By Andy Syrewicze

Passwords are the most familiar security control in any organization, the first layer of protection around company information. They are also a liability: many users choose weak or reused passwords, and many companies fall victim to threat actors because of poor password management.

Major Healthcare Data Breach

In February 2024, Change Healthcare, a UnitedHealth subsidiary, was hit by a ransomware attack. The attackers got in with a stolen password, through a remote-access portal that did not have multi-factor authentication enabled; UnitedHealth confirmed that detail in testimony to Congress on May 1. The ransomware group ALPHV, also known as BlackCat and believed to operate out of Russia, claimed responsibility, alleging that it had taken more than six terabytes of data, including "sensitive" medical records. The attack disrupted payment and claims processing around the country, stressing doctors' offices and health systems by interfering with their ability to file claims and get paid.


It also hamstrung the U.S. prescription market for more than two weeks. With Change Healthcare's networks and services down, providers could not process patient payments and insurance claims, and pharmacies could not work out which costs were covered by insurers, payment processors, providers and patients. The result was long delays in filling prescriptions, many of them for lifesaving medicines.

Protecting Patient Information

Without proper password management, any organization can fall victim to threat actors in this way. In healthcare it is especially important that patient information stay confidential. Healthcare organizations are attractive targets because they hold so much valuable information: medical records, home addresses, telephone numbers, email addresses and more. They therefore need the right tools and procedures to audit and manage access to that data.

Employee behavior also contributes to the compromise of sensitive information when proper training is not provided. Medical professionals must protect themselves and their organization from threat actors, but they also have a duty of care to protect patient data, because patients' information can be compromised through no fault of their own.

Here are password management steps that hearing care professionals can take to keep their passwords secure:

Top Tips for Password Security 

Secure IT admin access. 

This may be obvious, but make sure IT admin access is locked down. Keep an audit trail of administrative actions, and grant administrative privileges just-in-time (JIT): an admin requests elevated access when a task requires it, holds it for a limited time and loses it automatically afterwards. A stolen admin credential is then not permanently privileged, and every elevation is logged.

Mandate multi-factor authentication (MFA).

MFA is a must as an extra layer of security. Many threat actors will move on rather than try to get around it. Persistent actors can still defeat code- and push-based MFA, through social engineering or reverse-proxy (adversary-in-the-middle) phishing pages that relay the user's code to the real site in real time; passkeys, covered below, resist that attack because they are bound to the site's origin. Even so, MFA remains one of the best measures available to protect accounts.

Provide password management training.

Training shows employees why they must not use identical, similar or serialized passwords (Clinic2023!, Clinic2024! and so on), which people adopt to save time and hassle but which leave the organization exposed. Such passwords are easy to remember, but once one leaks, every variant is guessable, and with it any protected health information (PHI) behind those accounts.

Encourage the avoidance of password rotation. 

Forced routine password changes push employees toward a serialized password scheme rather than choosing a solid, well-protected password once. NIST's Digital Identity Guidelines (SP 800-63B) now advise against requiring periodic changes; a password should be changed when there is evidence it has been compromised.

Ensure employees are using different passwords across accounts.

Unique passwords for different accounts protect users from credential stuffing attacks, in which threat actors take username and password pairs leaked from one breach and replay them against other services. These attacks depend on the same password being used across accounts.

Encourage strong password strength. 

This means avoiding simple or short passwords, and length matters more than composition rules. For sensitive accounts, use a long randomly generated password or a multi-word passphrase. A machine-generated password of 20 or more characters drawn from letters, digits and symbols is beyond practical brute force for today's threat actors, and a password manager removes the need to remember it.
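To make the three password tips above concrete (training against serialized passwords, no forced rotation, length over complexity), here is an added example, written for this page and not the author's code, of a password check in the style of NIST SP 800-63B: length bounds with no composition rules, a blocklist, no username inside the password, and rejection of a new password that is just the previous one with the number bumped. The thresholds and the blocklist entries are assumptions; a real check would consult a breached-password list. The entropy estimate is only meaningful for randomly generated passwords.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

// Policy values are assumptions for this example. NIST SP 800-63B sets a floor
// of 8 characters and requires verifiers to accept at least 64.
const (
	minLength = 12
	maxLength = 64
	alphabet  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_"
)

// blocklist is a constructed stand-in for a breached-password list.
var blocklist = map[string]bool{"password1234": true, "welcome12345": true, "hearingclinic": true}

// CheckPassword applies NIST-style rules: length bounds but no composition
// requirements, a blocklist, no username inside the password, and a check that
// the new password is not just the previous one with a new number on the end.
func CheckPassword(pw, username, previous string) error {
	if n := len([]rune(pw)); n < minLength || n > maxLength {
		return fmt.Errorf("length must be %d to %d characters", minLength, maxLength)
	}
	lower := strings.ToLower(pw)
	if blocklist[lower] {
		return fmt.Errorf("found in the compromised-password list")
	}
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		return fmt.Errorf("contains the username")
	}
	if s := stem(pw); previous != "" && s != "" && s == stem(previous) {
		return fmt.Errorf("serialized variant of the previous password")
	}
	return nil
}

// stem keeps only letters, lowercased: "Clinic2023!" and "Clinic2024!!" both
// become "clinic" and are treated as the same password.
func stem(pw string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(pw) {
		if unicode.IsLetter(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// EntropyBits is length * log2(alphabet size) for a password generated uniformly
// at random over the character classes it contains. It says nothing useful
// about human-chosen passwords, which follow patterns a cracker tries first.
func EntropyBits(pw string) float64 {
	size, seen := 0, map[int]bool{}
	for _, r := range pw {
		var class, n int
		switch {
		case unicode.IsLower(r):
			class, n = 0, 26
		case unicode.IsUpper(r):
			class, n = 1, 26
		case unicode.IsDigit(r):
			class, n = 2, 10
		default:
			class, n = 3, 33 // printable ASCII symbols and space
		}
		if !seen[class] {
			seen[class], size = true, size+n
		}
	}
	if size == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(size))
}

// GenerateRandom draws n characters from alphabet using crypto/rand; rand.Int is
// uniform over [0, len(alphabet)), so there is no modulo bias.
func GenerateRandom(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	fmt.Println(CheckPassword("Hearing2024!", "", "Hearing2023!")) // serialized variant of the previous password
	fmt.Println(CheckPassword("correct horse battery staple", "", "")) // <nil>
	pw, _ := GenerateRandom(24)
	fmt.Printf("%s (%.0f bits if random)\n", pw, EntropyBits(pw))
}
```

A 24-character password from this 75-symbol alphabet carries about 150 bits if every class appears, which is why a generated password plus a manager beats any memorable scheme; the stem check is deliberately crude, and a production verifier would also compare against the user's recent password history with the same normalization.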

Add password managers to shared accounts or files. 

Require a password manager whenever a password has to be shared or changed on a managed schedule: shared vaults replace passwords passed around in email or spreadsheets, and the manager's log provides an audit trail of who accessed which credential and when.

Use passkeys. 

Passkeys authenticate with public key cryptography, are password-less, and can be stored on a smartphone, a hardware security key, a password manager and so on. Registering a passkey creates a key pair: the service keeps the public key, and the user's authenticator holds the private key, which is never sent to the service (with synced passkeys, a password manager copies it only between the user's own devices). Each passkey is also bound to the website it was registered with, so it will not work on a look-alike phishing site. And if the service is breached, there are no passwords for threat actors to steal, only public keys.
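The following added example (written for this page; a simplified model of the WebAuthn flow, not any library's API or the real wire format) shows why a breached service is left holding nothing worth stealing and why a passkey resists the reverse-proxy phishing mentioned under MFA: the device signs the service's challenge together with the origin the browser is actually on, and the service verifies against its own origin. The hostnames and username are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: private keys never leave it.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // scoped by relying party ID
}

// RelyingParty models the service: it stores public keys and issued challenges only.
type RelyingParty struct {
	ID, Origin string // constructed example: "portal.example-clinic.test", "https://portal.example-clinic.test"
	users      map[string]ed25519.PublicKey
	issued     map[string]bool // outstanding single-use challenges
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin,
		users: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

// Register generates a key pair on the device and gives the service only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[rp.ID] = priv
	rp.users[user] = pub
	return nil
}

// signedData is what gets signed: sha256(rpID) || origin || challenge. Binding the origin
// into the signature defeats reverse-proxy phishing: a signature made on a look-alike domain verifies only there.
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], origin...), challenge...)
}

// Assert answers a login challenge. A real browser supplies origin from the page the user is on.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, origin, challenge)), nil
}

// NewChallenge issues 32 random bytes and remembers them until used once.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand.Read is documented (Go 1.24+) never to return an error
	rp.issued[string(ch)] = true
	return ch
}

// Verify consumes the challenge, then rebuilds the signed data with the service's own ID and origin.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	if !rp.issued[string(challenge)] {
		return false // unknown or already-used challenge: a replay
	}
	delete(rp.issued, string(challenge))
	pub, ok := rp.users[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, rp.Origin, challenge), sig)
}

// LoginFlows runs a genuine login, a replay of its signature, and a reverse-proxy phish on phishOrigin.
func LoginFlows(rp *RelyingParty, auth *Authenticator, user, phishOrigin string) (legit, replay, phished bool, err error) {
	ch := rp.NewChallenge()
	sig, err := auth.Assert(rp.ID, rp.Origin, ch)
	if err != nil {
		return
	}
	legit = rp.Verify(user, ch, sig)
	replay = rp.Verify(user, ch, sig) // same challenge presented twice
	ch2 := rp.NewChallenge()          // the proxy fetched this from the real site
	sig2, err := auth.Assert(rp.ID, phishOrigin, ch2) // the user's browser is on the phishing origin
	if err != nil {
		return
	}
	phished = rp.Verify(user, ch2, sig2)
	return
}

func main() {
	rp := NewRelyingParty("portal.example-clinic.test", "https://portal.example-clinic.test")
	auth := &Authenticator{}
	if err := auth.Register(rp, "jsmith"); err != nil {
		panic(err)
	}
	fmt.Println(LoginFlows(rp, auth, "jsmith", "https://portal.example-clinic-login.test")) // true false false <nil>
}
```

Real browsers add a second layer the model only hints at: they refuse to use a passkey whose relying party ID does not match the page's domain, so on the phishing site the authenticator never even finds a key. The origin inside the signature is the backstop if that check were somehow bypassed.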

Avoid third-party logins with work accounts. 

Signing in to work-related services with a third-party login (Google, Facebook and so on) puts that data at risk. Accounts created this way fall outside the purview of the enterprise IT team and are not subject to the organization's security controls (MFA enforcement, offboarding, monitoring). If the personal account is compromised, every work service tied to it is exposed, and with it any protected data.

Monitor password access and use.

It is important to have a bird's-eye view of IT security across the board: which accounts and devices hold access, how often credentials are used, and from where. With that baseline, a burst of failed logins or a sign-in from an unusual location stands out, and in the event of a breach or employee malpractice, teams can act quickly to limit further risk.
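As an added illustration of both the credential stuffing point above and this monitoring tip (example code written for this page, not the author's or any product's), the Go program below parses a small constructed authentication log, separates a credential-stuffing source (many distinct accounts, one or two guesses each) from a brute-force source (one account, many guesses), and then lists the accounts that logged in successfully from the suspect address. The log format, addresses and usernames are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	Time             time.Time
	IP, User, Result string // Result is "FAIL" or "OK"
}

// sampleLog is constructed for this example; the field layout is an assumption,
// not a real product's format. It holds a credential-stuffing run (one password
// per account, one hit), a brute force on one account, and a user who mistyped.
var sampleLog = []string{
	"2024-06-03T09:15:01Z ip=203.0.113.5 user=jsmith result=FAIL",
	"2024-06-03T09:15:02Z ip=203.0.113.5 user=ahmed result=FAIL",
	"2024-06-03T09:15:02Z ip=203.0.113.5 user=mlee result=OK",
	"2024-06-03T09:15:03Z ip=203.0.113.5 user=priya result=FAIL",
	"2024-06-03T09:15:04Z ip=203.0.113.5 user=tkim result=FAIL",
	"2024-06-03T09:15:05Z ip=203.0.113.5 user=rgarcia result=FAIL",
	"2024-06-03T09:15:40Z ip=198.51.100.7 user=admin result=FAIL",
	"2024-06-03T09:15:41Z ip=198.51.100.7 user=admin result=FAIL",
	"2024-06-03T09:15:42Z ip=198.51.100.7 user=admin result=FAIL",
	"2024-06-03T09:30:00Z ip=192.0.2.9 user=jsmith result=FAIL",
	"2024-06-03T09:30:20Z ip=192.0.2.9 user=jsmith result=OK",
}

// ParseAuthLog reads lines of "<RFC3339 time> ip=<addr> user=<name> result=<FAIL|OK>".
func ParseAuthLog(lines []string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, AuthEvent{ts, strings.TrimPrefix(f[1], "ip="),
			strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "result=")})
	}
	return events, nil
}

// StuffingSuspects returns source IPs that failed logins against at least minUsers
// distinct accounts inside some window-long interval. Brute force hammers one account;
// stuffing touches many accounts once or twice each, so the distinct-account count is the signal.
func StuffingSuspects(events []AuthEvent, window time.Duration, minUsers int) []string {
	byIP := map[string][]AuthEvent{}
	for _, ev := range events {
		if ev.Result == "FAIL" {
			byIP[ev.IP] = append(byIP[ev.IP], ev)
		}
	}
	var suspects []string
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for start := range evs { // sliding window anchored at each failure
			users := map[string]bool{}
			for _, ev := range evs[start:] {
				if ev.Time.Sub(evs[start].Time) > window {
					break
				}
				users[ev.User] = true
			}
			if len(users) >= minUsers {
				suspects = append(suspects, ip)
				break
			}
		}
	}
	sort.Strings(suspects)
	return suspects
}

// CompromisedAccounts lists accounts that logged in successfully from a suspect IP:
// the reused passwords that worked, and the first accounts to lock and reset.
func CompromisedAccounts(events []AuthEvent, suspects []string) []string {
	var users []string
	for _, ev := range events {
		for _, ip := range suspects {
			if ev.IP == ip && ev.Result == "OK" {
				users = append(users, ev.User)
			}
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	events, err := ParseAuthLog(sampleLog)
	if err != nil {
		panic(err)
	}
	suspects := StuffingSuspects(events, 5*time.Minute, 5)
	fmt.Println(suspects, CompromisedAccounts(events, suspects)) // [203.0.113.5] [mlee]
}
```

The thresholds (five accounts in five minutes) are starting points to tune against real traffic; a deployment would feed the same logic from the identity provider's sign-in log rather than a string slice, and would treat a success from a flagged source as an account to lock and reset immediately, since that user's password is already in the attacker's list.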

An Ounce of Prevention

These steps help ensure that password management is implemented and taken seriously. Threat actors grow more sophisticated as technology advances, so companies must consistently enforce proper cybersecurity measures. Sensitive information is at risk, and its protection starts with password management. If threat actors can get past a weak password, there is no telling what else they can access or compromise.

Andy Syrewicze is a 20+ year IT pro specializing in M365, cloud technologies, security, and infrastructure. By day, he’s a security evangelist for Hornetsecurity, leading technical content. By night, he shares his IT knowledge online or over a cold beer. He holds the Microsoft MVP award in cloud and datacenter management.
