One of the simplest cybersecurity measures is using a strong password. But what is a password?
In one of the more significant medical data breaches of 2020, Magellan Health, a Fortune 500 insurance company, reported a ransomware attack and data breach affecting 1,013,556 individuals. Criminals obtained login credentials and passwords through a phishing email, allowing access to personal information such as names, addresses, employee ID numbers and Social Security numbers.
Healthcare data breaches have increased every year over the past decade, with 2020 being the worst to date. Over the years, the HHS Office for Civil Rights (OCR) has emphasized that one cause of healthcare data breaches has been weak healthcare authentication measures involving both management and employees. Studies of medical data breaches conclude that employees are the weakest link in cybersecurity. The OCR has also noted the widespread use of the same or similar passwords or passphrases by healthcare personnel to access information on public or private networks, internet portals, computers, medical devices and software applications. Data breaches, including medical data breaches, often involve access to systems by obtaining active credentials, i.e., active passwords, through social engineering such as phishing. Once criminals have access to the system, they can steal information or implant ransomware or other malware to corrupt the data.
Authentication is the process of assuring that an entity (person or system) is who the entity claims to be. Methods of authentication include single-factor, two-factor or multi-factor authentication using something you know (password), something you have (token) or something you are (fingerprint, retina, facial scan, etc.) and behavior biometrics (voice prints). But of all authentication methods, passwords are still the most widely used.
It is estimated that individuals currently use between 85 and 100 passwords depending on their type of work, which is enough to cause password fatigue and to lead users into the dangerous practice of using the same password across multiple accounts and sites. Because of user choices and bad practices, passwords are the authentication method most vulnerable to hacking attempts. Cybercriminals use three main methods for compromising passwords:
- Human guessing using social media and other information
- Cracking with computer algorithms
- Gaining access by social engineering, e.g., being given entry by phishing
As in the example case, studies have shown that compromised passwords are responsible for over 80% of hacking-related breaches. Password management is a HIPAA privacy and security requirement under the Security Rule Administrative Safeguards as an addressable specification. There is no mandate to use passwords, but when it is a reasonable and appropriate safeguard for a covered entity, the covered entity must “implement procedures for creating, changing, and safeguarding passwords.” If passwords are used, it is necessary to have policies and procedures for password management, guidelines for creating passwords and schedules for changing them periodically.
Password security starts with the creation of the password. Everyone is aware of the advice to have at least eight characters, use upper and lower case letters and use special characters. An example would be “234&81$##aB.” Using computer algorithms, this password could be cracked in about 16 hours. The National Institute of Standards and Technology (NIST) now recommends the removal of all such complexity requirements.
The length of a password matters much more than the complexity of the password. As users try to construct complex passwords, they also tend to use the same or similar passwords across multiple platforms and change the complexity by only one or two characters, making hacking easier. A better method uses a less complex but longer password such as “mydogwantsfoodnow,” which has no special characters. It is easier to remember and would require an estimated 800,000 years to crack. But, incorporating special characters, capitalization and numbers can be easy, too. Consider this variation: “My-dog-wants-food-at-7AM!”
When constructing a password, however, the names of a spouse, pet, city of residence, birthplace or any other personally identifiable information should not be used. This type of information can be deduced from social media accounts or other sources. Also, choose words that don’t appear in a dictionary, since criminals can use software that checks against all dictionary words. Office policy should instruct employees never to share passwords or any login credentials. Follow the Security Rule requirements for password management.
Risk Mitigation Strategies
The role of authentication and passwords is a prominent part of medical cybersecurity. Every practice should ensure that policies address these vital areas as part of the efforts to avoid data breaches:
- Have a password policy and enforce it.
- Use long passwords rather than shorter complex passwords.
- Use an authentication system that allows for password audits to identify password reuse across employees or use of common words or common words with simple character replacements.
- When weak passwords are found, correct them before they lead to an incident.
- Avoid using passwords alone and consider using at least two-factor authentication (2FA), e.g., using a password and SMS code.
- Consider using a password manager, which reduces the burden of remembering many passwords to remembering one password for entry to the system and one for the manager itself.
- Limit login attempts, which hinders attackers who try to gain access by logging in repeatedly with guessed passwords until one works (a brute-force attack).
- Eliminate the practice of assisting users in remembering passwords by offering a hint or requiring an answer to a personal question since such information may be available on social media and subject to social engineering.
- Balance the need to change passwords against the frequency of changes, since, with more frequent changes, users tend to change their passwords in predictable patterns, e.g., changing one or two characters or adding a single character to the end of the previous password.
- Require training for all employees in password use and protection, which is vital to good cybersecurity and to avoiding data breaches.
- Check your password strength at howsecureismypassword.net at no cost.
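As an added illustration of the audit checks recommended above (length over complexity, dictionary words with simple character replacements, reuse across employees, and barely changed passwords), here is an example password-audit function. It is example code, not part of the original article or any LAMMICO or OCR tool; the 15-character minimum, the 0.8 similarity threshold, the short word list and the audit key are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import re
from difflib import SequenceMatcher

# Constructed sample word list. A real audit would load a full dictionary
# plus a breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "hospital", "letmein", "admin"}

# Character substitutions that cracking tools try automatically.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 15          # assumed policy minimum; the article only says "long"
SIMILARITY_LIMIT = 0.8   # assumed threshold for a "barely changed" password
# Assumed audit key, kept outside the user database, so the fingerprints
# below cannot be cracked offline the way unsalted hashes can.
AUDIT_KEY = b"audit-key-placeholder"


def normalize(password: str) -> str:
    """Reduce 'P@ssw0rd1!' to 'password': drop trailing digits/symbols,
    undo leet substitutions, keep letters only."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return "".join(c for c in core.translate(LEET_MAP) if c.isalpha())


def audit_fingerprint(password: str) -> str:
    """Keyed hash used only to detect the same password on several accounts."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()


def audit_password(password, previous=None, seen_fingerprints=frozenset()):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    if normalize(password) in COMMON_WORDS:
        findings.append("dictionary word with simple substitutions")
    # A change such as Summer2023! -> Summer2024! keeps most of the old password.
    if previous is not None and SequenceMatcher(None, previous, password).ratio() >= SIMILARITY_LIMIT:
        findings.append("too similar to previous password")
    if audit_fingerprint(password) in seen_fingerprints:
        findings.append("already used by another account")
    return findings


if __name__ == "__main__":
    seen = {audit_fingerprint("mydogwantsfoodnow")}  # another employee's password
    for pw, prev in [("234&81$##aB", None), ("Summer2024!", "Summer2023!"),
                     ("My-dog-wants-food-at-7AM!", None), ("mydogwantsfoodnow", None)]:
        print(pw, "->", audit_password(pw, prev, seen) or "OK")
```

Run at password-change time (when the plaintext is briefly available) so weak or reused choices are rejected before they reach the directory.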
Cyber Liability Coverage and Additional Resources
LAMMICO includes $10,000 of MEDEFENSE® Plus/Cyber Liability coverage in most provider policies at no additional charge to the insured. We also offer the option to purchase higher limits of protection through our subsidiary agency, Elatas Risk Partners, subject to underwriting, which will include questions that home in on two-factor authentication and backup processes and procedures. Please contact Carly Thames, Elatas Account Executive, at email@example.com or 225.906.2062 for information on purchasing higher limits of Cyber Liability insurance.
In partnership with our cyber risk experts, Tokio Marine HCC – Cyber & Professional Lines Group, LAMMICO offers our insureds complimentary access to TMHCC CyberNET®, a cyber risk management resource that includes incident response plans, compliance and training materials, and information on the latest trends in data breaches and cybercrime, including concerns surrounding COVID-19.
Registered lammico.com Members are encouraged to log in and access the CyberNET® portal.
For more information about minimizing cybersecurity threats, please contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.