
Best Practices For Password Security, Cyber Hygiene

Healthcare organizations should encourage cyber hygiene among employees and require proper password security measures, such as multifactor authentication.

The first Thursday of every May is World Password Day, a day on which organizations and individuals are encouraged to brush up on their cyber hygiene and password security measures.

Weak passwords may be an easy way for threat actors to gain credentials and worm their way into a healthcare organization’s network. Cyber education and an enterprise-wide culture of cybersecurity can help organizations mitigate risk.

While this is not an exhaustive list, the following tips and best practices are important concepts for healthcare organizations to enforce across their workforces.

Implement Multi-factor Authentication

Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form, requires a user to verify their identity with two or more authentication factors when logging in, drawn from different categories: something the user knows, something the user has, or something the user is. For example, a user may have to verify their identity by entering a password on their computer and then responding to a mobile push notification.

Alternatively, a user may be required to enter a PIN followed by some form of biometric data, such as a fingerprint.

“MFA increases security because even if one authenticator becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space or computer system,” the Cybersecurity and Infrastructure Security Agency (CISA) stated in its MFA guide.

CISA recommended that organizations enforce MFA on internet-facing systems, such as remote desktop, VPNs, and email.

“Implementation schedules, costs, adoption willingness, and the degree of protection provided vary depending on the solutions selected and the platforms to be protected, so match the capability to the need,” CISA explained.

Use Complex and Long Passwords

“Practice good password hygiene by using complex and long passwords that are unique for each site you visit,” Matt Shelton, director of technology risk and threat intelligence at Mandiant, told HealthITSecurity via email. 

“A strong password doesn't have to be difficult to remember as long as it's long! Consider using a long phrase that's easy to remember.”

The National Institute of Standards and Technology’s (NIST) guidance on strong passwords recommended using the longest password or passphrase allowed by the system. CISA concurred with NIST’s recommendations in its own password guidance.

“For example, ‘Pattern2baseball#4mYmiemale!’ would be a strong password because it has 28 characters and includes the upper and lowercase letters, numbers, and special characters,” CISA reasoned.

“You may need to try different variations of a passphrase—for example, some applications limit the length of passwords and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.”
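As an added illustration of the advice above (this is example code, not from CISA, NIST or Mandiant), the block below generates a random passphrase the way a password manager or diceware list would, shows how its strength is measured, and checks a candidate password against two of the rules quoted here: a minimum length and a denylist of common phrases, quotations and lyrics. The 32-word list and the short denylist are constructed for the example; a real deployment would load the full EFF large wordlist (7,776 words) and a breached-password list.

```python
import math
import secrets

# Constructed mini wordlist for the example (a real list would be thousands of words).
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "copper", "marble", "pillow", "rocket", "summit", "tunnel", "violet",
]


def _normalize(text: str) -> str:
    """Lowercase and drop spaces/punctuation so 'To Be, Or Not To Be!' and
    'tobeornottobe' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


# Constructed denylist: common phrases, quotations and lyrics to reject.
COMMON_PHRASES = {_normalize(p) for p in [
    "password", "letmein", "qwerty123", "iloveyou",
    "to be or not to be", "may the force be with you", "we will rock you",
]}


def generate_passphrase(words: int = 5, separator: str = "-", wordlist=WORDLIST) -> str:
    """Pick words with the `secrets` CSPRNG, never `random`, which is predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Strength of a randomly generated passphrase: log2 of the number of
    equally likely phrases. Only valid when the words really were chosen at random."""
    return words * math.log2(wordlist_size)


def check_password(candidate: str, min_length: int = 15, denylist=COMMON_PHRASES) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    normalized = _normalize(candidate)
    for phrase in denylist:
        if phrase in normalized:
            problems.append(f"contains common phrase '{phrase}'")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, "->", round(passphrase_entropy_bits(5, len(WORDLIST)), 1), "bits (toy list)")
    print("5 words from the 7,776-word EFF list:",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
    for pw in ["Short1!", "ToBeOrNotToBe!!2024", phrase]:
        print(repr(pw), "->", check_password(pw) or "ok")
```

Length matters because each extra random word multiplies the search space; five words from a 7,776-word list give about 65 bits of entropy, comparable to a truly random 11-character mix of letters, digits and symbols, and far easier to remember. Note that a passphrase built from a famous quotation has almost none of that entropy no matter how long it is, which is why the denylist check matters as much as the length check.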

Consider a Password Manager

“Consider using a password manager to store unique and complex passwords for every site you visit,” Shelton suggested. 

“When choosing a password manager, use an industry recognized provider and never store your passwords in a document on your desktop.”

Password managers generate lengthy and complex passwords for you and consolidate them in one encrypted vault, all under the protection of one strong primary password. Saving passwords in a web browser, by contrast, can create risks of its own.

“Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information,” CISA warned.

“Always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.”

Don’t Reuse Passwords

“Reusing a password, even a strong one, endangers your accounts just as much as using a weak password,” CISA explained.

“If attackers guess your password, they would have access to your other accounts with the same password.”

Users should vary their passwords for different systems or accounts and develop mnemonics to remember more complex passwords.

“For example, instead of the password ‘hoops,’ use ‘IlTpbb’ for ‘[I] [l]ike [T]o [p]lay [b]asket[b]all,’” CISA recommended.

“Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to ‘Il!2pBb.’ creates a password very different from any dictionary word.”
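Organizations can enforce the no-reuse rule on their own systems by keeping a history of previous password hashes and rejecting a new password that matches any of them. The block below is an added example of that control (it is not CISA's code or from the article): each historical entry is a salted PBKDF2-HMAC-SHA256 digest, so the plaintext is never stored, and a candidate is re-derived with each entry's salt and compared in constant time. The history depth of five and the iteration count are assumptions; the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os


class PasswordHistory:
    """Keeps salted digests of a user's last `depth` passwords so a reused one
    can be rejected at change time. Plaintext passwords are never retained."""

    def __init__(self, depth: int = 5, iterations: int = 600_000):
        self.depth = depth
        self.iterations = iterations       # PBKDF2 work factor; raise over time as hardware improves
        self._entries = []                 # list of (salt, digest), oldest first

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def was_used(self, candidate: str) -> bool:
        """True if `candidate` matches any password still in the history window."""
        for salt, digest in self._entries:
            if hmac.compare_digest(self._digest(candidate, salt), digest):
                return True
        return False

    def set_password(self, new_password: str) -> bool:
        """Record a new password unless it repeats one in the window. Returns
        False (and changes nothing) when the password is a reuse."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)              # fresh salt per entry defeats precomputed tables
        self._entries.append((salt, self._digest(new_password, salt)))
        del self._entries[:-self.depth]    # drop entries that have aged out of the window
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    for attempt in ["copper-marble-pillow-rocket-1", "copper-marble-pillow-rocket-1",
                    "summit-tunnel-violet-walnut-2"]:
        print(repr(attempt), "->", "accepted" if history.set_password(attempt) else "rejected: reused")
```

A history check only catches reuse within one organization's systems. Reuse across sites, the case CISA describes, cannot be detected by any single site, which is why unique passwords held in a password manager remain the real control.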

Follow General Security Best Practices

Organizations should always keep systems up to date and use antivirus software and firewalls to prevent intrusions, CISA suggested.

Every user should be aware of basic cyber hygiene practices to safeguard protected health information (PHI). Users should watch out for suspicious activity and avoid clicking untrusted links.

While none of these methods is foolproof, together they can greatly reduce a user's or an organization's risk of compromise.
