Passwords make doctors vulnerable, but solutions are easy

Strengthening the log-in credentials on your practice computer systems can go a long way toward reducing the risk of online hackers stealing information.

By — Posted Nov. 12, 2012

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Using the word “password” — or something else simple to remember — for your actual computer password might be an easy way to remember your login credentials. But it could be the biggest thing making your computer system vulnerable to hackers.

A recent report by Verizon that looked at cyber attacks on health care organizations in 2011 and 2012 found that 72% of them were caused by hackers guessing, or using automated systems to guess, the passwords and other credentials that allowed them access to computer systems.

Practices are required under the Health Insurance Portability and Accountability Act and meaningful use rules to perform security assessments. Those assessments are a great way to develop a baseline and identify areas for improvement, such as strengthening passwords, said Brian Lapidus, senior vice president of Kroll Advisory Solutions, a security response and mitigation firm. Many practices overlook simple things like password security because they are too focused on the big issues, and on protecting health information while overlooking their other assets, said Jay Jacobs, managing principal for the Verizon RISK team, which investigates breaches of Verizon's enterprise clients.

But password security doesn't have to be part of an overall assessment. It can start by checking — right now — whether passwords are strong, where they are used and how they are stored if someone forgets one.

Verizon published an in-depth, industry-specific report in October looking at cybercrimes based on its 2011 and 2012 Data Breach Investigations Reports. It found that breaches in the health care sector represented 7% of the breaches used for Verizon's 2012 report, up from 1% in the 2011 report. Most of the breaches were at organizations with fewer than 100 employees. These small practices are considered by hackers to be easy targets not only because of their lack of basic security systems, such as firewalls, but also because of a lack of zero-cost security measures such as hard-to-guess passwords.

While the chances of being attacked by a hacker might be small, the chance that a successful attack would cause a large amount of hassle, financial costs and patient ill will for a practice is very high, analysts said. For example, Michigan-based Ponemon Institute's annual “U.S. Cost of Data Breach Study” found that the average organizational cost per breached record was $194 in 2011.

In many cases, the hacking comes from people who use automatic systems that try to guess passwords without tripping any systems that would lock out a user after a certain number of tries. SplashData, a mobile technology vendor that develops productivity tools including password management systems, produces an annual list of the top 25 most common hacked passwords. Topping the list, compiled using files of stolen passwords posted online by hackers, for the second year in a row were “password,” “123456,” and “12345678.” Paranoia doesn't automatically make a password secure: No. 12 on the list was “trustno1.”

What makes a password secure

Experts say good, secure passwords should be at least eight characters long and use a combination of letters and symbols. Suggestions include using short phrases with underscore spaces between each word such as “see_spot_run.”

Brian Gay, director of Think First Consulting in Danvers, Mass., suggests coming up with an easy-to-recall phrase, then using the first letter of each word in the phrase as the password while replacing a letter or two with a symbol to increase the complexity. For example, “my favorite food to eat is pizza” become “mff2e!p.”

Robert Siciliano, an online security expert for McAfee, said passwords also can be created by using the keyboard as a palette to create shapes. For example, if you start with the “%” key and follow it in the shape of a V, you have “%tgbhu8*”

Ryan Permeh, chief technology officer for the security firm Cylance, said different passwords should be used for each account requiring login credentials. “Unfortunately, when people reuse passwords to access multiple points, a compromise of one could result in the other,” he said.

Multiple passwords are a lot to remember, and cloud-based password managers can help store them safely. But, Gay warns, those should be used only if the master password is extremely secure.

Siciliano said it's OK to write down passwords as long as they are kept separate from the machines, and it's not made obvious that they are passwords. Or, he said, “tip sheets” can be used to offer clues to the password but not the actual key stroke combination.

Experts also say passwords should not be shared between employees. This makes it harder to determine who was on a system at what time, thus making audits difficult to perform. Plus, a physician loses the ability to revoke access to individuals who leave or are fired, Permeh said.

Also, analysts said all passwords should be changed once every 60 to 90 days.

Other steps to safety

The Verizon report found that hackers weren't necessarily targeting organizations because they were health care-related. They were targeted because they were vulnerable, Jacobs said, and because they had financial information or personal information that would help in setting up fraudulent accounts. At 64%, point-of-sale systems were the most frequently targeted, according to the report. The Verizon Data Breach Investigation report includes breaches investigated by Verizon or one of the five other international organizations it partners with to produce the report.

In a physician practice, a point-of-sale system would be any that accepts payments, such as machines connected to credit card skimmers.

Jacobs said the more those systems are exposed to the Internet, the more likely they are to be hacked. Therefore, machines used to process financial information should be limited as much as possible to only that function. But if such machines are at work stations for employees performing other job functions, Internet use should be limited as much as possible, and employees should be trained not to click on random links or plug in thumb drives from unknown sources.

Because many attacks happen through the “back door,” or network server, practices need to ensure that they have good firewalls in place. While no security measure, including firewalls, will protect the practice 100%, it will provide an important layer if a password is guessed.

The Verizon report also recommends talking to contractors about their safeguards. Many small practices get service support from third parties that provide services remotely. The networks need to be set up in a way that contractors can access the systems to do their work — while keeping the hackers out.

Back to top


Most-often hacked passwords

Experts say the best passwords combine letters and symbols, but many people fail to follow this advice. The technology firm SplashData published an annual list of the 25 worst passwords compiled from files containing millions of stolen passwords posted online by hackers. The top three have remained unchanged from 2011.

1. password

2. 123456

3. 12345678

4. abc123

5. qwerty

6. monkey

7. letmein

8. dragon

9. 111111

10. baseball

11. iloveyou

12. trustno1

13. 1234567

14. sunshine

15. master

16. 123123

17. welcome

18. shadow

19. ashley

20. football

21. jesus

22. michael

23. ninja

24. mustang

25. password1

Source: SplashData News, October

Back to top

How to create strong, memorable passwords

Industry insiders say a combination of letters and symbols that is at least eight characters long makes passwords more secure, though they acknowledge that remembering them can be a challenge. They offer tips for creating passwords that are meaningful enough not to be forgotten.

Add symbols to words making up a phrase. I_love_pizz@ (I love pizza)

Use the first letter of each word in a phrase, combined with symbols. IL2EP_vm (I like to eat pizza very much)

Use the keyboard as a palette to make shapes. @wdvgy& (letter V, starting with "@" key)

Use emotions in a phrase. Iam:)2bme (I am happy to be me)

Source: Robert Siciliano, online security expert for McAfee; Brian Gay, director at Think First Consulting

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn