Strong passwords are an essential, frontline defense in protecting data and systems
In April 2018, the Center for Orthopaedic Specialists in California had to notify patients that some of their protected health information (PHI) may have been accessed by unauthorized individuals as the result of ransomware that had been installed on the practice’s network. The attack impacted nearly 85,000 current and former patients at the center’s three facilities.
When the practice’s information technology (IT) vendor discovered the breach two months earlier, it promptly took the network offline to prevent exfiltration of data, but some damage had already been done. The ransomware had been used to encrypt a wide range of files, many of which contained PHI such as names, Social Security numbers, dates of birth, and details on medical records. The Center for Orthopaedic Specialists is providing identify-theft protection and credit-monitoring services to all affected individuals through ID Experts, a leading provider of identity-protection and data-breach services, for 24 months.
Although the cause of the breach has not been discovered, most ransomware attacks are due to password mishaps. For example, in their Data Breach Investigations Report, Verizon found that “63 percent of confirmed data breaches involved leveraging weak, stolen, or default passwords.” Verizon also reported that although 83 percent of the breaches weren’t discovered for weeks, they happen quickly, with 93 percent occurring in minutes.
Many ransomware incidents, like the one described above, can be prevented through better user awareness. “User security awareness continues to be overlooked, as organizations fail to understand that they need to make their employees the first line of defense,” said Laurance Dine, Verizon Enterprise Solutions’ managing principal of investigative response.
Recently, I spoke with Michael J. Sacopulos, JD, president of the Medical Risk Institute and general counsel for Medical Justice Services, about his recommendations for safe password use. According to Mr. Sacopulos, orthopaedic practices have a number of relatively easy and inexpensive ways to strengthen security and ward off cyberattacks.
Dr. Marks: What is the most important thing practices can do to safeguard their network information?
Mr. Sacopulos: It all begins with stronger passwords. The most popular passwords in the United States are still “password” and “12345.” These weak passwords offer little security and are simply dangerous. Password-management programs like Lastpress automate the generation of complex passwords and store them, thus eliminating the concern of forgetting a password.
Dr. Marks: I walk into many offices and see yellow sticky notes on computer monitors. What are your thoughts on this?
Mr. Sacopulos: Although sticky notes are a great product, too often they are used to post passwords on monitor screens. We have all seen a staff member’s desk with his or her password in plain sight. Again, this is dangerous. Encourage staff to use a pass-phrase instead of a password. For example, “My1stPetWasFido” is much easier to remember and more secure than the password “Spot.” Easier-to-remember pass-phrases will help eliminate the need to post passwords on sticky notes.
Dr. Marks: What are your thoughts on password sharing?
Mr. Sacopulos: To put it succinctly, sharing is not caring. Not long ago, I was at a practice in Ohio that had a password problem. The entire office used one of two passwords: “doctor” or “nurse.” Although this is an extreme case, passwords are shared with some regularity in many practices. Beyond the cybersecurity concerns, this behavior has professional liability issues. Electronic medical record systems have audit trails that identify user actions by password, making it virtually impossible to identify the person who reviewed or input information if passwords are shared. Compliance issues are also implicated by password sharing. There is no way to properly determine patient privacy of charts if it is unclear which user gained access. The bottom line is don’t share passwords—ever. It is that simple. Any sharing of passwords should result in discipline and penalties.
Dr. Marks: Unfortunately, many practices have staff turnover. Are there precautions that need to be taken when an employee leaves?
Mr. Sacopulos: Every practice experiences some degree of staff turnover. This means passwords of former employees may be floating around. As part of the employee-departure process, his or her password needs to be deactivated. This should seem obvious, but it often gets overlooked or delayed.
Dr. Marks: I have many different password-protected accounts. What are your thoughts on using a secure password across all these accounts?
Mr. Sacopulos: That’s a great question. A survey conducted by LastPass and LogMeIn that included 2,000 individuals showed some troubling password trends. Although 91 percent of respondents said they understand the risks of using the same password across multiple accounts, 59 percent did so anyway. A staggering 53 percent confessed to not changing their passwords in the past 12 months, despite being aware of the risks and despite learning that their data were compromised due to a breach. That is correct—the majority of people did not change their passwords even after they knew they had been compromised. Sandor Palfy, chief technology officer of identity and access management at LogMeIn, stated, “I’d say the biggest surprise is that even though people are aware of the major cyberattacks and increases in costly data breaches, it’s still not translating to better password security practices.”
Dr. Marks: Do you have any final thoughts on the topic?
Mr. Sacopulos: According to the Healthcare Information and Management System Society’s 2018 cybersecurity survey, healthcare cybersecurity attacks have increased over the past 12 months. One of a practice’s frontline defenses is proper use of passwords. Password management has little impact on expenses but yields significant returns. Physicians owe it to their practices and their patients to implement appropriate password management.
Michael R. Marks, MD, MBA, is a member of the AAOS Medical Liability Committee, a member of the AAOS Patient Safety Committee, and a mentor in the AAOS Communications Skills Mentoring Program. He can be reached at firstname.lastname@example.org.
- 85,000 patients impacted by California ransomware attack. HIPAA Journal. Available at: https://www.hipaajournal.com/85000-patients-impacted-by-california-ransomware-attack/
- Verizon. Tales of dirty deeds and unscrupulous activities. Available at: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
- Grauer Y: Too many people are still using “password” as a password. Motherboard. Available at: https://motherboard.vice.com/en_us/article/paqd4m/too-many-people-are-still-using-password-as-a-password
- Vijayan J: Password reuse abounds, new survey shows. Dark Reading. Available at: https://www.darkreading.com/informationweek-home/password-reuse-abounds-new-survey-shows/d/d-id/1331689
- Healthcare Information and Management Systems Society. 2018 HIMSS Cybersecurity Survey. Available at: https://www.himss.org/2018-himss-cybersecurity-survey