The Password Issue Faced within the Healthcare Industry


The World Economic Forum has raised the alarm that healthcare cyberattacks are on the rise. Unfortunately, the healthcare industry has always been under threat and has continuously been plagued by a myriad of cybersecurity challenges. In fact, statistics show that ransomware attacks hit 81% of UK healthcare providers in 2022, while according to the American Hospital Association, last year “saw an even greater number of incidents”.

As more healthcare organisations become digitised, the daily threat from ransomware, phishing, social engineering, and stolen credentials is increasing. Add to that the impact of the third-party service providers used by healthcare organisations: supply chain attacks on this industry are a proven issue.

Naturally, with such valuable information stored, cyberattacks within this industry can have huge ramifications, both for data privacy and financially. Back in 2017, the WannaCry attack cost the NHS £92m, while a more recent data breach impacted 1.1 million patients across 200 hospitals. It is therefore the duty of these institutions to ensure they are not neglecting security best practices, so that patients receive the best possible protection and care.

The Problem of Securing Data in Healthcare

Limited budgets and a hesitancy to adopt new systems often mean the technology used by medical institutions is outdated. Then you must factor in the number of medical professionals who work within healthcare. In the US, there are over 14 million healthcare workers, while in the UK, the NHS employs 1.5 million people – and that’s not including the wider supply chain of service providers. This means that a great many people working within the industry have access to vast amounts of highly sensitive data, which can be hard to track and secure. This puts a great deal of pressure and strain on the systems, the wider workforce, and the security professionals employed to protect them.

Threat actors prey on this fact, knowing systems are under pressure and that the industry has a lack of funding. Typically, this means that cybercriminals won’t need to use advanced attack methods to exploit the systems. For instance, threat actors will always target weak credentials and passwords used by the workforce when hacking an organisation – a fact proven by Verizon’s latest data breach investigations report, which revealed that 74% of all breaches include the human element, with people being involved via error, privilege misuse, use of stolen credentials or social engineering. Healthcare professionals are no different from other industries, with password reuse an unfortunately common practice.

Healthcare Passwords: Best Practice

Passwords are easy to attack because individuals use easy-to-guess passwords. These weak passwords are guessable because people reuse passwords and follow common patterns and themes. These passwords then end up on breached lists and can be attacked via brute force and password spraying. If you examine the most common base terms used within passwords, the top three were ‘password’, ‘admin’ and ‘welcome’. These are common terms people use repeatedly across different accounts, both professional and personal.

With this in mind, password length and complexity may be the answer to this problem. Indeed, there are several compliance regulations that have set requirements for cybersecurity, including organisational password policies, that endorse length and complexity requirements in the password policy design.

In the US, healthcare organisations must abide by HITRUST for HIPAA, which instructs users to have a minimum of eight characters for a given password, or 15 characters for accounts with the most privileged access. Complexity measures include at least one number and/or special character, and at least one letter in upper and lower case for privileged accounts. In the UK, organisations must adhere to the rules set out by the ICO for GDPR. Although GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. Furthermore, all UK health and care organisations are expected to implement the 10 National Data Guardian (NDG) standards for data security. Any organisation with access to NHS patient data and systems must use the Data Security and Protection Toolkit and follow the standards, which are designed to protect sensitive data and also to protect critical services which may be affected by a disruption to critical IT systems (such as in the event of a cyberattack). The NCSC even issued a warning to healthcare organisations in both the UK and US to change any passwords that could be reasonably guessed to one created with three random words, and to implement two-factor authentication to reduce the threat of compromises.

Despite the requirements set by the regulatory standards, research has shown that 83% of compromised passwords would satisfy the password complexity and length requirements of compliance standards. Therefore, it is essential for healthcare organisations to screen passwords against a list of the most commonly used passwords, passwords leaked in breaches, and guessable passwords related to the organisation. It is the duty and responsibility of these organisations to provide care and protection to their patients, which is why it is important to build a more secure security baseline.
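The three checks discussed above can be expressed as a single policy evaluator: the HITRUST-style length and complexity rules (eight characters, or 15 for privileged accounts, plus character-class rules), a screen against a breached-password corpus held as SHA-1 digests, and a screen for the common base terms ‘password’, ‘admin’ and ‘welcome’ even when they are disguised with digits or letter substitutions. The following is an added illustration written for this article, not Specops Software’s product code. The breached corpus, the leet-substitution table and the organisation-related terms (`stmarys`, `hospital`, `nhs`) are constructed sample values for the example; a real deployment would use a full breach corpus or an online range lookup such as the Have I Been Pwned Pwned Passwords service, and terms drawn from the organisation’s own name, sites and systems.

```python
import hashlib
import re

# Constructed denylists for this example (not a real breach corpus).
COMMON_BASE_TERMS = {"password", "admin", "welcome"}   # the three base terms named in the article
ORG_RELATED_TERMS = {"stmarys", "hospital", "nhs"}     # constructed: words tied to a hypothetical organisation

MIN_LENGTH_STANDARD = 8     # HITRUST minimum for ordinary accounts
MIN_LENGTH_PRIVILEGED = 15  # HITRUST minimum for the most privileged accounts


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breached-password corpora are usually distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "breached" corpus. Only digests are kept so the clear text never sits on disk.
# Note that every entry here would pass the length and complexity rules below.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2023!", "Qwerty123456!", "Letmein2024")}

# Common letter substitutions people use to dress up a dictionary word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "3": "e", "7": "t"})


def base_term(password: str) -> str:
    """Reduce a password to the word its owner most likely started from:
    lower-case it, strip leading/trailing digits and punctuation, then undo leet substitutions.
    '@' and '$' are kept at the ends because they may stand for letters."""
    s = password.lower()
    s = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", s)
    return s.translate(LEET_MAP)


def length_ok(password: str, privileged: bool = False) -> bool:
    return len(password) >= (MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_STANDARD)


def complexity_ok(password: str, privileged: bool = False) -> bool:
    """At least one number and/or special character; privileged accounts also need upper and lower case."""
    if not any(not c.isalpha() for c in password):
        return False
    if privileged:
        return any(c.isupper() for c in password) and any(c.islower() for c in password)
    return True


def is_breached(password: str) -> bool:
    return sha1_hex(password) in BREACHED_SHA1


def evaluate_password(password: str, privileged: bool = False) -> list[str]:
    """Return every reason the password should be rejected; an empty list means it passes all checks."""
    problems = []
    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_STANDARD
    if not length_ok(password, privileged):
        problems.append(f"shorter than {minimum} characters")
    if not complexity_ok(password, privileged):
        problems.append("missing required character classes")
    if is_breached(password):
        problems.append("appears in breached-password list")
    base = base_term(password)
    if base == "":
        problems.append("contains no letters")
    else:
        for term in sorted(COMMON_BASE_TERMS):
            if term in base:
                problems.append(f"built on common base term '{term}'")
        for term in sorted(ORG_RELATED_TERMS):
            if term in base:
                problems.append(f"built on organisation-related term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates: the first two satisfy length and complexity yet still fail screening.
    for candidate, priv in (("Summer2023!", False), ("P@ssw0rd123", False),
                            ("Tr0ub4dor&3", True), ("correct-horse-battery-staple-42", False)):
        verdict = evaluate_password(candidate, priv)
        print(f"{candidate!r:40} privileged={priv!s:5} -> {verdict or 'OK'}")
```

The two screening checks are what distinguish this from a plain complexity policy: `Summer2023!` and `P@ssw0rd123` both meet the eight-character and character-class rules, yet one is in the breached corpus and the other normalises to the base term ‘password’, so both are rejected. A three-random-words style passphrase passes every check.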

Securing External Software and Third-Party Providers

Additionally, it’s important that when healthcare providers purchase external software and systems, or outsource information, the necessary due diligence on the third parties is carried out. This involves ensuring the supplier is ISO 27001 accredited and in compliance with the industry standards, while also following security best practices. Question them on what their password policies are. Is MFA in use? Do they have contingency plans, and do they regularly back up their systems? The answers to these questions will give a strong indication as to whether the supplier takes security seriously.

Unfortunately, the healthcare industry will always be targeted, especially as newer technologies are adopted and more processes and procedures become digitised. Yes, this will bring greater efficiency, but digital records are easier to steal, so it’s about striking a balance between security investment, security awareness and education, and meeting the organisation’s overall objectives. With passwords still an incredibly important layer of security, continuously monitoring and checking the passwords in use within the healthcare organisation against compromised credentials is an effective way to enforce a strong defence, improve data security and help keep patients safe.


By Darren James, Senior Product Manager at Specops Software