With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls
Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of roles that could plausibly touch vaccination data is long, and that is just within the healthcare setting; once other industries are included it is virtually endless. To protect this sensitive data, every COVID-19 app and program should be designed with strong role-based access controls, with each access decision recorded as an event so that use of the data can be reviewed after the fact.
For example, a physician may need “write” access in order to record a patient’s immunity status or reaction to the vaccine. That permission should be the exception rather than the norm: most roles need read access at best, and an attacker who obtains a writable account can forge or alter vaccination records rather than merely view them.
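The pattern described above, as an added example that is not code from the original article or from any of the immunity-passport programs it mentions: a role policy in which only one role may write, every other role is read-only, anything not listed is denied, and every decision (allowed or not) lands in an audit log. The role names, the actions and the record shape are assumptions chosen for the illustration.

```python
"""Role-based access control for vaccination records with default deny and an
audit event for every decision.

Added example, not code from the original article or from any real
immunity-passport program. Roles, actions and the record shape are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed policy: most roles only read; only a physician may write.
# Any role not listed here has no access at all.
POLICY = {
    "physician":          frozenset({"read", "write"}),
    "pharmacy_tech":      frozenset({"read"}),
    "claims_specialist":  frozenset({"read"}),
    "insurance_adjuster": frozenset({"read"}),
}


@dataclass
class VaccinationRecord:
    patient_id: str
    vaccine: str
    doses: int = 0


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    patient_id: str
    allowed: bool


class AccessController:
    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []  # every decision, allowed or denied, is recorded

    def is_allowed(self, role, action):
        """Default deny: an unknown role or an unlisted action gets nothing."""
        return action in self.policy.get(role, frozenset())

    def _decide(self, user, role, action, record):
        allowed = self.is_allowed(role, action)
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action,
            record.patient_id, allowed))
        if not allowed:
            raise PermissionError(f"{role} may not {action} {record.patient_id}")

    def read(self, user, role, record):
        self._decide(user, role, "read", record)
        return {"patient_id": record.patient_id,
                "vaccine": record.vaccine, "doses": record.doses}

    def add_dose(self, user, role, record):
        """The only mutating operation; the record is touched only for writers."""
        self._decide(user, role, "write", record)
        record.doses += 1
        return record.doses

    def denied_events(self):
        return [e for e in self.audit_log if not e.allowed]


def writers(policy):
    """Roles that hold write permission; this list should stay short."""
    return sorted(role for role, perms in policy.items() if "write" in perms)


if __name__ == "__main__":
    ac = AccessController(POLICY)
    rec = VaccinationRecord("p-001", "mRNA-example")
    print(ac.read("alice", "pharmacy_tech", rec))
    print(ac.add_dose("dr_bob", "physician", rec))
    try:
        ac.add_dose("alice", "pharmacy_tech", rec)
    except PermissionError as exc:
        print("denied:", exc)
    print("write-capable roles:", writers(POLICY))
    print("denied events:", len(ac.denied_events()))
```

The two things worth copying are the default-deny lookup (a role that is not in the policy, or an action the policy does not name, is refused without any special casing) and the fact that the audit entry is written before the permission check can raise, so denied attempts are visible to whoever reviews the log.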
With the healthcare sector a top target of hackers, cybersecurity and privacy are of paramount concern—so much so that HIMSS20 has dedicated an entire track to the topic. According to its description, “Every organization must respect and maintain the privacy and security of patient information, no matter how small or large and no matter where they are located.”
Even with cybersecurity a primary area of focus, the frequency of attacks on healthcare institutions is rising: the HIPAA Journal found that the equivalent of 50% of the U.S. population has been affected by healthcare data breaches over the past decade. There are several reasons healthcare institutions continue to fall prey to attacks, but one of the most common may surprise you: employee password reuse and password sharing.
Risk Rises with Password Reuse
Most healthcare workers know better than to reuse passwords across multiple sites and applications. Still, this best practice is often set aside in the name of convenience and the urgency of delivering high-quality care. Password reuse puts the entire organization at risk whenever an unrelated third party is breached: cybercriminals obtain the leaked credentials on the Dark Web and replay them against other online accounts and systems (credential stuffing), and a hospital password that was also used on the breached site is exactly the kind of credential that succeeds.
With breaches occurring daily, attackers have an effectively unlimited supply of newly compromised passwords to choose from. If even a handful of your employees reuse passwords across applications and accounts, it will not be long before an attacker turns that habit to their advantage. And if your organization is like the average company, reuse is pervasive: according to Google, at least 65% of people use the same password for multiple, if not all, sites and systems.
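One practical check against the reuse problem described above is to test a candidate password against a breach corpus at enrolment or change time. The block below is an added example, not code from the original article: it implements the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API (only the first five hex characters of the SHA-1 leave the client; the suffix match happens locally). The small corpus and its counts are constructed for the demonstration and stand in for the real service, so nothing here touches the network.

```python
"""Check whether a password appears in a breach corpus without sending the
password, or even its full hash, anywhere: the k-anonymity range scheme used
by Have I Been Pwned's Pwned Passwords API.

Added example, not code from the original article. The tiny corpus below is
constructed for the demonstration and stands in for the real service.
"""
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real service; not called here


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the service's data: plaintext -> breach count.
# The real service holds only hashes; plaintext is kept here so the
# simulated server can compute them on demand.
_CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "Welcome1": 52,
    "Hospital2021": 3,
}


def simulated_range_lookup(prefix):
    """Stand-in for GET RANGE_ENDPOINT + prefix.

    Returns the same text format the real API does: one "SUFFIX:COUNT" line
    per known hash whose first five hex characters equal `prefix`.
    """
    lines = []
    for plaintext, count in _CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(plaintext)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, range_lookup=simulated_range_lookup):
    """Return how many times `password` has appeared in breaches (0 if never).

    Only the five-character prefix leaves the client; matching on the
    35-character suffix happens locally, so the server never learns which
    hash, if any, the client was interested in.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_for_enrolment(password, range_lookup=simulated_range_lookup):
    """Policy hook: refuse any password seen in a breach, however rarely."""
    return breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "Hospital2021", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

To use it against the real service, pass a `range_lookup` that performs an HTTP GET of `RANGE_ENDPOINT` plus the prefix and returns the response body; `breach_count` itself does not change.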
Password Sharing Increases Vulnerabilities
When every second counts in administering critical care, the last thing hospital staff have time for is issues with login. For this reason, many healthcare workers will share credentials, with 74% of respondents in one study admitting they had obtained a colleague’s password. The researchers state, “Apart from…large-scale mistakes and malicious acts… one of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another.”
It’s easy to understand why healthcare workers would default to this practice, but it’s equally easy to visualize how password sharing substantially increases security vulnerabilities.
Threats are inherent in everything from:
How the password is initially shared (e.g. is it sitting in multiple email accounts?)
What else individual staff members may use it for (e.g. is it also being reused for other work or personal accounts?)
What the staff turnover is (e.g. what happens if a disgruntled former employee can still access company systems?)
It is evident that hospitals cannot afford the risks associated with password sharing.
Guest post by Dean Wiech, managing director, Tools4ever.
Passwords are everywhere. Despite endless headlines across the globe proclaiming their imminent death, passwords are and will continue to be used in nearly every business setting for the foreseeable future. Whether you are a physician making the rounds in a hospital, a mechanic at a service garage, a CIO at a major software firm, a bank teller logging into several applications to assist customers or an employee at a manufacturer, chances are better than average that you access your systems with a user name and password.
Organizations of all sizes issue credentials to their employees to protect the information in their systems against unwanted access. As with any control, once passwords are in play there are bound to be issues. Regardless of how many passwords employees need to remember and how often they need help resetting them, passwords remain a crucial ingredient of a network’s security.
Passwords: Where We Have Come
The first passwords were created in the early 1960s for MIT’s Compatible Time-Sharing System (CTSS). They were introduced because several users needed to access the system as distinct identities. Each user chose a password, which was then stored on the system in readable form. Program leaders soon learned that this method of storage did not work: one user who wanted more time on the computer simply printed out the stored passwords and logged in as other users, since each user was only granted so much time per week under their own identity. The program therefore needed more secure methods for password usage and storage. This was also likely the first recorded data breach anywhere in the world.
The next phase was to store passwords as one-way hashes rather than in readable form, so that no one could simply read the file and walk off with every user’s credentials, as had happened at MIT. (Early systems described this as “encrypting” the password, but the stored value cannot be reversed to recover the password; a login attempt is checked by hashing the candidate and comparing it with the stored value.) Passwords began protecting sensitive information rather than merely acting as a gatekeeper, and as they spread into businesses and workplaces worldwide the hashed password file became something that could not easily be read or pilfered.
Finally, millions of organizations came to rely on computers for all of their business needs, and users needed to enter credentials for every system they accessed. To keep track of them all, users began either to choose very simple passwords or to use the same password for every system. This became a problem in turn: attackers used dictionary and brute-force tools to guess weak passwords, and a single compromised password then unlocked every system where it had been reused.
Where We Are Today
Welcome to today. As we know, organizations are overwhelmed by password breaches. The solution? To mitigate the problem, organizations often require employees to use complex passwords, each unique to the system it protects. To say the least, this has become a difficult mental exercise. According to a recent Tools4ever survey, end users access an average of up to 12 different systems and applications to perform their jobs, while most people can remember at most about six complex passwords. So what do they do to remember all of their credentials? The rest get written down or filed in some random Excel sheet on the computer’s desktop.
Of course this defeats the purpose of complex passwords, and it often leaves frustrated users taking their anger out on a help desk that is usually already overwhelmed by such problems. Is customer service considered high quality in these organizations? Usually not when processes like this are in place.
The problems don’t end there. Employee productivity is cut when they must deal with these types of password maintenance issues. For example, every day in a typical healthcare setting, 91 minutes are wasted because of inefficient systems and workflows. On average, healthcare providers login to workstations and applications 70 times per day and spend an average of only 46 percent of their time on direct patient care.
Think of the great things your teams could do if they didn’t have to worry about logging in and out of workstations as they care for patients. While the data accessed may differ from department to department and facility to facility, what remains the same is the fact that, if multiple passwords and login credentials are in-play, there is a high probability that productivity is being negatively impacted. Providing direct access to systems and tools when and where it’s needed is key.
Password issues also have a direct effect on employees’ productivity. Think about how long it takes to resolve an issue when an employee is locked out of an account and needs a password reset: they contact the help desk, open a ticket, wait for the help desk team to reset the password, log in and only then get back to the work they need to accomplish. All of this is time taken away from the project they are working on or the patient they are supposed to be helping. On the technical side, depending on the size of the organization, password management can require a full-time position, since password resets are one of the top reasons for help desk calls.
Another problem with passwords is all the steps, or “clicks,” and authentication processes some employees must go through just to access their applications. When time is critical, as in hospitals, or when customer service is a priority, every minute counts and passwords can become a deterrent. If nothing else, they can be a time waster, as those 91 lost minutes suggest.
It becomes a real issue when these problems start to affect employee productivity. So as the password and authentication process has evolved and grown more complex, how can organizations easily resolve the issues that have come with it?
Guest post by Dean Wiech, managing director, Tools4ever.
No matter the industry, each time a purchase is made, business leaders always want to know what they are getting in return for their financial investment. Questions frequently asked include: “How is this going to help me?” and “What is my return on investment?” Another phrase, often uttered by “Mr. Wonderful” Kevin O’Leary from the popular show Shark Tank is, “What am I getting for my investment?”
By examining the answers to these questions, business managers and organizational leaders must ensure that their budget is adhered to and that purchases by the organization are considered, or proven, not to be a “waste” of money. Often, return on investment (ROI) is a combination of both “hard” and “soft” costs and savings, which can be difficult to determine. The “hard” cost is easy to define: what am I spending now versus what will I spend on a different product, solution or system, or by doing nothing? Alternately, how is this solution going to save me money in the long run? In the case of “hard” costs and savings, a definitive dollar figure can be attached to implementing a solution.
“Soft” savings are a bit more of a complex issue; they are more difficult to determine and to document. For example, time and labor saved, or stress saved by employees completing a task that takes 10 minutes versus 35 minutes are soft savings. Soft savings also might be seen in improvements in customer service or in the customer experience. It is difficult to put a dollar amount on these scenarios and improvements, but they do impact a business, its success and its financial performance.
Time is money, of course, but in the case of healthcare perhaps it is more fitting to say that “time is life.” Time saved equates to valuable, potentially life-saving time and, in turn, better patient care. As healthcare organizations seek ways to let clinicians focus more on patients than on information technology, there are solutions available, many of them often overlooked, that allow them to reach that goal. Some of these technologies directly shorten the path between a physician entering an information system, retrieving or entering information, and getting back to patient care. Essentially, with solutions such as identity and access management, physicians get back to work more quickly and their interaction with the technology is reduced.
In any industry passwords can be a hassle to manage, but perhaps nowhere more so than in healthcare. Password policies are put in place to keep data secure, including patients’ information, but they often cause headaches for clinicians. And since every minute matters in the clinical setting, any process that takes longer than necessary can become a major problem when patient outcomes hang in the balance.
Since providers often need to access their own systems, as well as patient data and treatment history, quickly in order to assist patients, something as simple as getting locked out of a system or forgetting account credentials is time-consuming and tedious to overcome. Contacting the help desk and waiting for a password reset wastes what little time caregivers have with patients. Simplifying password resets can give that critical time back to caregivers and support staff in the care setting.
Easier said than done, of course. Many healthcare organizations resist implementing any type of password solution because they do not want to bombard clinicians with yet another new technology. A major reason is the assumption that implementation and training will be lengthy, at a time when they are already bogged down by a variety of other pressing issues, such as meaningful use and preparing for the transition to ICD-10 in October 2015.
Also, because healthcare organizations must abide by strict rules and regulations, implementing a password solution can itself be an issue, and healthcare leaders need to ensure that any new technology they adopt complies with those regulations.
An Easy Solution to Password Reset Issues
Several leading healthcare organizations have opted for self-service password reset solutions to solve their reset problem. Just as banking websites let consumers reset their own passwords, end users can reset theirs after correctly answering security questions they set up in advance. Clinicians simply click the “forgot my password” button and reset their password from anywhere at any time, solving the problem themselves without having to contact another department for help. One caveat a security team will raise: answers to common security questions (a pet’s name, a mother’s maiden name) are often guessable or discoverable from public records and social media, so a reset flow that relies on them should also cap the number of failed attempts, make any reset link it issues expire and work only once, confirm the reset through a second channel such as a registered phone or email, and log every reset so that an unauthorized one can be spotted and reversed.
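To make those safeguards concrete, here is an added example of a self-service reset flow; it is not the article's code and not any vendor's product. Answers are normalized, stored as salted PBKDF2 hashes and compared in constant time; failed verifications are capped; a successful verification yields a random token that is stored only as a hash, expires, and can be redeemed exactly once. The question set, the limits, the in-memory store and the injectable clock are assumptions for the demonstration.

```python
"""Self-service password reset built on security questions, with the
safeguards a security review would insist on.

Added example, not the article's or any vendor's product code. The limits,
the in-memory store and the injectable clock are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed; tune to your hardware
MAX_FAILED_ATTEMPTS = 3       # assumed lockout threshold
TOKEN_TTL_SECONDS = 15 * 60   # assumed token lifetime


def _normalize(answer):
    """Case and spacing should not make a genuine answer fail."""
    return " ".join(answer.casefold().split())


def _hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _token_key(token):
    """Tokens are stored hashed so a leaked store cannot be used to reset."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock
        self.answers = {}     # user -> [(salt, digest), ...]
        self.passwords = {}   # user -> (salt, digest)
        self.failed = {}      # user -> failed verification count
        self.tokens = {}      # token_key -> (user, expires_at)
        self.reset_log = []   # (timestamp, user, outcome)

    def enroll(self, user, answers):
        self.answers[user] = []
        for answer in answers:
            salt = os.urandom(16)
            self.answers[user].append((salt, _hash_secret(_normalize(answer), salt)))

    def request_reset(self, user, answers):
        """Verify every answer; on success return a one-time reset token."""
        stored = self.answers.get(user)
        if stored is None or self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            self.reset_log.append((self.now(), user, "refused"))
            return None
        ok = len(answers) == len(stored)
        for given, (salt, digest) in zip(answers, stored):
            # Evaluate every answer (no early exit) and compare in constant time.
            ok &= hmac.compare_digest(_hash_secret(_normalize(given), salt), digest)
        if not ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            self.reset_log.append((self.now(), user, "answers-rejected"))
            return None
        self.failed[user] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[_token_key(token)] = (user, self.now() + TOKEN_TTL_SECONDS)
        self.reset_log.append((self.now(), user, "token-issued"))
        return token

    def redeem(self, token, new_password):
        """Consume the token (single use) and set the new password if still valid."""
        entry = self.tokens.pop(_token_key(token), None)
        if entry is None:
            return False
        user, expires_at = entry
        if self.now() > expires_at:
            self.reset_log.append((self.now(), user, "token-expired"))
            return False
        salt = os.urandom(16)
        self.passwords[user] = (salt, _hash_secret(new_password, salt))
        self.reset_log.append((self.now(), user, "password-reset"))
        return True

    def verify_password(self, user, password):
        stored = self.passwords.get(user)
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(_hash_secret(password, salt), digest)


if __name__ == "__main__":
    svc = ResetService()
    svc.enroll("nurse1", ["Mercy General", "Rover"])
    token = svc.request_reset("nurse1", ["mercy general", "ROVER"])
    print("reset ok:", svc.redeem(token, "N3w-Passw0rd!"))
    print("second redeem:", svc.redeem(token, "again"))
    print("login ok:", svc.verify_password("nurse1", "N3w-Passw0rd!"))
```

In a deployed version the token would be delivered to the user over a second channel (a registered phone or email) rather than returned to the caller, and the password itself would go through a dedicated password hash such as bcrypt or Argon2 rather than the PBKDF2 used here to keep the example dependency-free; the token handling and attempt limiting stay the same.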