Employee Password Security for Healthcare Providers
https://www.enzoic.com/password-security-healthcare-providers/

Employee password security is a significant issue for healthcare providers. How can hospitals and other healthcare providers tackle password security concerns?

The healthcare sector is increasingly the target of cybercriminals. As more providers move internal systems online, leverage connected medical devices, and host medical records on patient portals, they become even more attractive targets for cybercriminals.

Healthcare Providers Increasingly Targeted

Why are healthcare providers being targeted? The previous criminal focus on financial systems has expanded. The sensitive data housed within hospital and healthcare provider systems is a lucrative target for cybercriminals: it can be used for identity theft and fraudulent medical care, and it can be sold online. For these reasons, medical records and medical-related PII are aggressively traded on Dark Web marketplaces.

83% of surveyed healthcare organizations said they have seen an increase in cyberattacks in the last 12 months.
2019 Carbon Black Industry Survey

Compromised Passwords Represent A Major Vulnerability

According to Clearwater CyberIntelligence Institute, user authentication is the most common cyber risk for hospitals and health systems. With over 80% of data breaches due to compromised passwords, user authentication and passwords are a legitimate concern.

Passwords are one of the most difficult areas in which to enforce effective security because they are selected by the users themselves. And like most people, healthcare staff reuse passwords. According to Google, 65% of people reuse passwords across multiple, if not all, sites and systems. Even worse, many employees reuse passwords across their personal and work accounts.

All this puts the healthcare employer at risk. Even when employees meet password complexity requirements, password reuse across multiple sites creates a major vulnerability. Cybercriminals easily obtain breached or leaked credentials online and then use them against other online accounts or systems.

Risky Password Behaviors in Clinical Settings

Weak and generally vulnerable passwords are also an issue. Clinical staff often follow the path of least resistance when it comes to passwords. This includes creating passwords that use the name of the hospital or common dictionary words with simple substitutions. And when they change a password, they make only slight changes from what they used previously.

Cybercriminals are aware of typical substitution and common variation patterns, so these are very risky behaviors. Again, the vulnerability is created by the well-intentioned staff. They just want to focus their attention on patients. Many employees use unsafe passwords and are entirely unaware of it. Unfortunately, this leaves systems administrators in a difficult position that is challenging to address.

Boosting Employee Password Security for Healthcare Providers and Hospitals

Preventing commonly-used, expected, or compromised passwords

Password security starts with preventing staff from using vulnerable passwords. Many hospitals and health service providers are adopting low-friction, automated password monitoring. This monitoring screens for weak, commonly-used, expected, and compromised passwords in Active Directory.

These services check the password at the time it is created or reset to make sure it is safe, rejecting passwords found in data breaches and cracking dictionaries. Custom dictionaries allow healthcare providers to tailor these password blacklists to exclude the name of the hospital or similar words that should be restricted. All of these checks are enhanced with fuzzy matching to handle common variations.

Services can then continue to monitor the password daily against a real-time compromised password database to ensure it does not become unsafe while it is in use. When a previously safe password is found to be part of a new data breach, automated remediation can be applied based on what is considered appropriate: notifying the user, requiring the password to be changed immediately or shortly thereafter, or disabling the account.

New passwords should also be checked to ensure they are not simple iterations of a root password (a password that gets changed by just a few characters). The new password should always be checked against the old password and blocked if it is too similar.
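The screening steps above (breach list, cracking dictionary, custom hospital dictionary with fuzzy matching, and a similarity check against the previous password), as an added example that is not Enzoic's code. The word lists are tiny constructed stand-ins, and the normalization rules, the 0.7 similarity threshold and the hospital names are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lists (hypothetical, tiny stand-ins for real feeds):
# a breach list, a cracking dictionary, and the hospital's custom dictionary.
BREACHED = {"password123", "welcome1", "summer2019"}
CRACKING_DICT = {"password", "welcome", "letmein", "qwerty", "summer"}
CUSTOM_DICT = {"stmarys", "mercy", "hospital"}

# Common leet substitutions that attackers and users both know.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Fuzzy-match form: lowercase, drop trailing digits/symbols, undo leet.
    'M3rcy2024!' -> 'mercy', 'P@ssw0rd' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def similarity(a: str, b: str) -> float:
    """Similarity ratio in 0.0..1.0, compared case-insensitively."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def screen_password(new_pw: str, old_pw: str = "",
                    max_similarity: float = 0.7) -> list:
    """Return the reasons to reject new_pw; an empty list means accept."""
    reasons = []
    norm = normalize(new_pw)
    if new_pw in BREACHED or new_pw.lower() in BREACHED:
        reasons.append("compromised")
    if norm in CRACKING_DICT:
        reasons.append("common word or variant")
    if any(term in norm for term in CUSTOM_DICT):
        reasons.append("contains organization term")
    if old_pw and similarity(new_pw, old_pw) >= max_similarity:
        reasons.append("too similar to previous")
    return reasons


if __name__ == "__main__":
    for candidate, previous in [("password123", ""), ("M3rcy2024!", ""),
                                ("Mercy2024!", "Mercy2023!"),
                                ("Glacier-Lantern-47", "Mercy2023!")]:
        print(candidate, "->", screen_password(candidate, previous) or "accepted")
```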

Ensuring All Factors of Authentication Are Secure

Many healthcare providers are adopting Multi-Factor Authentication (MFA) for their employees to help reduce the risk of unauthorized authentication. However, MFA means at least two factors are needed to log in. The first is a password; the second may be a token, a card, or even a biometric scan. But if the first factor is not secure, the organization is still vulnerable and is also at risk of failing compliance requirements.

Most compliance requirements make it clear that each factor of authentication needs to be secured appropriately. For instance, NIST 800-63B requires that “Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s).”

Closing

Hospitals and healthcare organizations need to be cautious with their password security practices and keep up with the latest guidelines (NIST, HIPAA, etc.) to keep the organization, patients, and staff safe. Weak password security increases the likelihood of a successful cyberattack.

Josh Horwitz, COO, Enzoic

To boost password security in hospitals and health services, organizations can follow the best practices for passwords and password policies outlined by HIPAA and HITRUST. Many state and university health services also have to adhere to the NIST Password Guidelines.

Josh Horwitz, COO, Enzoic

Learn more about how your organization can monitor Active Directory for commonly-used, expected, or compromised passwords.

Healthcare Providers, Hospitals, Password Security

What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups.

We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.
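The lookup described above, as an added example that is not Enzoic's code: the client submits only the three unsalted digests, and the server's index holds plaintext leaks folded into all three forms and hash-only leaks under the one form in which they leaked, which is why a single hash algorithm would miss some entries. The leak corpus and the passwords in it are constructed for the example.

```python
import hashlib


def hash_forms(password: str) -> dict:
    """The three unsalted digests the page describes: MD5, SHA1 and SHA256 of the UTF-8 password."""
    data = password.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed leak corpus (hypothetical): one entry leaked in plaintext, the others
# only ever appeared as an unsalted hash of a single algorithm.
CONSTRUCTED_LEAK = [
    ("plaintext", "Winter2019!"),
    ("md5", hashlib.md5(b"letmein").hexdigest()),
    ("sha1", hashlib.sha1(b"hunter2").hexdigest()),
    ("sha256", hashlib.sha256(b"Mercy2020").hexdigest()),
]


def build_index(leak) -> dict:
    """Server-side index, one set per hash form. Plaintext leaks are folded into all
    three forms; hash-only leaks can only be indexed under the form they leaked in."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for form, value in leak:
        if form == "plaintext":
            for f, digest in hash_forms(value).items():
                index[f].add(digest)
        else:
            index[form].add(value.lower())
    return index


INDEX = build_index(CONSTRUCTED_LEAK)


def matching_forms(password: str, index: dict = INDEX) -> list:
    """What the server can answer from the submitted digests alone: the hash forms
    under which the candidate is known. Only digests ever leave the client."""
    submitted = hash_forms(password)
    return [f for f in ("md5", "sha1", "sha256") if submitted[f] in index[f]]


def is_compromised(password: str, index: dict = INDEX) -> bool:
    return bool(matching_forms(password, index))


if __name__ == "__main__":
    for pw in ["Winter2019!", "letmein", "hunter2", "Glacier-Lantern-47"]:
        print(pw, "->", matching_forms(pw) or "not found")
```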
