Medical professionals are working in high-stress environments where human lives are at stake on a daily basis. High-paced and often unpredictable working conditions mean that data security is often the last thing on the mind of medical personnel. And that is the way it should be. Doctors, nurses, and administrative staff should be 100% focused on the main task at hand – helping their patients and saving lives.
But since medical data is extremely valuable to threat actors, and healthcare providers are at higher risk of cyber attacks than most businesses, they have to respond to this threat somehow. Many do so by bolstering their password security. This strategy often backfires, and it is important to understand why.
Healthcare providers are a lucrative target
The healthcare industry is increasingly targeted by cybercriminals. As digital transformation accelerates and more providers move their internal systems to the cloud, deploy IoT medical devices, and host medical records online, they become even more vulnerable.
Over the past four years, nearly 1,500 healthcare companies have been hit with ransomware attacks, and the threat is unlikely to go away. Healthcare data is just too valuable a commodity on the black markets for cybercriminals to pass up. In 2019, health organizations continued to get hit with data breaches and ransomware attacks, costing the sector an estimated $4 billion.
The data housed within hospital and healthcare provider systems can be used for identity theft and fraudulent medical care. That is why medical records and medical-related PII are in high demand on Dark Web marketplaces and are being sold for a steep fee.
Hospitals are the main target, with 74% of organizations affected by ransomware attacks being hospitals or clinics. The overall cost of these attacks over the last four years is estimated at $157 million.
But the price of cyberattacks in healthcare is extremely high not only in monetary value but also due to the dangers it poses to patients under the medical provider’s care.
Unlike other industries, here, lives are literally at stake.
Outdated systems and software
Hospitals are often missing the mark when it comes to securing their IT infrastructures. Many times they are forced to run old or outdated software that puts them at a very high risk of cyber attacks, particularly ransomware.
Hospitals and clinics also tend to neglect investments in IT infrastructure, prioritizing newer clinical equipment over modernized IT. A woeful example is the use of outdated software and operating systems in the NHS, which research has found exposes the service to a high risk of attack.
Internet of Things (IoT) devices are often the weakest link in an IT network. In the NHS case, a Philips HDI 4000 ultrasound machine was running Windows 2000, a platform with known security gaps that no longer receives updates.
Problems with passwords in healthcare security
But regardless of the above, passwords remain the weakest link of the cybersecurity puzzle.
User authentication is the most common attack vector in hospitals, according to the Clearwater CyberIntelligence Institute. A staggering 80% of data breaches are the result of compromised passwords, making user authentication and passwords a primary concern.
Organizations respond to this threat by enforcing stricter password policies, such as preventing commonly used, easily guessed, or compromised passwords and forcing periodic password renewal. Unfortunately, these measures often backfire. Here is why strengthening password policies is not an effective response:
Problem #1: Password reuse is rampant
Like most people, healthcare staff reuse passwords. Even worse, many employees reuse the same passwords across multiple systems and services, exposing healthcare data to a significant risk of compromise.
Password reuse means that even when employees meet password complexity requirements, passwords stolen from unrelated services that staff use outside work can be easily obtained online and then used against the healthcare provider's internal accounts or systems.
Problem #2: Weak and vulnerable passwords
Weak and generally vulnerable passwords are still an issue. Clinical staff are often short on time and spare mental resources, and therefore often follow the path of least resistance when creating or updating their passwords.
This includes creating passwords that use common dictionary words, or the name of the hospital or their department. When users are forced to change their password, they often make only a slight change from what they used previously so that it will be easy to remember.
Here is the catch: cybercriminals are perfectly aware of this. They test breached passwords with typical substitution and common variation patterns until they find a match. And with literally billions of login/password combinations leaked in 2019, the odds that someone in your hospital has exposed your organization to a risk of compromise are extremely high.
Problem #3: Failure to enforce policies
90% of organizations report having password or token management policies and procedures. The problem? The lack of technical implementation to make those policies effective.
As a result, users resort to risky behavior like generic password use, writing down passwords in common areas, sharing their credentials, using external networks, etc.
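Problems #2 and #3 describe variations that policies forbid on paper but nothing enforces: the same memorable core with a new year, a few character substitutions, or the hospital or department name. The following is an added example, not from the article or any product it mentions, of what a technical check at password-change time can look like: it reduces a password to its memorable core before comparing it with the previous password, a (constructed) breach corpus sample and organisation-specific terms. The breach list, organisation terms and 12-character minimum are assumptions for the example.

```python
import re

# Constructed sample data (not from the article): an excerpt of a breach corpus
# and the organisation-specific words the policy forbids. A real deployment
# would consult a hashed corpus or a k-anonymity lookup service instead.
BREACHED = {"password", "summer2019", "welcome1", "cardiology1"}
ORG_TERMS = ("St Mary", "Cardiology", "ICU")

# Common character substitutions; mapping them back lets the policy see
# "P@ssw0rd" as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its memorable core: lowercase, no whitespace,
    trailing year/counter/punctuation removed, substitutions undone."""
    core = re.sub(r"\s+", "", pw.lower())
    core = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", core)  # strip ends before leet
    return core.translate(LEET)


BREACHED_CORES = {normalize(p) for p in BREACHED}


def check_new_password(new_pw: str, old_pw: str = "", org_terms=ORG_TERMS) -> list:
    """Return the policy violations found; an empty list means the change is accepted."""
    problems = []
    core = normalize(new_pw)
    if len(new_pw) < 12:  # assumed minimum length for this example
        problems.append("shorter than 12 characters")
    if new_pw.lower() in BREACHED or core in BREACHED_CORES:
        problems.append("matches a breached password or a trivial variation of one")
    if old_pw and core == normalize(old_pw):
        problems.append("trivial variation of the previous password")
    for term in org_terms:
        if normalize(term) in core:
            problems.append(f"contains organisation term '{term}'")
    return problems


if __name__ == "__main__":
    # "P@ssw0rd2020!" satisfies a typical complexity rule yet is both a
    # breached password and a one-digit update of the previous one.
    for new, old in (("P@ssw0rd2020!", "P@ssw0rd2019!"),
                     ("C4rdiology2020", "Summer2019"),
                     ("correct-horse-battery-staple", "Summer2019")):
        print(new, "->", check_new_password(new, old) or "accepted")
```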
Problem #4: Failure to adapt security to clinical workflows
“A significant gap exists between cybersecurity as taught by textbooks and experts and cybersecurity as practiced by actual end-users.”
Vulnerabilities are often unintentionally created by staff who are just trying to do their jobs. After all, medical professionals want to focus their attention on patients, not memorizing passwords.
Unfortunately, this leaves security professionals in a difficult position that is challenging to address.
The problem is that the common solutions many companies implement to counter the threat end up being counterproductive. Harsh password strength requirements, complicated single sign-on systems, account lockouts after too many failed login attempts, and hardcoded passwords are often perceived as impediments to work rather than as something that helps keep patients safe.
Unfortunately, all too often these tools impede clinicians' work. None of the above works in hectic working conditions where delays can cost lives. As a result, cybersecurity efforts in healthcare settings increasingly confront workarounds and evasions by staff who are just trying to do their work.
Taking the human factor into account
Cybersecurity and permission management policies are often created with abstract users in mind, not actual human beings in real environments. As a result, cybersecurity experts do not sufficiently consider the actual clinical workflow when deploying their tools and policies in hospitals and clinics. That is why, as Dartmouth research shows, workarounds to cybersecurity are the norm rather than the exception.
The key to boosting cybersecurity for healthcare providers and hospitals is to make cybersecurity measures work seamlessly with the clinical workflow rather than impede it. It is time to invest more in healthcare IT systems, and to do so with cybersecurity in mind from the get-go. That means, among other measures, deploying passwordless authentication solutions for all personnel dealing with sensitive data or equipment.