are 2256 possible combinations for figuring out what the message/data is.
That’s 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000 possibilities.
By using 256 bit SSL encryption there are 2256 possible combinations for figuring out what the message/data is. That’s 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000,000 possibilities.
By using Nightingale Notes you are protecting yourself from hackers who infect your computer or servers because they can’t get at the actions (code) or the data from your computer.
Nightingale Notes uses sophisticated encryption and since Nightingale Notes is hosted on Amazon Web Services you are getting a level of security that any local health department or county is not likely to provide.
The server that Nightingale Notes runs on, and the servers where your data is stored and backed up, are guarded by security staff using video surveillance and intrusion detection.
Authorized staff must pass two-factor authentication a minimum of two times to even access the floor of the building where the servers are stored.
Two-factor authentication means they need to know and enter a login and password AND do so from a device that is identified as belonging to them.
By using Nightingale Notes you are protecting yourself from hackers… you are getting a level of security that any local health department or county is not likely to provide.
What is my risk?
Your risk of being hacked is extremely low.
Think of it this way – If there was a door to get to your data, and Nightingale Notes is that door, there are several deadbolts locked on that door that will only open from the inside if you identify yourself.
There is a lock on outside of the door that only you have the key to.
You need that outside key to activate and unlock all the other deadbolts inside.
Therefore, it’s important to have a strong password and not share your password or username with anybody.
If you share your password and username, essentially you are giving a person the key to unlock all the deadbolts on the door.
If you think your username and password have been compromised you can have an administrator reset them for you.
What if my login credentials are stolen?
To help protect you, Nightingale Notes requires changing your password every 90 days and we log your IP address (a number that identifies the location of the computer you are using).
If you think somebody stole your login and password, change it immediately.
If you suspect that a person used your login to view or change data in Nightingale Notes, let our support team know right away and we can involve development to look at the IP address for all changes made with your login credentials to identify if it was you or somebody from another device making changes.
If the device you use to access Nightingale Notes is stolen, your patient data is still safe because Nightingale Notes does not save any data to the device.
The person stealing your device still needs your login and password to access patient records.
Lesson: Be sure to protect your login information and change it as soon as you suspect it may have been compromised.
Still have questions?
- If you have any questions about security with Nightingale Notes, please reach out to us at any time. Security is important to us and to all the Public Health professionals we work with.
- Karen Martin will discuss security at her Omaha System workshops in Kansas.
- Also, be sure to check out this overview of our recent Expert Webinar: IT Trends & Security for You. You can access the webinar recording at the end of the article.
Leave A Comment