By Michael Greene, CEO, Enzoic.
With the healthcare sector a top target of hackers, cybersecurity and privacy are of paramount concern—so much so that HIMSS20 has dedicated an entire track to the topic. According to its description, “Every organization must respect and maintain the privacy and security of patient information, no matter how small or large and no matter where they are located.”
Even with cybersecurity clearly a primary area of focus, the frequency of attacks on healthcare institutions is on the rise: the HIPAA Journal found that the equivalent of 50% of the U.S. population has been affected by healthcare data breaches over the past decade. While there are several reasons healthcare institutions continue to fall prey to attacks, one of the most common may surprise you: employee password reuse and password sharing.
Risk Rises with Password Reuse
Most healthcare workers know better than to reuse passwords across multiple sites and applications. Still, this best practice is often overlooked in the name of convenience and the urgency associated with providing high-quality care. Password reuse puts the entire organization at risk the moment an unrelated third party is breached: cybercriminals can easily obtain breached or leaked credentials via the Dark Web and replay them against other accounts and systems (credential stuffing), including hospital logins that happen to share a password with the breached site.
With breaches occurring on a daily basis, hackers can select from a constantly replenished supply of newly compromised passwords. If even a handful of your employees reuse passwords across applications and accounts, it won't be long before hackers leverage this password faux pas for their own advantage. And if your organization is anything like the average company, password reuse is likely pervasive. According to Google, at least 65% of people use the same password for multiple, if not all, sites and systems.
Password Sharing Increases Vulnerabilities
When every second counts in administering critical care, the last thing hospital staff have time for is issues with login. For this reason, many healthcare workers will share credentials, with 74% of respondents in one study admitting they had obtained a colleague’s password. The researchers state, “Apart from…large-scale mistakes and malicious acts… one of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another.”
It's easy to understand why healthcare workers would default to this practice, but it's equally easy to see how password sharing substantially widens the attack surface.
Threats are inherent at every stage:
- How the password is initially shared (e.g., is it now sitting in multiple email accounts?)
- What else individual staff members use it for (e.g., is it reused for other work and/or personal accounts?)
- What happens at staff turnover (e.g., can a disgruntled former employee still reach hospital systems through a colleague's credential that was never changed?)
It's evident that hospitals cannot afford the risks associated with password sharing.
Protecting Passwords without Impeding Efficiency
The good news is that healthcare institutions can combat the above and other key password risks without implementing policies that impede employee efficiency and, most critically, the delivery of care. The first step is recognizing that employee password behavior is unlikely to change on its own. Staff will continue to select relatively weak passwords, and some will reuse passwords across accounts, no matter how much time you invest in educating them otherwise. Controls therefore have to work at the point where the password is chosen and used, not rely on training alone.
By screening passwords at creation against passwords found in data breaches and cracking dictionaries, healthcare organizations can ensure that no credential already known to be compromised is accepted for corporate accounts. Organizations can also customize their screening to reject common passwords like Password1234 (including the predictable variants, such as swapped digits and symbols, that cracking tools try first) and context-specific passwords that include the hospital, department, or account name.
Of course, a password that was safe when chosen can be exposed in a later breach, so it's essential that hospitals re-check credentials against a continuously updated database of exposed passwords (daily at minimum, and ideally at each login, when the password is available for comparison) to ensure that sensitive data stays protected.
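As an added illustration (example code written for this edit, not Enzoic's product or its API), the following Python sketches both checks described above: screening a candidate password at creation against a breach corpus, a common-password list and context-specific terms, and re-checking an already accepted password at login, when the cleartext is briefly available, against a corpus that may have grown since. The breach corpus, the common-password list, the hospital name "Mercy General" and the username "jdoe" are all constructed sample data. The hash-prefix range query is an assumed privacy-preserving lookup pattern (the client sends only the first five hex characters of the SHA-1 and compares suffixes locally), not a description of any particular vendor's protocol.

```python
from __future__ import annotations

import hashlib
import re


def sha1_hex(password: str) -> str:
    # SHA-1 is used here only as the lookup key into the breach corpus, the way
    # public exposure checks do; it is NOT a suitable way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample data standing in for a real, daily-refreshed feed of exposed
# credentials and a cracking dictionary (both far larger in practice).
BREACH_CORPUS = {sha1_hex(p) for p in (
    "Password1234", "Summer2019!", "letmein", "qwerty123", "MercyGeneral2020")}
COMMON_PASSWORDS = {"password", "123456", "welcome", "letmein", "qwerty", "iloveyou"}

# Undo the substitutions users reach for when a policy rejects a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
EDGE = re.compile(r"^[^a-z]+|[^a-z]+$")  # digits/symbols bolted onto either end


def variants(password: str) -> set[str]:
    """Normalised forms compared against dictionaries; 'P@ssw0rd1!' yields 'password'."""
    low = password.lower()
    core = EDGE.sub("", low)          # strip edge decoration before de-leeting
    return {v for v in (low, core, low.translate(LEET), core.translate(LEET)) if v}


def range_query(prefix: str, corpus: set[str] = BREACH_CORPUS) -> set[str]:
    """Server side of an assumed hash-prefix lookup: every corpus suffix under the
    prefix. The client never discloses the full hash, only the 5-hex-char prefix."""
    return {h[len(prefix):] for h in corpus if h.startswith(prefix)}


def is_breached(password: str, corpus: set[str] = BREACH_CORPUS) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def context_tokens(term: str) -> set[str]:
    """'Mercy General' -> {'mercygeneral', 'mercy', 'general'}; tokens < 4 chars dropped."""
    words = re.findall(r"[a-z0-9]+", term.lower())
    return {t for t in ["".join(words), *words] if len(t) >= 4}


def screen_password(candidate: str, username: str, context_terms: list[str],
                    corpus: set[str] = BREACH_CORPUS, min_length: int = 12) -> list[str]:
    """Screen a password at creation. Returns the reasons for rejection (an empty
    list means accepted) so the UI can tell the user exactly what to change."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(candidate, corpus):
        reasons.append("appears in breach corpus")
    forms = variants(candidate)
    if forms & COMMON_PASSWORDS:
        reasons.append("matches a common or dictionary password")
    for term in (username, *context_terms):
        if any(tok in form for tok in context_tokens(term) for form in forms):
            reasons.append(f"contains context term '{term}'")
    return reasons


def recheck_at_login(password: str, corpus: set[str] = BREACH_CORPUS) -> bool:
    """A password accepted earlier may surface in a later breach. Re-screen at login,
    when the cleartext is available; True means force a reset before proceeding."""
    return is_breached(password, corpus)


if __name__ == "__main__":
    hospital_terms = ["Mercy General", "EMR"]  # constructed context terms
    for pw in ("Password1234", "P@ssw0rd", "MercyGeneral2020!",
               "correct-horse-battery-staple"):
        print(f"{pw!r}: {screen_password(pw, 'jdoe', hospital_terms) or 'accepted'}")
    # Simulate tomorrow's corpus refresh catching a password that passed yesterday.
    yesterday = BREACH_CORPUS - {sha1_hex("Summer2019!")}
    print(recheck_at_login("Summer2019!", yesterday),    # False: not yet known
          recheck_at_login("Summer2019!", BREACH_CORPUS))  # True: leaked since
```

Two design points worth noting: the screen returns every failing reason rather than a bare yes/no, because a user who is told "too short and contains the hospital name" fixes it in one attempt instead of three, which is exactly the friction this approach is trying to avoid; and the login-time recheck is where a daily-refreshed corpus actually pays off, since the stored hash (salted, slow) cannot be compared against a feed directly, but the cleartext presented at login can be.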
Unlike multi-factor authentication (MFA), mandatory password resets, or other traditional approaches, password screening addresses compromised and reused passwords without adding friction to every login (it complements those controls rather than replacing them). Because friction is introduced only when a password is found to be unsafe, login remains fast for everyone else, and employees are less likely to seek a workaround such as sharing a colleague's credentials.
With cybersecurity poised to remain a prime area of investment for healthcare organizations, it’s crucial that hospitals not overlook the basics, which includes securing passwords. Adding additional security around passwords that also addresses the need for quick authentication is a critical step in preventing sensitive accounts and data from falling into the wrong hands.
With over 80% of data breaches attributed to compromised passwords, hospitals must recognize the threat inadvertently posed by their own employees and implement controls that minimize it. Otherwise, even the largest cybersecurity budget will fall short of expectations, and organizations will remain a step behind their attackers.