September-October 2020

For Hackers, It’s as Simple as 1, 2, 3, 4
By Elizabeth S. Goar
For The Record
Vol. 32 No. 5 P. 28

Passwords remain the favorite form of authentication—and the top avenue of attack for breaches.

According to a survey of 200 IT and security managers conducted by EMA, 42% of respondents indicated their organization had been breached due to compromised passwords. “Poor password hygiene” was also a major cause of breach, with 31% reporting breaches due to credentials being shared with an unauthorized peer.

And while the EMA survey, sponsored by MobileIron and released in March 2020, wasn’t specific to health care, its findings shouldn’t really be a surprise given the rampant nature of data breaches within health care coupled with the relatively low amount—just 6% of overall budgets—spent on cybersecurity.

“Password management is a never-ending stressor for almost every organization. While the world of cybersecurity continues to advance in every other way, old-fashioned passwords remain the most common method of authentication and are often the weakest link in an organization’s security posture,” says Ryan J. Rodrigue, CISA, CISSP, principal with Wolf & Company’s IT assurance services.

Proper Policies to Bypass Pitfalls
“By many estimates, more than 80% of breaches involved cracked or stolen passwords. So my first password policy recommendation would be ‘don’t use passwords.’ Almost any other form of authentication—especially multifactor authentication—separate or in combination with passwords, provides vastly better security,” Rodrigue says.

And while Rodrigue admits that eliminating passwords is unrealistic, there are policies health care organizations can set to make their use far safer. For example, requiring longer passwords is crucial as “password length overshadows the value of almost every other construction requirement. If you’re talking about the raw probability space of a password, length is the exponent, so every additional character makes the password exponentially stronger,” Rodrigue says.

He also recommends doing the unexpected with password requirements, such as a symbol in the middle of a word, purposeful misspellings, and weaving numerals into words. It is still possible to use patterns, which are easier for end users to remember, but it should be something unique.

“Password cracking is almost never done, at least successfully, through raw, brute force attacks against the probability space. Instead, the cracking utilities follow expected patterns learned from users’ real-life password construction behavior,” Rodrigue says, pointing to patterns or masks such as capital letters followed by lowercase, adding exclamation points to fit complexity requirements, or even substituting a dollar sign for an S or zero for an O. “Crackers check all these patterns nearly instantaneously.”

Tom Skoog, principal at Blue & Co. and head of its IT risk and advisory practice area, notes that Verizon’s 2019 Data Breach Investigations Report reported compromised passwords as the second most common way hackers gain access to systems. Therefore, “passwords, as they are most commonly used today, are one of the weakest security measures in the cybersecurity world,” Skoog says.

Compromise typically takes one of three forms: Someone is duped into giving out their password, a password is determined via a key-logging utility that has been installed via a phishing e-mail, or a password file is obtained from a server and weak passwords are easily decrypted.

To counter these attacks, Skoog recommends that organizations implement multifactor authentication and a password manager tool.

Two-factor authentication involves something you know and something you have. In other words, a password and, typically, a code that is sent via text message or an application such as an RSA token or Microsoft Authenticator. This method significantly minimizes the risk of compromise because hackers don’t have access to the physical device that provides the second factor required to authenticate the users.

“It reduces the risk of easily guessed passwords and passwords obtained through a social engineering attack [such as] phishing,” Skoog says.

Password managers, on the other hand, solve multiple password security issues, according to Skoog. Among these are enabling a single master password that provides access to the “vault” from which all other passwords can be accessed. Furthermore, passwords are complex and encrypted, eliminating the chance that they will be created based on personal information. Finally, they enable access to passwords across all devices—as long as the master password is known.

“The financial investment is minimal. And, in some cases, it’s zero dollars,” Skoog says. “Many of the most popular password management systems, such as Dashlane, offer basic plans for free” but charge a nominal fee for advanced safety features.

Lesley Berkeyheiser, CCSFP, a senior reviewer for the Electronic Healthcare Network Accreditation Commission and a HITRUST practitioner, also advocates for multifactor authentication. Passwords, she says, are too vulnerable to breaches and hacker attacks to let them stand alone. For that reason, it’s important to preserve data integrity by combining password usage with multifactor authentication.

However, the best outcomes for privacy and security compliance are achieved only when the balance is found between the use of technology and the people who follow policies to comply with those specific technologies. That being the case, Berkeyheiser recommends constructing passwords in accordance with industry recommended guidelines, such as those published by the National Institute of Standards Technology.

Comprehensive training is also imperative and should be included in any password policy.

“People are busy, they forget easily, they don’t want to have to spend time resetting their passwords because they couldn’t remember them,” Berkeyheiser says. “They should be trained on initial onboarding and then on an ongoing basis to compose passwords that are easy to remember but not based on personal information such as family names, places, etc. They should be encouraged to compose passwords that are unique—not easily guessable—and contain both uppercase and lowercase characters and include numbers, digits, and punctuation/special characters as well, but not to include single words in any language, slang, dialect, or jargon.

“Most importantly,” she adds, “the workforce should be taught that passwords are very important, and they should be kept confidential and not shared. The password is the key to their own individual actions as it relates to the use of data, and the integrity of it is a core requirement of their job function.”

Compliance Is Key
Like anything else related to technology, the effectiveness of whatever password policy that is put in place is reliant on full adoption by end users. Berkeyheiser shares that one of the most effective ways to encourage employees to adopt and maintain the ongoing policy or organizational goals around passwords is frequent reminders. In addition to training, she recommends using posters, banners, and other visual opportunities. She also suggests conducting routine check-ups to identify any actions that could put passwords at risk.

“In the old days, passwords could be found on yellow stickies under mouse pads easily enough. While the password found on a yellow sticky is rare today, an occasional written list of passwords can be identified, or one skilled in social engineering can convince a person to tell their password, especially if they are frustrated with the technology and think they will be helped if they provide it,” Berkeyheiser says. “Organizations that conduct physical walk-through check-ups to ensure workstations are free from unattended PHI [protected health information] as well as important information such as passwords serve to remind workforce that someone is watching. Sometimes competition between departments … is enough incentive for an organization to reach compliant behavior.”

Rodrigue is a proponent of training but urges organizations to go a step further by bringing in security consultants to conduct exercises to try to crack an organization’s entire password file. Doing so helps identify users with weak or predictable passwords so they can devise stronger ones.

“You’ll also have metrics to support your arguments about password weakness. Just like phishing tests drive home the point of security awareness training, password cracking tests prove to users that weak passwords are exploitable,” Rodrigue says.

Rose T. Dunn, MBA, RHIA, CPA, FACHE, FHFMA, chief operating officer with First Class Solutions, suggests encouraging the use of complex passwords, but do so in a way that makes them memorable through personalization—especially if staff are required to change those passwords every 60 to 90 days. For example, create a pattern with your initials, birthday, and the quarter number at the beginning of the password. For example, 1QF10M02L@2020.

“It gets a little lengthy but it’s easier to remember and when you change the next quarter, often you can get by with just changing 1 to 2 or moving the 1Q to the end, thus making it F10M02L@20202Q,” Dunn says.

When educating staff, “provide any stories about someone being hacked on their personal account and losing their savings because they used ‘Admin’ for their bank account password,” Dunn says. “They need to protect themselves as well as the patients at their organization. They need to also educate their parents and older siblings who are using computers about the need for a solid password as well as other precautions, such as hovering over suspicious e-mail addresses, what are suspicious e-mails, and that you’ll never ask them for money or their banking number via e-mail.”

Rebecca Meyer, MBA, CHPC, who has served as privacy director at several health care organizations, notes that changing passwords frequently is critical to keeping information secure. The more sensitive the information, the more often passwords should be changed.

Doing so, however, can create adoption problems.

“While configuring settings on the domain level is truly the only way to ensure adherence to password policies, there are certainly times when this is not possible. Passphrases can make it much easier to create and memorize a complex password,” Meyer says, adding that education is another important key to policy adoption. “A quick internet search for the term ‘health care breach’ brings up alarming results. A reminder of the importance of the information being protected and the consequences of a breach is a sure way to get everyone on the same page and increase compliance.”

Finally, Berkeyheiser recommends coupling training and education with technology that requires passwords to meet the organization’s guidelines. Systems can be configured to force the length and character composition and can be set to not allow the password to be displayed when entered or included in automated log-on processes. Required encryption can also be put in place to assure protection during transmission and storage.

“Default system accounts should always be changed, workforce should be taught, and the systems configured to require passwords to be changed at the hint of potential compromise at first logon after a temporary password has been issued and to require immediate selection of a new password upon account recovery,” she says.

— Elizabeth S. Goar is a freelance writer based in Wisconsin.