“123456” and “password” top the list of the ten most frequently used passwords in healthcare organizations, followed by passwords consisting of all or part of the practice’s name.
Unfortunately, passwords like these are easily guessable by bad actors who are eager to capture and exploit sensitive patient information, a prized commodity on the black markets of data trafficking.
Are you starting to regret keeping that password you’ve had since high school? Don’t go rushing to change it (yet).
I’m here to share the art and science of creating an unbreakable password—as well as three crucial password best practices for healthcare organizations to adopt in 2024.
Introduction to Password Security Best Practices
First, it’s essential to understand that an unguessable password doesn’t mean it’s unhackable—just that it’s not easy to guess. That’s why boosting password complexity is one of the frontline defense strategies against cyber attacks.
Although HIPAA doesn’t stipulate a specific password format, recent guidance underlines how to create strong passwords. Here are the highlights:
- Use unique passwords for different systems, sites, and applications. This is password safety 101!
- Require passwords that are at least eight characters long with a mix of upper and lowercase letters, special characters, and numbers. The longer, the better—very secure passwords can reach a length of 20 or more characters.
- Recommend the use of passphrases, which are strings of words, special characters, and numbers that employees can remember with the help of mnemonics. You might use “Pleas3Excus3@MyDearAuntSa11y!” if you really loved math class, for instance.
- Discourage the use of weak passwords. This includes commonly used passwords, or ones that are easy to guess (see common mistakes below). And never—never!—use a password that has been compromised in the past.
- Prohibit the use of shared passwords. In the healthcare industry, access to electronic protected health information (ePHI) must be logged and monitored in accordance with the Technical Safeguards of the HIPAA Security Rule, which means password sharing is a HIPAA violation.
But creating strong passwords is just the first step in improving organization-wide security. To take it up a notch, here are three best practices I recommend across the board.
1. Conduct Annual Data Security Training
Unfortunately, human error is a significant risk to healthcare data security. That’s why it’s critical to hold annual cybersecurity training sessions for everyone in the organization—and I mean everyone.
Scheduling training events gives you an opportunity to update staff on a constantly evolving threat landscape and raise awareness about the importance of data security. For example, you might review the essentials of password hygiene or cover common cyber attacks like phishing. Each session should help staff protect themselves, your patients’ health information, and your practice’s compliance.
Make sure your training session isn’t just a one-and-done deal. Cyber threats are constantly changing, becoming more efficient and harder to block. Yes, it may be challenging to make time with everyone so busy. However, it is more than worth the effort when you consider the cost of a breach.
2. Thoroughly Secure Your Systems
As we mentioned above, unguessable passwords are still technically hackable. Create an additional layer of security to your systems with some (or all) of the following:
- Implement two-factor (2FA) or multi-factor authentication (MFA). 2FA and MFA include an extra level of sign-on security by requiring a biometric (like a fingerprint) or an emailed code during login. Even if a hacker could guess or access the password, the extra authentication process might stop them in their tracks.
- Consider single sign-on (SSO) authentication. This authentication method allows users use one set of credentials to securely access multiple applications or sites. Think: Using your Gmail or Facebook account to sign in to your favorite news site.
- Implement password generators and password management systems to make it easy to keep track of and update login information. A password vault can store login credentials, generate complex passwords, and prevent passwords from being reused.
- Screen new vendors and partners. Thoroughly screen all new Business Associates and vendors, making sure to review their privacy and security policies, as well as assessing potential risks. Risk assessments and partner agreements should be continually re-evaluated.
- Properly close old accounts. When an employee leaves the practice, and their account remains open, it can create a vulnerability. Close any unused accounts as soon as possible.
💯 Practical Advice
Be sure to keep patient experience in mind, too. Consider how your patients access their own PHI and health records. Password policies and security standards like 2FA can be implemented to protect your patient portal, for example.
3. Focus on Continuous Improvement and Assessment
Your password guidelines should be continuously refreshed and updated. Cyberthreats are constantly evolving as hackers develop new tactics to evade detection and capture valuable data, so a strong security posture requires regularly revisiting existing systems and updating or adding new password best practices as needed.
For example, experts at the National Institute of Standards and Technology no longer recommend routinely updating passwords at set intervals. Instead, they emphasize creating strong passwords up front, and keeping up with password monitoring, which means that compromised passwords can be identified and updated as soon as possible.
Get the Newsletter!
Key rehab therapy insights and resources. Twice a month. Unsubscribe any time.
Avoid Common Mistakes (That Can Be Costly)
Human error is one of the top threats to the security of healthcare data. Here are some of the most common mistakes made by both organizations and individuals—and what to do about them.
Mistake #1: Choosing a password that's easy to break.
First, understand what makes a password “weak.” Weak passwords are often oversimplified or obvious—after all, people tend to choose phrases or sequences of characters that are easy to remember. But memorable passwords can be your downfall.
Solution: To boost password strength and complexity, steer clear of…
- Predictable words and phrases. For example, “password” or “123456,” which are unfortunately among the top 10 most common passwords in healthcare. Attackers can use software to quicky test for the most common phrases and probe for weak links.
- Referencing your practice’s name, address, or other business details. One major IT firm fell victim to a data breach because an intern chose a weak password that included the firm’s name.
- Personal information that can be found online or on social media. This includes names of family members and other loved ones, pets, birthdates, references to sports and hobbies, and favorite hangouts or vacation destinations.
Mistake #2: Keeping the default password on a new device or platform.
When you’re initially setting up a new account or device, it may come with a pre-set credentials that you can use to get started. Even if the initial password seems strong, you can’t rely on it to be secure. Factory default passwords are often simple, duplicated, and easily identifiable.
Solution: Whenever your organization implements new software or hardware, staff should promptly create new login credentials and delete defaults.
Mistake #3: Storing passwords in unsecured formats.
Don’t fall for the trap of “convenient.” It might seem convenient, for example, to keep login info for shared workstations in a readily-accessible location, like a sticky note attached to the bottom of a keyboard. A new admin might write down a new password in case he forgets it later. A therapist might feel confident saving credentials in a digital keychain on her phone.
Unfortunately, these conveniences lead to bad password habits and poor security practices.
Solution: Healthcare providers should invest in convenient—but secure and governable—systems for storing credentials or accessing health information technology. This can include solutions we’ve discussed so far, like providing a password manager that can only be accessed via a strong master password.
Password Security Leads to Better Patient Care
A strategy built on security awareness, diligence, and a commitment to improvement will protect both your practice and the patients you serve. There’s a good reason PHI is protected, and why data security in the healthcare field is such a critical priority.
Now go change that duplicate password. Shred that sticky note. Flag that phishy email. Take daily steps to improve the cybersecurity posture at your practice.
Every improvement goes far in keeping your patients’ privacy and trust intact.
Here at Raintree Systems, we help physical therapy, occupational therapy, speech-language pathology and multi-disciplinary practices grow and succeed with scalable and robust software solutions. Raintree offers the only ONC-certified EHR system designed specifically for rehab therapy. Want to learn more? Schedule a demo and learn why high-growth PT, OT, SLP, and multi-disciplinary practices choose Raintree.
Don Silva Sr. is Raintree Systems’ Chief Information Security Officer and VP System Ops & Infrastructure. As a senior leader with over 20 years experience leading Global Technology Teams across a variety of industries, he has helped companies grow, mature and align Security & Engineering Teams with business goals. Read Don’s full bio >
