Getting Password Security Right in the Healthcare Sector

Updated on February 8, 2024

The World Economic Forum has warned that cyberattacks against healthcare providers are increasing, and organizations in this sector should take note. The industry has been a prime target for years; even the American Hospital Association has stated it "saw an even greater number of incidents" in recent times. To compound matters, in the U.S. the average cost of a healthcare breach is estimated at $10.93 million, a figure that has risen by over 53% over the past three years.

Digital transformation has swept through the working world, including the healthcare sector. However, as the digital footprint expands, so does the exposure to phishing, data breaches and stolen credentials. Furthermore, healthcare organizations often rely on third-party providers; if those providers are not following security best practices, they add to the potential for supply chain attacks.

Should a healthcare provider suffer a security incident, the implications could be devastating given the value and sensitivity of the information it holds: not only for the patients receiving care, but also for the organization, both financially and from a data privacy standpoint.

One of the highest-profile healthcare cyberattacks internationally was WannaCry in 2017, which crippled the UK's National Health Service (NHS) at an estimated cost of £92 million. In the U.S., one of the largest attacks took place in 2015 against the health insurer Anthem: attackers gained access to its corporate database through phishing and stole an estimated 79 million records containing sensitive patient and employee data. Anthem paid $115 million to settle the resulting litigation.

Healthcare institutions have a responsibility to their patients and employees to avoid negligence. Providing cybersecurity is part of that duty of protection and care.

Protecting healthcare data can be difficult

It is well documented that healthcare providers are reluctant to invest in or adopt new technologies and systems. This is often because budgets are limited, the workforce is too large to make a drastic shift, or the legacy processes in place make any change take too long. For context, there are thought to be over 14 million healthcare workers in the U.S. With so many people able to access patient information, it can be incredibly difficult to maintain visibility into who has access and where the data resides, which adds to the already strenuous and pressurized environments these individuals work in.

Unfortunately, cybercriminals know of these failings and often won't need creative methods to infiltrate systems. One of the first areas they target is weak credentials and passwords used by employees. Research has shown that 74% of data breaches involved a human element such as error, misuse or stolen credentials, and password reuse, which is common practice among healthcare workers, is a frequent contributor.

Poor password security practice

In many cases, passwords become easy to attack for one simple reason: users make them easy to guess. These weak passwords are typically short, reused across many accounts, and follow common patterns and themes that relate to the individual or the place where they work. For instance, when you analyze the most common base terms found in breached passwords, 'password', 'admin' and 'welcome' appear among the top five. Despite continuous warnings from the security industry, these common terms are widely used to secure accounts in both professional and personal settings.

The situation has reached the point where regulations and laws now require organizations to implement policies mandating passwords of a certain length and complexity.

A prime example can be seen in the U.S. healthcare sector. Covered organizations in this industry must adhere to HIPAA, the U.S. law that sets national standards to protect sensitive patient health information from disclosure without the patient's knowledge or consent. In seeking HIPAA compliance, many healthcare operators leverage the HITRUST framework, which helps organizations achieve their security and privacy goals. Under that framework, passwords must be a minimum of eight characters, or 15 characters for accounts with the most privileged access. A password must also contain at least one letter and at least one number or special character, and privileged-account passwords must additionally contain both upper- and lower-case letters.

However, even with these requirements in place, research has revealed that 83% of compromised passwords would still meet the length and complexity requirements of compliance standards. Complexity rules say nothing about whether a password is already in an attacker's wordlist.

It is for this reason that businesses in the healthcare sector should screen all passwords against a list of commonly used, breached and leaked passwords, both when a password is set and periodically thereafter. This greatly reduces the risk of weak passwords being used and raises the overall security baseline for the organization.
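As an added illustration (not code from the original article, and not Specops' product logic), the Python screener below applies the length and complexity rules summarised above and then runs the two checks that complexity rules alone miss: a lookup against a breached-password list, and a match against a custom dictionary of base terms after stripping appended digits and punctuation and undoing common character substitutions. The breach corpus, the dictionary entries and the substitution map are constructed for the example; a real deployment would use a full breach corpus and the organization's own dictionary.

```python
import hashlib
import re

# Constructed sample breach corpus (hypothetical, not a real breach dataset).
# Stored as upper-case SHA-1 hex digests, the format in which breached-password
# lists are commonly distributed, so the screener never needs the plaintexts.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Welcome123!", "Summer2023!", "Password1!", "Hospital2024")
}

# Custom dictionary of base terms: the article's top breached base terms plus
# hypothetical organisation-specific words an attacker would try first.
CUSTOM_DICTIONARY = {"password", "admin", "welcome", "hospital", "nurse", "mercy"}

# Common character substitutions to undo before dictionary matching, so that
# "P@ssw0rd" is treated as "password" (assumed map, extend as needed).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(password: str, privileged: bool = False) -> bool:
    """Length/complexity policy as summarised in the article: eight characters
    (15 for privileged accounts), at least one letter plus a digit or special
    character, and both upper- and lower-case letters for privileged accounts."""
    if len(password) < (15 if privileged else 8):
        return False
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[\d\W_]", password)):
        return False
    if privileged:
        return bool(re.search(r"[a-z]", password) and re.search(r"[A-Z]", password))
    return True


def normalize(password: str) -> str:
    """Reduce a candidate to its base term: lower-case it, strip leading and
    trailing digits/punctuation ("Welcome123!" -> "welcome"), then undo common
    substitutions ("H0sp1tal" -> "hospital")."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def screen(password: str, privileged: bool = False) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_complexity(password, privileged):
        reasons.append("fails length/complexity policy")
    # SHA-1 here is only a lookup key into the breach corpus; it is not a way to
    # store passwords (use a slow, salted hash such as bcrypt or Argon2 for that).
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        reasons.append("appears in breached-password list")
    base = normalize(password)
    hits = sorted(term for term in CUSTOM_DICTIONARY if term in base)
    if hits:
        reasons.append("built on blocked base term(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for candidate, priv in (("Welcome123!", False), ("P@ssw0rd2024!", False),
                            ("Xq7#vL2!pZ9w", False), ("Xq7#vL2!pZ9w", True)):
        verdict = screen(candidate, priv) or ["accepted"]
        print(f"{candidate!r} (privileged={priv}): {'; '.join(verdict)}")
```

Note what the two extra checks catch: "Welcome123!" and "P@ssw0rd2024!" both satisfy the complexity policy, yet the first is in the breach corpus and both reduce to a blocked base term once the trailing digits and substitutions are stripped. The same normalisation is what makes a custom dictionary useful; without it, users simply append the current year to the blocked word.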

How can we progress with passwords?

As we know, passwords aren't going anywhere. They will be with us for some time, so while they are, we must ensure they are not already breached, don't follow predictable patterns, and are easy to remember while remaining long and complex.

Of course, end-user training in good security habits will help to prevent password reuse and other risky practices, but there are further steps healthcare organizations can take to protect their systems. These include the following:

  • First, implement third-party password security software to strengthen your Active Directory accounts. Active Directory is the authentication backbone of Windows domain networks, but its default password policy settings are not robust enough to counter modern attackers.
  • Second, seek out solutions that block the use of compromised passwords and of commonly used terms via custom dictionaries, including variants built on those terms with substituted characters or appended digits.
  • Third, deploy multi-factor authentication wherever possible alongside a strong password policy, so that a single stolen password is not enough on its own.

Passwords remain a crucial aspect of security. Continuously monitoring the passwords in use across an organization, checking them against known compromised credentials, and forcing a change when a match is found is an efficient way to reinforce a robust defense, enhance data security, and safeguard patient well-being.

Darren James
Senior Product Manager at Specops Software

Darren James is a senior product manager at Specops Software, a global cybersecurity company.