According to the Health Insurance Portability and Accountability Act (HIPAA) Journal, between 2009-2022, there have been more than 5,150 healthcare data breaches of 500 or more recorded, impacting more than 382 million medical records. Why is this happening, and what can organizations do to improve employee password security?
Weak and Compromised Passwords
Compromised passwords are one of the most concerning risks for hospitals and health services. Over 80% of data breaches are due to compromised passwords in some capacity.
Passwords are one of the most difficult areas to enforce effective security because they are selected by the user. According to Google, 52% of people openly admit to reusing passwords across multiple, if not all, accounts and sites. And like most people, healthcare staff reuse passwords. Even if an employee has a very complex password, reusing it on multiple sites can create a major vulnerability.
Weak passwords are also a major issue. Clinical staff often follow the path of least resistance when it comes to passwords. They often opt for passwords that are simple to type in and easy to remember. This includes creating passwords that use the name of the hospital or common dictionary words with simple substitutions. Unfortunately, cybercriminals are aware of typical substitution patterns, so these are very risky habits.
Password Sharing
Password sharing is also a significant issue in hospitals and healthcare settings. According to a study by Healthcare IT News, 73.6% of surveyed hospital staff had obtained the password of another medical staff member.
There are numerous reasons why healthcare staff will share credentials. The most cited reason is that every minute counts in critical care. However, like weak passwords and password reuse, sharing passwords decreases the efficacy of passwords, creating vulnerabilities.
Researchers have noticed that password sharing is one of the most common HIPAA violations. While technology-neutral in its stance, under the HIPAA Security Rules, there is a section relating to access controls. It states that procedures must ‘verify that a person or entity seeking access to electronically protected health information is the one claimed’ and ‘assign a unique name and/or number for identifying and tracking user identity’. When employees, interns, and staff of any type share credentials, they are not complying, and user identity cannot be accurately tracked.
HIPAA and HITRUST
To boost password security in hospitals and health services, organizations can follow the best practices of information security professionals. In the US, HIPAA regulation and HITRUST security frameworks help shape reliable security and password policies in healthcare. Many university and state health services also have to adhere to the NIST Password Guidelines.
While HIPAA guidelines are kept general to be interpreted with some flexibility between organizations, HITRUST CSF recommendations are specific and practical. The HITRUST Common Security Framework (CSF) is a useful place to start, as they incorporate requirements from both HIPAA and NIST.
A Safe Layer
Network administrators can help communicate the need for security by openly discussing the problems that healthcare workers struggle with—time and the need for urgent care being a top priority. In time-sensitive environments, multifactor authentication (MFA) and layers of logins can be a barrier.
Therefore, it’s important to secure the first, and most-used, authentication layer: passwords. In short, IT administrators need to emphasize the importance of strong, unique passwords, and provide infrastructure to keep the password layer secure.
Password security starts with preventing staff from using common passwords and dictionary words. Common passwords, like ‘Password1234,’ should not be allowed to be used by employees, and employees should not be allowed to use iterations of a root password (a password that gets changed by just a few characters). Additionally, the new password that the employee chooses should always get checked against the old password and get blocked if it is too similar. Context-specific passwords should be blocked as well.
3. Detection & Reaction
Many hospitals and health service providers are opting for lower-friction password security solutions such as monitoring for compromised passwords in Active Directory. Most solutions check the password at the time it is created or reset to make sure it is safe. This type of check screens against passwords found in data breaches and cracking dictionaries, while custom dictionaries can allow healthcare providers to tailor these password blacklists to exclude the name of the hospital or similar words that should be restricted. Services can then continue to monitor the password daily against a real-time compromised password database to ensure it doesn’t become unsafe while it is in use. This is a central service, as protection is needed round-the-clock.
When a previously safe password is found to be part of a subsequent data breach, automated remediation can be used based on what is considered appropriate: notifying the user or the system administrator, requiring the password to be changed immediately or shortly thereafter, or disabling the account. This is an easy way to keep healthcare staff accounts safe without adding a lot of complexity to user authentication.
The balance of security versus quick authentication is challenging for healthcare facilities because, in urgent medical situations, the last thing a clinician needs is to be locked out of a system instead of taking care of a patient. Because of this, low-friction password monitoring is quickly becoming a security standard in healthcare.
Ensuring that the password layer is secure by instituting ongoing monitoring and comparing new and in-use passwords against a constantly updated blacklist is one of the most effective ways to enforce strong cybersecurity. In this case, it will help organizations focus on better data security and, potentially, improved patient outcomes.
Read the e-book, “Employee Password Security for Hospitals and Healthcare Providers” for more details.