

Password Best Practices for Healthcare Organizations

Passwords are so ubiquitous in healthcare that it may not seem worth including them in an update to your cyber defenses. The opposite is true, especially in light of studies showing how easily passwords are misused: chosen too weak to resist brute-force guessing, shared too readily among coworkers, or never set to expire. Here are ways your team can avoid these mistakes.

Choose Strong Passwords

According to Security Intelligence, an eight-character password can be cracked in about eight hours even when it mixes upper- and lower-case letters, numbers, and special characters. Adding just two more characters pushes that figure to at least five years. Those estimates assume an attacker who has already obtained the password hashes and is guessing offline against a fast, unsalted hash on GPU hardware; against a slow, salted hash such as bcrypt or PBKDF2, or an online login with attempt limits, the same password holds up far longer. Either way, length does more than character mix, so a minimum of ten to twelve characters, or a longer passphrase, should be a baseline requirement for system administrators to enforce. Having users change passwords periodically also limits how long a stolen hash stays useful, though it is a weaker control than length and tends to push users toward predictable variations of the old password.

Tip: Most employees already juggle many passwords in and out of the office, so they tend to reuse the same ones across devices and applications. A single reuse means that a breach of some unrelated website hands an attacker a credential to try against your systems. To discourage this, have staff adopt a password manager that generates and stores a unique, random password for each account in an encrypted vault, choosing a service whose own security has been independently audited and that supports two-factor authentication for the vault itself.

Enforce Password Secrecy

Convincing users to adopt strong passwords may not be a problem, but getting them to keep those passwords secret can be. One survey of medical staff indexed by NCBI found that just under three-quarters of participants admitted to having access to another team member's login credentials. Shared credentials break accountability, since an audit log can no longer say who actually viewed or changed a record, and a credential passed around informally is far more likely to reach a bad actor who can then use it to move across the network.

Curbing this behavior is best done by adopting two-factor authentication (2FA). In its most common form, the system sends a temporary code to the user by phone call, email, or text message after they enter their password, and that code, valid for only a short period, must also be entered before access is granted. Because the code goes to something the legitimate user controls, a borrowed or leaked password alone is no longer enough. Codes delivered by text or email are the weakest option, since they can be phished in real time or redirected through SIM swapping; an authenticator app that generates time-based codes is better, and a hardware security key or passkey is better still. Remember, too, that the code is not the only path into an account: password-recovery and help-desk reset procedures need the same scrutiny.

Tip: Limit the number of failed login attempts before an account is throttled or temporarily locked, and consider biometrics (fingerprint or facial recognition) as the second factor where devices support it. Choose the lockout threshold carefully so that an attacker cannot lock clinical staff out of their systems at will; throttling with increasing delays is usually a better fit than a hard lock.
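As an added example (not part of the original post, and not any specific product's implementation), the following Python shows the server side of the time-based code flow described above: it generates and checks RFC 6238 TOTP codes, accepts each time step only once so that an intercepted code cannot be replayed, tolerates one step of clock drift, and locks the second factor after five failed codes, which is the attempt limit the tip recommends. The step size, drift window, and lockout threshold are assumptions chosen for illustration; the demo key is the RFC 6238 test-vector secret, not a real credential.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the code changes every 30 seconds (RFC 6238 default)
DIGITS = 6
MAX_FAILURES = 5    # assumption: lock the second factor after five bad codes
DRIFT_WINDOW = 1    # assumption: tolerate one time step of clock skew either way


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server-side state for one user's second factor.

    Besides checking the code, it refuses to accept the same time step twice
    (so an intercepted code cannot be replayed) and counts failures so that
    an attacker cannot simply try all one million six-digit codes.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted_step = -1
        self.failures = 0

    def verify(self, submitted: str, now: int) -> str:
        """Return "ok", "rejected" or "locked" for a code submitted at unix time `now`."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
            if step <= self.last_accepted_step:
                continue  # single use: this step's code (or an older one) was already spent
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                self.failures = 0
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "rejected"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), not a real credential.
    demo_secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(demo_secret)
    now = int(time.time())
    code = totp(demo_secret, now)              # what the user's authenticator app would show
    print(code, verifier.verify(code, now))    # ok
    print(code, verifier.verify(code, now))    # rejected: the same code replayed
```

The replay check matters because an SMS or email code that an attacker phishes in real time is only useful until the legitimate user, or the attacker, has spent that time step; the failure counter is what turns a six-digit code from a guessable one-in-a-million into an effective barrier.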

Require Passwords to Expire

According to HealthITSecurity, one study found that two-thirds of surveyed healthcare organizations had 500 or more user accounts whose passwords were never set to expire. Many also reported ghost users (accounts with no recent activity but with their permissions still enabled) on their networks. A password that never changes stays valid no matter how long ago it leaked in a breach or was shared with a coworker, and ghost accounts are unmonitored entry points that attackers actively look for because nobody notices when they are used.

Set a maximum password age of a few months, and deactivate accounts that are no longer in use, including service accounts and the accounts of departed staff. One caveat: current NIST guidance (SP 800-63B) advises against forcing changes on a fixed schedule by itself, because users respond with predictable variations of the old password. If you do require periodic changes, pair the policy with screening of every new password against lists of known-breached passwords, and reset immediately whenever compromise is suspected rather than waiting for the schedule.

Tip: Staff will be tempted to reuse an old password, or a minor variation of it, when a change is required. Keep a history of each user's previous password hashes and reject any new password that matches one of them.
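As an added example that is not from the original post, here is one way to put the policies from the "Choose Strong Passwords" and "Require Passwords to Expire" sections into code: a minimum length, a blocklist standing in for breached-password screening, a history of salted PBKDF2 hashes that rejects reuse, and an audit that flags never-expiring passwords, overdue passwords, and ghost accounts. The minimum length, history depth, ninety-day limits, PBKDF2 round count, blocklist, and sample accounts are all constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy constants: illustrative assumptions, not a published standard.
MIN_LENGTH = 12                 # a little above the ten characters the cracking-time figures call for
HISTORY_DEPTH = 10              # previous hashes remembered per user to block reuse
MAX_PASSWORD_AGE = timedelta(days=90)
INACTIVITY_LIMIT = timedelta(days=90)   # an account idle this long is flagged as a ghost
PBKDF2_ROUNDS = 200_000         # kept modest so the demo runs quickly; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256

# Constructed stand-in for a breached/common-password screen; a real deployment
# would query a large breach corpus such as the Have I Been Pwned k-anonymity API.
BLOCKLIST = {"password", "password1", "welcome1", "hospital1", "summer2024", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted, slow hash; storing these instead of plaintext is what makes a history safe to keep."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    password_set: datetime
    last_login: datetime
    expires: bool = True                          # False models "password never expires"
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first


def check_new_password(account: Account, candidate: str) -> list[str]:
    """Return the policy violations for a proposed new password (an empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in BLOCKLIST:
        problems.append("blocklisted")
    if account.username.lower() in candidate.lower():
        problems.append("contains_username")
    for salt, digest in account.history:
        # Re-hash with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reused")
            break
    return problems


def set_password(account: Account, candidate: str, now: datetime) -> list[str]:
    """Apply the policy; on success record the new hash and restart the age clock."""
    problems = check_new_password(account, candidate)
    if problems:
        return problems
    account.history.insert(0, hash_password(candidate))
    del account.history[HISTORY_DEPTH:]           # forget hashes beyond the retention depth
    account.password_set = now
    return []


def audit(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Flag never-expiring or overdue passwords and ghost accounts, keyed by username."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.expires:
            issues.append("never_expires")
        elif now - acct.password_set > MAX_PASSWORD_AGE:
            issues.append("expired")
        if now - acct.last_login > INACTIVITY_LIMIT:
            issues.append("ghost")
        if issues:
            findings[acct.username] = issues
    return findings


SAMPLE_NOW = datetime(2024, 6, 1)   # constructed reference date for the sample data


def make_sample_fleet(now: datetime) -> tuple[Account, list[Account]]:
    """Constructed sample accounts: an active user, a never-expiring service account, a ghost."""
    nurse = Account("jsmith", now - timedelta(days=10), now - timedelta(days=1))
    service = Account("svc-backup", now - timedelta(days=400), now - timedelta(days=1), expires=False)
    ghost = Account("ghost", now - timedelta(days=200), now - timedelta(days=150))
    return nurse, [nurse, service, ghost]


if __name__ == "__main__":
    nurse, fleet = make_sample_fleet(SAMPLE_NOW)
    print(set_password(nurse, "Hospital1", SAMPLE_NOW))                     # ['too_short', 'blocklisted']
    print(set_password(nurse, "correct horse battery staple", SAMPLE_NOW))  # []
    print(set_password(nurse, "correct horse battery staple", SAMPLE_NOW))  # ['reused']
    print(audit(fleet, SAMPLE_NOW))   # {'svc-backup': ['never_expires'], 'ghost': ['expired', 'ghost']}
```

The history is kept as salted hashes rather than plaintext so that a compromise of the policy database does not hand the attacker ten old passwords per user; the cost of that design is that each reuse check re-runs the slow hash once per remembered entry, which is why the depth is bounded.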

Protecting your organization's data is not solely on the backs of your system administrators; every employee shares that responsibility. It only makes sense, then, that they do their part to keep that data secure, starting with the practices outlined above.
