The healthcare industry is increasingly targeted by cybercriminals. As digital transformation accelerates and more providers move their internal systems to the cloud, deploy IoT medical devices and host medical records online, they become even more vulnerable.
Over the past four years, nearly 1,500 healthcare companies have been hit with ransomware attacks, and the threat is unlikely to go away. Healthcare data is just too valuable a commodity on the black market for cybercriminals to pass up. In 2019, health organizations continued to get hit with data breaches and ransomware attacks, costing the sector an estimated $4 billion.
The data housed within hospital and healthcare provider systems can be used for identity theft and fraudulent medical care, which is why medical records and medical-related PII are in high demand on dark web marketplaces and sell for a steep price. Hospitals are the main target, with 74% of organizations affected by ransomware attacks being hospitals or clinics. The overall cost of these attacks over the last four years is estimated at $157 million; however, the price goes beyond monetary value, also posing a danger to patients under the medical provider’s care.
Outdated Systems and Software
Despite the threat, hospitals often miss the mark when it comes to securing their IT infrastructures. “You have hospitals and doctor offices that are often forced to run outdated and old software that makes them at risk for these ransomware attacks,” noted Allan Liska, an intelligence analyst at Recorded Future, in an interview with Insurance Journal.
Hospitals also neglect to invest in IT infrastructures. The use of outdated software and operating systems in the NHS exposed the health service to a risk of an attack, according to research from Check Point.
Internet of Things (IoT) devices are often the weakest link in an IT network. The Check Point research noted that in the case of the NHS, a Philips HDI 4000 ultrasound machine was running Windows 2000, a vulnerable platform with known security gaps that no longer receives updates.
Problems With Passwords in Healthcare Security
But in addition to the above, passwords remain the weakest link of the cybersecurity puzzle.
User authentication is the most common attack vector in hospitals, according to Clearwater CyberIntelligence Institute. A staggering 80% of data breaches are a result of compromised passwords, making user authentication and passwords a primary concern.
Organizations often respond to this threat by enforcing stricter password policies such as preventing commonly used, easily guessed or compromised passwords and forcing periodical password renewal. Unfortunately, these measures often backfire. Here is why strengthening password policies is not an effective response:
Problem #1: Password reuse is rampant
Like most people, healthcare staff reuse passwords. Even worse, many employees reuse passwords across systems, exposing healthcare data to a significant risk of compromise.
Password reuse means that even when employees meet password complexity requirements, passwords stolen from unrelated services that staff use outside of work can easily be obtained online and then used against the healthcare provider’s internal accounts or systems.
Problem #2: Weak and vulnerable passwords
Weak and generally vulnerable passwords are still an issue. Clinical staff are often short on time and resources, and therefore tend to follow the path of least resistance when creating or updating their passwords.
This includes creating passwords that use common dictionary words or the name of the hospital or their department. When users are forced to change their password, they often make only a slight change from what they used previously so that it will be easy to remember.
Here is the catch: Cybercriminals are perfectly aware of this. They test breached passwords with typical substitution and common variation patterns until they find a match. And with literally billions of login/password combinations leaked in 2019, the odds that someone in your hospital has exposed your organization to a risk of compromise are extremely high.
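The policy controls described above (rejecting breached passwords, hospital or department names, and trivial variations of the previous password) can be enforced at password-change time. The following is an added illustration, not code from the original article; the breach corpus and the context word list are constructed samples, and a real deployment would check against a full breached-password corpus, typically by hashed lookup.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus: SHA-1 hex digests of a
# few known-bad passwords (real corpora are distributed as hashes, not plaintext).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Welcome1", "Summer2019")
}

# Assumed hospital and department names the policy forbids inside a password.
CONTEXT_WORDS = {"mercy", "radiology", "cardiology", "hospital"}

# Character substitutions users commonly apply when "changing" a password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to its core: strip leading digits and a trailing run of
    digits/punctuation, undo leetspeak substitutions, lowercase the result."""
    core = re.sub(r"^\d+|[\d!?.#*_-]+$", "", pw)
    return core.translate(LEET).lower()


def is_breached(pw: str) -> bool:
    """True if the password's SHA-1 hash appears in the breach corpus."""
    return hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1


def check_new_password(new: str, previous: str, min_len: int = 12) -> list:
    """Return the list of policy violations for a proposed password.
    An empty list means the password is accepted."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if is_breached(new):
        problems.append("appears in breach corpus")
    core = normalize(new)
    # "P@ssw0rd1" -> "P@ssw0rd2" normalizes to the same core as the old password.
    if core and core == normalize(previous):
        problems.append("trivial variation of previous password")
    if any(w in core for w in CONTEXT_WORDS):
        problems.append("contains hospital/department name")
    return problems
```

Because the comparison runs on normalized cores, a rotation such as "Winter2019!" to "Winter2020!" is rejected even though both strings satisfy a typical complexity rule.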
Problem #3: Failure to enforce policies
Almost all (90%) of organizations reported having password or token management policies and procedures. The problem? Those policies are rarely backed by the technical controls needed to actually enforce them.
As a result, users resort to risky behavior, including generic password use, writing down passwords in common areas and insecure sharing of credentials over external networks.
Problem #4: Failure to adapt security to clinical workflows
Vulnerabilities are often unintentionally created by staff who are just trying to do their jobs. After all, medical professionals want to focus their attention on patients, not memorizing passwords. Unfortunately, this leaves security professionals in a difficult position that is challenging to address.
The problem is, common solutions many companies implement to counteract the threat end up being counterproductive. Harsh password strength requirements, complicated single sign-on systems, locking accounts after too many failed login attempts and hardcoded passwords are often perceived as impediments to work, rather than something that helps to keep patients secure.
All of the above simply doesn’t work in hectic working conditions where delays can cost lives. As a result, cybersecurity efforts in healthcare settings increasingly confront workarounds and evasions by staff.
Taking the Human Factor Into Account
Cybersecurity and permission management policies are often designed with abstract users in mind, not human beings. As a result, cybersecurity experts do not sufficiently consider the actual clinical workflow when deploying their password policies. That is why workarounds to cybersecurity are the norm rather than the exception, Dartmouth researchers discovered.
The key to boosting employee password security for healthcare providers and hospitals is in making cybersecurity measures work seamlessly with the clinical workflow, not being an impediment to it.