Healthcare’s Password Problem and The Need for Management, Vaults
Credential theft remains a prominent issue in healthcare. Given that many users habitually reuse passwords, the sector must improve its policies and password management, and consider employing password vaults.
Digital Shadows recently reported that at least 15 billion compromised credentials and passwords are for sale on the dark web. The data should serve as a warning to healthcare entities on the need for enhanced password management, employee education, and the need for password vaults.
User authentication and identity access management are crucial to any mature security posture. However, many users actively engage in risky password and authentication practices, including the reuse of passwords across multiple accounts.
Particularly in the healthcare sector, deficient user authentication and excessive user permissions are frequently named as the leading risks to the enterprise.
Password issues can include inadequate strength requirements, single sign-on controls, and failing to lock accounts after too many failed login attempts, along with generic passwords, physically posted passwords, and emailing unencrypted passwords.
While seemingly innocuous, failure to strengthen password and access controls across the enterprise can allow hackers to easily hack into networks. Specifically, brute-force attacks on the remote desktop protocol (RDP) and ransomware attacks often rely on stolen credentials to break into networks.
The COVID-19 pandemic has heightened those risks, further spurring brute-force cyberattacks, prompted by the rapid adoption of telework, telehealth, and remote connections. In many of these attacks, hackers attempt to breach RDP and Virtual Private Networks (VPNs) by systematically trying all possible credential combinations.
While some attempts focus on random characters, others will use popular or compromised credentials. A successful exploit provides a hacker with a backdoor into a network. As it’s incredibly easy for a hacker to find and purchase compromised credentials on the dark web, these attacks will only continue to increase in their success.
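The brute-force pattern described above is detectable from a remote-access gateway's authentication log. The following is an added example (not code from the article or from any vendor it names): the log format, IP addresses and usernames are constructed, and the thresholds are assumptions a team would tune to its own environment. It distinguishes a single account being hammered from a password spray across many accounts, and flags a burst followed by a successful login as the highest-priority case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real traffic): timestamp, source IP, user,
# result. One IP hammers a single account; another sprays across many accounts.
SAMPLE_LOG = """\
2020-07-10T09:00:01 198.51.100.7 jsmith FAIL
2020-07-10T09:00:02 198.51.100.7 jsmith FAIL
2020-07-10T09:00:03 198.51.100.7 jsmith FAIL
2020-07-10T09:00:04 198.51.100.7 jsmith FAIL
2020-07-10T09:00:05 198.51.100.7 jsmith FAIL
2020-07-10T09:00:06 198.51.100.7 jsmith OK
2020-07-10T09:00:07 203.0.113.9 nurse1 FAIL
2020-07-10T09:00:08 203.0.113.9 nurse2 FAIL
2020-07-10T09:00:09 203.0.113.9 nurse3 FAIL
2020-07-10T09:00:10 203.0.113.9 nurse4 FAIL
2020-07-10T09:00:11 203.0.113.9 nurse5 FAIL
2020-07-10T09:10:00 192.0.2.44 drlee FAIL
2020-07-10T09:10:30 192.0.2.44 drlee OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), m.group(4)))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failures inside a sliding window.
    'users' > 1 suggests spraying; 'success_after' marks a probable compromise."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order within each source IP
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            if len(burst) >= threshold:
                last = burst[-1][0]
                alerts[ip] = {"failures": len(burst),
                              "users": len({e[2] for e in burst}),
                              "success_after": any(e[3] == "OK" and e[0] > last
                                                   for e in evs)}
                break
    return alerts
```

A single failure followed by a success (the drlee lines) produces no alert, which is the ordinary mistyped-password case the threshold is meant to ignore.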
Troy Young, AdvancedMD chief technology officer, explained that healthcare continues to be the leading target for ransomware, with hundreds of thousands of hackers leveraging sophisticated human-operated campaigns or even Ransomware-as-a-Service, where a leading group of hackers distributes malware variants by sharing the profits from successful attacks.
Ransomware attacks continue to be increasingly targeted, with some of the worst attackers sending spam emails masked as messages from the IT team – urgently asking the user to provide credentials, explained Young.
As these attacks increase in frequency, it will become even more important for the sector to ensure credentials are secured.
Common Password Misconceptions
Stolen passwords are incredibly valuable for use in brute-force attacks, Young explained. As recent threats demonstrate, hackers will often seek stolen credentials to sell access to victim networks on the dark web.
For example, the hacker known as TrueFighter is targeting the remote desktop protocol (RDP), especially those in healthcare, to sell the compromised RDP accounts to the highest bidder.
Far too often, organizations seek to create in-depth password policies that rely on length. Young explained that these can be very inconvenient to type and even to remember. Instead, the focus should be on password complexity: “A passphrase as simple as ‘mydoghasfleas’ is actually more secure than a 10-character password.
In the end, the length of a password is less important than its complexity.”
“Think about the approaches hackers are using to crack passwords and credentials. Number one, if it’s a brute-force attack, the longer and more complex the password, the longer it will take them to crack into the network,” Young explained.
“Usually when passwords are stolen, it’s because the hacker has obtained access to a database. Databases rarely have the password in clear text, instead it’s written in hashes due to one-way encryption,” he added. “They can’t decrypt the password from the hash, but instead post hashes on a website.”
The hacker can then readily find the password when the user employs the same password for all their accounts.
Young recommended administrators instead consider using password vaults, which have security and password management built into the tool. Many enterprise versions can manage all employees, and only the administrator can add or remove users – without seeing the passwords.
Each user is assigned their own vault, and when an employee leaves the organization the account can be easily removed, deleting one more access point.
The Case for Password Management
Reports have repeatedly shown that some of the most commonly used passwords are the easiest to hack, such as “123456,” “qwerty,” “abc123,” “11111,” and “password,” to name a few. But even when a password is deemed secure, that defense becomes irrelevant when the credential is stolen, or when users reuse their personal-account passwords in the workplace environment.
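Two points above, that leaked databases hold one-way hashes which still expose reused passwords, and that a short list of commonly used passwords is easy to hack, can be shown together in a small registration routine. This is an added example, not code from the article or from AdvancedMD; the blocklist is constructed from the passwords named in this article (a real deployment would load a full breached-password list), and the minimum length and iteration count are assumptions.

```python
import hashlib
import os
import secrets

# Constructed blocklist from the commonly used passwords the article names.
COMMON_PASSWORDS = {"123456", "qwerty", "abc123", "11111", "password"}

def check_policy(password, min_length=12):
    """Reject blocklisted or too-short passwords. Returns (ok, reason)."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"

def unsalted_hash(password):
    """The naive database layout the article warns about: a one-way hash with
    no salt. Identical passwords give identical hashes, so one hash posted
    from a breach matches every account where that password was reused."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password, iterations=100_000):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 storage record. The
    per-user random salt means the same password yields different stored
    values in different databases, and precomputed hash tables do not apply."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return secrets.compare_digest(digest.hex(), record["hash"])

def register(password):
    """Apply the policy, then store only a salted slow hash, never the password."""
    ok, reason = check_policy(password)
    if not ok:
        raise ValueError(reason)
    return make_record(password)
```

Salting does not rescue a user who reuses a leaked password, since the attacker already knows it; it only removes the shortcut of matching hashes across databases, which is why the policy check and 2FA still matter.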
Password challenges drive the need for organizations to employ two-factor authentication (2FA), at the very least. In this way, if a hacker obtains credentials in some way, they’re limited in what they’re able to access, he explained.
To Young, the biggest mistake healthcare entities continue to make is not taking advantage of 2FA or multi-factor authentication. Notably, Microsoft reported MFA blocks 99.9 percent of all automated cyberattacks.
“In most cases, simply using 2FA will sort of absolve all other sins,” Young said. “Even if a password is not long or complex enough, or an employee makes the cardinal mistake of password reuse, employing 2FA on all endpoints that provide system access from outside the network, can protect the organization.”
Users should be encouraged to use a password vault, which reminds users to employ passphrases while keeping credentials secured. Young noted employee training is also needed around authentication, as well as avoiding password reuse between personal accounts and those in the work environment.
Further, the IT teams must provide employee training on passwords, both on the corporate side and for those on the front lines. Young added that the education can provide real value to the employees for their personal accounts, as well.
Especially as healthcare continues to be the leading target for ransomware – and as the value of health data has diminished – hackers will continue to prey on the need for all providers to have constant access to patient data.
Even in 2009, when it released its password management guidance, NIST stressed that effective management can reduce the risk of compromising password-based authentication mechanisms.
The guidance provides organizations with insights into outlining password policy requirements and how to choose centralized and local password management solutions, along with common threats that prey on character-based passwords and mitigation techniques.
“Agencies need to consider using several mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms,” NIST officials explained at the time.
“Most organizations' password policies rely primarily on password strength—an organization might require, for example, that passwords be a certain length and include a variety of letters, digits and symbols,” they added. “These policies were created to protect against brute-force password guessing and cracking.”
However, as noted by NIST and seconded by Young, strong passwords are no longer enough to stand up to the challenge of the modern threat landscape. From spyware hidden in browsers to socially engineered phishing campaigns, password management is crucial to reducing the likelihood and impact of compromised credentials.