Passwords are the most commonly used method of securing access to electronic assets, but their security is only as good as the person creating and using the password. Passwords such as 1234, password or admin are all too common and easily guessed. In addition, once a password (complex or not) is compromised — either by sharing or by stealing — it provides absolutely no security.
Healthcare has unique characteristics that make managing password security even more challenging. What’s more, the risks of user account compromise continue to grow, especially as social engineering and phishing attacks yield consistent results for attackers. Implementing methods for reducing users’ ability to circumvent security while still enabling fast, efficient care is the challenge. We may never get to perfect, but we certainly can do better.
Fact: Healthcare professionals often share login credentials
A study published in 2017 in Healthcare Informatics Research focused on credential sharing in healthcare settings found that 100 percent of 45 medical residents surveyed had previously used the login credentials of another professional with their permission. What’s more, about half of all nurses admitted to sharing their credentials.
Shocking as this may be to IT and information security professionals, password sharing in healthcare is rampant. Why? There are a number of reasons, but the one most often cited is that time is of the essence in critical care and having to log in under a separate user account can take precious time away from patients. In addition, healthcare providers say they don’t always have sufficient access under their own user IDs to perform necessary functions.
The objective is to increase security (reducing or eliminating account sharing) while improving needed access in a fast, effective manner. Policies alone will not change behavior, but implementing multifactor authentication in combination with providing faster access (single sign-on based on proximity or a radio-frequency ID badge, for example) may help to resolve this.
Fallacy: Passwords are secure if they are complex or frequently changed
More than 80 percent of all data breaches use weak or stolen passwords. Clearly, passwords are no longer the reliable security mechanism they used to be. Those that are shared or stolen (through phishing, social engineering or brute-force attack) are at the root of the vast majority of breaches. As attackers grow more sophisticated, passwords are no longer enough to protect systems.
Most people in clinical settings don’t want to put too much effort into dealing with passwords, so they follow the path of least resistance — they create the simplest password they can possibly get away with. Enforcing complexity requirements such as length, use of special characters and uniqueness versus prior passwords can help, but users tend to also write their passwords down. And, as previously mentioned, healthcare professionals are also willingly and actively sharing credentials.
Fact: Multifactor authentication is the most secure method available today
Multifactor authentication combines two or more independent variables: something you know, something you have and something you are. Often, that’s a password or passphrase (something you know) and a smartphone or USB key (something you have), plus a biometric such as an iris scan or a fingerprint swipe (something you are). Most banks have implemented multifactor authentication to enable online access to financial accounts, and many other industries are beginning to follow suit.
In 2017, the National Institute of Standards and Technology released updated guidelines on passwords. NIST outlines guidance for securing digital identities and defines three assurance levels. Level 1 is the lowest level and should be selected only if there is minimal or no impact from a compromised account. Level 2 is the middle tier, and Level 3 is the top tier. This is for the most sensitive data and should require the use of an encrypted application providing a one-time passcode on a smartphone or fob that securely communicates with the server granting access. This demotes the password to being a gateway through which additional authentication is triggered. If a password is compromised, the additional factor is unlikely to also be compromised, and the account remains secure.
Fallacy: All multifactor authentication methods are equal
In most organizations, two-factor authentication is used because it sufficiently reduces the possibility of spoofing, hacking and interception.
A commonly used method is sending a code via SMS text messaging to a registered device. While text messages can be intercepted, it’s relatively rare and therefore moderately secure. The NIST Level 3 approach is to use a secure, installed app on a device that maintains communication between the server and the device through an encrypted channel. Many apps on the market do exactly this.
Biometrics are now commonly used to open smartphones with a fingerprint or log in to a computer with facial recognition. While these are popular with consumers, they are more challenging in healthcare. End users often wear masks and goggles (making facial recognition impossible) or gloves (inhibiting fingerprint swiping). In addition, they often don’t have their hands free to respond to a text message or push notification on their phones.
Biometrics also have another inherent risk: They can’t be changed. The danger of iris scans or fingerprints being stolen is an evolving possibility. Some privacy advocates are concerned about requiring the use of biometrics. Regardless, their use continues to expand as ethical concerns are discussed.