What You Don’t Know and Should Know About Passwords

November 17, 2020
J.D. Norcross

J.D. Norcross, director of information technology at VitalSkin Dermatology, discusses some myths and best practices about digital passwords that you should know to help keep your practice information safer.

We use passwords for many things in our personal and professional lives, from our email and bills to our online banking. Likewise, you probably have one or several passwords for the management, data and scheduling systems in your practice. Unfortunately, that doesn’t mean everything is always safe.

Over the years, there have been many large healthcare security breaches caused by password hacking. In 2019, 41.4 million patient records were breached, as hacking incidents rose 49%. This year is on the same track, with millions of records breached through remote-connection security issues, documents not being properly disposed of, and phishing attacks. Health Share of Oregon, Florida Orthopaedic Institute and Elite Emergency Physicians are just a few of the healthcare organizations that have had data breaches in 2020.¹

Passwords remain one of the main sources of security problems today. In many ways, your digital passwords are the keys to your office door: they unlock all the confidential, important information about your practice and patients. To keep it as safe as possible, there are some key things you should know about passwords that you may not.

Password Myths

There are a number of myths out there about digital passwords that have become widely accepted. Here are a few examples:

  • Complex passwords are stronger. Typically, when you’re asked to create a password for a website or app, you’re required to use a set number of characters, often including a mix of numbers or special characters. However, this doesn’t significantly improve the security strength of a password. Using a combination of different characters can make your password somewhat stronger, but it still does little to protect you from many of the sophisticated breaches happening now. Cybercriminals use a variety of techniques to recover passwords and overcome length and complexity. Yahoo’s 2014 data breach is a good example: names, email addresses, telephone numbers and passwords from millions of Yahoo accounts were accessed.²
  • Changing your password often increases security. It seems like a good idea to switch out your password every few weeks or months, but this can also help cybercriminals detect your patterns. When changing a password, many people change only a portion of their current password or use something similar, such as adding a number, an exclamation point or a dollar sign to the original. And when people do radically change their passwords, they often write them down. Whether it’s in a notebook or on a Post-it note, that could easily fall into the wrong hands. So if you change your password frequently and can’t remember it, don’t write it down and leave it easily accessible.²

Creating Secure Passwords

Although length and complexity may not fully protect you from a larger breach, there are steps you can take to create more secure passwords. The passwords research group from Carnegie Mellon’s CyLab Security and Privacy Institute has created a password policy that balances both security and usability.

Under these guidelines, a password only needs to be at least 12 characters long and pass a specific test developed by the research team. The test, powered by an artificial neural network, evaluates a password, gives it a strength score and offers suggestions in real time. So instead of relying on a required length or set of characters, users can create strong passwords that are also more usable and easier to remember. To build the test, the research team evaluated several kinds of requirements: minimum-length, character-class and minimum-strength rules, and password blocklists (common words and passwords that should not be used because they appear so frequently).³

You can view a demo of the password strength test here.
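The checker below is an added example written for this article; it is not the CyLab team’s neural-network meter or any code from the article itself. It implements the four requirement types named above (a 12-character minimum, a blocklist, a crude minimum-strength estimate, and a check that a "new" password is not just the old one with a number or symbol tacked on, which is the rotation pattern the myths section warns about). The blocklist entries, the 40-bit threshold and the sample passwords are constructed for illustration.

```python
import math
import re
from typing import List, Optional

MIN_LENGTH = 12   # the 12-character floor described in the article
MIN_BITS = 40     # constructed threshold for the crude strength estimate below

# Constructed blocklist standing in for a real list of frequently breached
# passwords; a deployment would load thousands of entries from a file.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Common substitutions used to sneak a blocked word past a naive check.
LEET = str.maketrans("@$10!3", "asloie")


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions,
    so that a dressed-up blocked word is still seen by the blocklist."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def in_blocklist(pw: str) -> bool:
    return pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST


def estimate_bits(pw: str) -> float:
    """Crude guessing-resistance estimate: log2(alphabet size) per effective character.

    Runs of one character ('aaaa') and repeated blocks ('abcabcabc') are collapsed
    first, so padding a short password with repetition does not raise the score.
    This is a stand-in for the neural-network meter the article describes, not it.
    """
    if not pw:
        return 0.0
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"\d", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation and space
    collapsed = re.sub(r"(.)\1+", r"\1", pw)             # 'aaaa' -> 'a'
    period = (collapsed + collapsed).find(collapsed, 1)  # length of smallest repeating unit
    effective = min(len(collapsed), period)
    return effective * math.log2(alphabet)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def too_similar(new: str, old: str) -> bool:
    """Flag the rotation pattern the article warns about: the same core word with
    a new suffix ('Winter2019!' -> 'Winter2020!'), or at most two edited characters."""
    a, b = normalize(new), normalize(old)
    if a and a == b:
        return True
    return edit_distance(new.lower(), old.lower()) <= 2


def check_password(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if in_blocklist(pw):
        problems.append("on the common-password blocklist")
    if estimate_bits(pw) < MIN_BITS:
        problems.append("too predictable (repeated or very limited characters)")
    if previous is not None and too_similar(pw, previous):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the kind of "rotation" the article describes.
    for candidate, old in [("P@ssw0rd2020!", None),
                           ("Winter2020!", "Winter2019!"),
                           ("correct horse battery staple", None)]:
        print(f"{candidate!r}: {check_password(candidate, old) or 'accepted'}")
```

The strength estimate is deliberately simple; its only job here is to show why a length rule on its own is not enough (twelve repeated characters pass the length check and fail the strength check), which is the gap the CyLab meter is designed to close with a much better model.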

Password Managers

If you have several different passwords protecting your systems and practice information, it can be difficult to keep track of them all. But there are many helpful tools available designed to help you store passwords and automatically fill them in on websites and apps, using browser plugins and integration with Android and iOS. These password managers only require one master password to log in. 

Password managers can also help you fill in online forms with names, addresses, and other data easily. This is quicker and safer than allowing e-commerce sites to store information. These manager apps usually sync across all your devices, so you can keep track of your passwords from your phone, computer, tablet, etc. Rather than writing passwords down for your systems and information, try downloading a password manager to store and keep them secure. There are plenty to choose from, so do a little investigation and see which one would work best for you and your team.

Preparing For a Future Without Passwords

Even though passwords are still the primary authentication method for businesses and medical practices, more than 70 percent of companies will likely do away with passwords over the next decade. Newer and more secure authentication methods are becoming more common in their place.

Methods such as one-time passcodes delivered via SMS, or biometrics like fingerprint and iris scans, can work alongside existing authentication methods and can be deployed across an organization. Facial, fingerprint and iris scans are now common features on new smartphones, used in place of a typed password, so it’s reasonable to expect that technology to spread to other parts of our systems in the near future.

With more than 81% of data breaches involving password cracking, it makes sense that more advanced forms of protection will eventually become the norm. But right now, passwords are likely still the main line of security in your office.

That being the case, protect your patient and practice data and take the necessary steps to make your password security as strong as possible. Avoid the myths about password length, complexity and change frequency, and instead use passwords that are both strong and usable. Use a password manager to keep track of and secure your passwords, rather than writing them down.

References:

1. Davis, Jessica. “UPDATE: The 10 Biggest Healthcare Data Breaches of 2020, So Far.” 8 July 2020. healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2020-so-far. Accessed 4 Nov. 2020.

2. Zlockie, Ryan. “Debunking the 3 biggest password myths.” 29 Jan. 2018. securityinfowatch.com/cybersecurity/information-security/article/12393173/debunking-the-3-biggest-password-myths. Accessed 4 Nov. 2020.

3. Tkacik, Daniel. “Finally: a usable and secure password policy backed by science.” 20 Oct. 2020. cylab.cmu.edu/news/2020/10/20-passwordpolicy.html. Accessed 4 Nov. 2020.
