Employee password security is a significant issue for healthcare providers. How can hospitals and other healthcare providers tackle password security concerns?
The healthcare industry sector is increasingly the target of cybercriminals. As more providers move internal systems online, leverage connected medical devices, and host medical records on patient portals; they become even more vulnerable as targets for cybercriminals.
Why are healthcare providers being targeted? The previous criminal focus on financial systems has expanded. The sensitive data housed within hospital and healthcare provider systems is a lucrative target for cybercriminals. It can be used for identity theft, fraudulent medical care, and be sold online. For these reasons, medical records and medical-related PII are aggressively sold on Dark Web marketplaces.
According to Clearwater CyberIntelligence Institute, user authentication is the most common cyber risk for hospitals and health systems. With over 80% of data breaches due to compromised passwords, user authentication and passwords are a legitimate concern.
Passwords are one of the most difficult areas to enforce effective security because they are selected by the user themself. And like most people, healthcare staff reuse passwords. According to Google, 65% of people reuse passwords across multiple, if not all, sites and systems. Even worse, many employees reuse passwords across their personal and work accounts.
All this puts the healthcare employer at risk. Even when employees meet password complexity requirements, password reuse across multiple sites creates a major vulnerability. Cybercriminals easily obtain breached or leaked credentials online and then use them against other online accounts or systems.
Weak and generally vulnerable passwords are also an issue. Clinical staff often follow the path of least resistance when it comes to passwords. This includes creating passwords that use the name of the hospital or common dictionary words with simple substitutions. And when they change a password, they make only slight changes from what they used previously.
Cybercriminals are aware of typical substitution and common variation patterns, so these are very risky behaviors. Again, the vulnerability is created by the well-intentioned staff. They just want to focus their attention on patients. Many employees use unsafe passwords and are entirely unaware of it. Unfortunately, this leaves systems administrators in a difficult position that is challenging to address.
Password security starts with preventing staff from using vulnerable passwords. Many hospitals and health service providers are adopting low-friction, automated password monitoring. This monitoring screens for weak, commonly-used, expected, and compromised passwords in Active Directory.
They check the password at the time it is created or reset to make sure it is safe. It checks passwords found in data breaches and cracking dictionaries that should not be allowed to be used by employees. Custom dictionaries allow healthcare providers to tailor these password blacklist to exclude the name of the hospital or similar words that should be restricted. These are all enhanced with fuzzy matching to handle common variations.
Services can then continue to monitor the password daily against a real-time compromised password database to ensure it doesn’t become unsafe while it is in use. When a previously safe password is found to be part of a new data breach, automated remediation can be used based on what is considered appropriate: notification, require the password to be changed immediately or shortly thereafter or disabling the account.
New passwords should also be checked to ensure they are not simple iterations of a root password (a password that gets changed by just a few characters.) The new password should always get checked against the old password and get blocked if it is too similar.
Many healthcare providers are adopting Multi-Factor Authentication (MFA) for their employees to help reduce the risk of unauthorized authentication. However, MFA means at least two factors to login. The 1st is a password; the 2nd may be a token, a card, or even a biometric scan. But if the 1st factor is not secure, the organization is still vulnerable and is also at risk of failing compliance requirements.
Most compliance requirements make it clear that each factor of authentication needs to be secured appropriately. For instance, NIST 800-63b requires “Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s)”
Hospitals and healthcare organizations need to be cautious with their password security practices and keep up with the latest guidelines (NIST, HIPPA, etc.) to keep the organization, patients, and staff safe. Weak password security increases the likelihood of a successful cyber attack.
To boost password security in hospitals and health services, organizations can follow the best practices for passwords and password policies outlined by HIPAA and HITRUST. Many state and university health services also have to adhere to the NIST Password Guidelines as well.Josh Horwitz, COO, Enzoic
Learn more about how your organization can monitor Active Directory for commonly-used, expected, or compromised passwords.