The second in our Cybersecurity Series, this article discusses various ways in which healthcare organisations can adhere to password security best practices.
Written by Kit Barker, Chief Information Security Officer at Agilio Software.
Passwords play a crucial role in defending sensitive information and personal data, and in protecting our systems from unauthorised access. In today’s increasingly connected digital landscape, cyber threats are more sophisticated and persistent than ever before. For any organisation, adhering to password security best practices is of paramount importance. And while best practice is largely the same for healthcare and non-healthcare organisations, following it is often more important for healthcare organisations, because they may handle sensitive patient data and must comply with stringent regulatory requirements.
By understanding and implementing robust password security measures, healthcare organisations can significantly reduce the risk of data breaches and cyber-attacks, ensuring a safer environment for all parties involved.
What is password security best practice?
Unfortunately, there is no single definitive definition of password best practice. Many organisations or standards have differing requirements, but these principles would make it into most definitions of best practice.
Educate and train users
Your users are often your first line of defence, so it’s vital that you provide training on password best practices, the risks associated with weak passwords, and how to recognise and report potential security threats. Alongside robust training and awareness campaigns, your users should understand the importance of reporting potential breaches of security to management, and feel comfortable doing so.
Create strong passwords
Password complexity rules vary and there is no simple definition of a strong password.
However, all passwords should:
- Be unique – never use the same password for multiple accounts, even if the password is a strong one. This protects you in the event of a data breach in a service you use, and prevents a malicious actor from using one known password to access another system or service.
- Not be a common word or phrase, even with substitutions, such as “H4ppy b1rthday”. This protects against simple guessing and brute-force attacks.
- Not be a common word or phrase with a number or symbol at the end, for example “Password1” or “Let me in!”. This also protects against simple guessing and brute-force attacks.
- Favour length over complexity rules, but all passwords should be at least 8 characters long. In general, a long password is harder to crack than a short one with a mix of upper and lower case, numbers, and symbols. Again, this protects against brute-force attacks.
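The four rules above can be turned into an automated policy check. The script below is an added example written for this article, not code from the author or from Agilio Software; the word list, the substitution table and the passphrase word list are constructed and deliberately tiny (a real deployment would use a large dictionary and breached-password list). It undoes letter substitutions and strips trailing digits or symbols so that “H4ppy b1rthday”, “Password1” and “Let me in!” are all recognised as the common phrases they are built on, enforces the 8-character minimum, flags reuse against a caller-supplied set, and generates long random passphrases with the `secrets` module to show the “length over complexity” rule in action.

```python
import re
import secrets

# Constructed list of common base words and phrases; a real policy check would
# draw on a large dictionary and a list of previously breached passwords.
COMMON_WORDS = {"password", "letmein", "happybirthday", "welcome", "qwerty", "admin", "football"}

# Common digit/symbol-for-letter substitutions, undone before comparison so that
# "H4ppy b1rthday" is recognised as "happy birthday".
SUBSTITUTIONS = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8

# Constructed mini word list for passphrase generation; in practice use a
# published diceware-style list of several thousand words.
WORDLIST = ["amber", "brisk", "cedar", "dusky", "ember", "flint", "grove", "harbour",
            "ivory", "jumble", "kestrel", "lantern", "meadow", "nimble", "orchid", "pebble"]


def normalise(password: str) -> str:
    """Reduce a password to the dictionary word or phrase it is probably built from.

    Lowercase it, drop trailing digits/symbols (the "Password1" pattern),
    undo letter substitutions, then remove whitespace.
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)      # strip a trailing "1" or "!"
    base = base.translate(SUBSTITUTIONS)      # "h4ppy b1rthday" -> "happy birthday"
    return re.sub(r"\s+", "", base)           # -> "happybirthday"


def check_password(password: str, previously_used=frozenset()) -> list:
    """Return the list of rules a candidate password breaks (an empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in previously_used:
        problems.append("already used for another account")
    base = normalise(password)
    if base in COMMON_WORDS:
        problems.append(f"built on the common word or phrase '{base}'")
    return problems


def generate_passphrase(words: int = 4) -> str:
    """Generate a long, random passphrase using the CSPRNG-backed secrets module."""
    return "-".join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["Password1", "H4ppy b1rthday", "Let me in!", "Abc12!", generate_passphrase()]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Stripping the trailing run of non-letters before undoing substitutions matters: done the other way round, the “1” in “Password1” would be rewritten to “i” and the word would slip past the dictionary check.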
Use multi-factor authentication wherever possible
Multi-factor authentication (MFA, often referred to as 2FA) adds a strong layer of security beyond a strong password. As well as a valid password, MFA requires users to provide a one-time code from an authentication device such as their phone. This means that even if the password is breached, the account can remain protected. MFA should be used wherever it is available.
Use a password manager
Humans are often inherently lazy, and the busyness of work can make typing in or creating long and complex passwords a barrier to best practice. A password manager is a browser-based tool that removes these issues. They provide a secure method for storing your passwords, can create strong, unique passwords, and auto-fill them when you visit known sites. Most browsers have built-in password managers, but if you want to monitor compliance in an organisation, an enterprise password manager such as Dashlane, Bitwarden, or 1Password may be useful.
Limit password sharing
Best practice is that each user has a unique login to each system. Before sharing credentials, see if it’s possible to create a unique account per user. If it isn’t, use a password manager to share details securely.
Monitor for breaches in third-party applications
Another benefit of password managers is that most will alert you to any accounts you have that have been breached. This allows you to quickly update your details and keep your accounts safe. You can also use services such as Have I Been Pwned (https://haveibeenpwned.com/) for the same purpose.
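Have I Been Pwned also publishes a Pwned Passwords range endpoint that lets an organisation check candidate passwords against known breaches without ever sending the password, or even its full hash, off the machine: the client hashes the password with SHA-1, sends only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known hash suffix in that range with a breach count to match locally (a k-anonymity scheme). The script below is an added example written for this article, not the author’s code and not an official client; the sample response body and its counts are constructed so the check runs offline, while `fetch_range` performs the real lookup when a network is available.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split the hex digest: only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Match our 35-char suffix against the 'SUFFIX:COUNT' lines returned for the prefix."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash range (needs network; not used by the offline checks)."""
    request = urllib.request.Request(RANGE_URL + prefix,
                                     headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the body returned for range 5BAA6 (the range that
# "password" falls into). The real response has several hundred lines and live
# counts; the neighbouring suffixes and all counts here are made up.
SAMPLE_RANGE_5BAA6 = """\
00000A1B2C3D4E5F60718293A4B5C6D7E8F:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
FFFFF0123456789ABCDEF0123456789ABCD:5
"""


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    for candidate in ["password", "correct-horse-battery-staple"]:
        print(f"{candidate!r} seen {pwned_count(candidate, fetch=offline)} times (sample data)")
```

A sensible policy is to reject any candidate with a non-zero count at password-change time; because only a five-character prefix is transmitted, the service learns nothing usable about which password was checked.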
In addition to the principles above, healthcare organisations should also:
- Gather metrics on compliance with password management best practice, so that adherence can be verified rather than assumed.
- Have a robust and tested security incident response plan that is communicated to all employees.
- Be aware of any specific regulations or requirements dictated by customers or suppliers. These may include additional password security measures, regular audits, or documentation requirements.
In summary, while the fundamentals of password security best practices apply to both healthcare and non-healthcare organisations, healthcare organisations must place a greater emphasis on compliance, employee training, and incident response planning due to the sensitive nature of patient data and the strict regulatory landscape in the UK.