Hospital Managers: Are These Password Mistakes Happening On Your Watch?

Hospital Managers: Are These Password Mistakes Happening On Your Watch?

Hospital administrators have more responsibilities added to their plate every month. You have meetings about managing insurance requirements. Then, you get a phone call from a regulator demanding information. Later, doctors ask you to provide better equipment. It just feels like a constant whirl of action without much in the way of progress.

Now, you also have to worry about cybersecurity issues. Will your patients be safe? Are you taking enough efforts to protect their data? Health data is a special category, so taking an average approach isn’t enough. HIPAA fines for data breaches range from $100,000 to millions of dollars. You owe it to yourself to proactively avoid those problems.

One of the easiest ways to improve your cybersecurity is to learn from the mistakes of others. Review these mistakes and see which ones your hospital is making.

  1. Failure to Govern Passwords with Policy and Procedures

Picture this: a new hire joins your hospital tomorrow. He or she sets a password, reusing the same password used at home or from a previous employer, and then gets down to work. If you have no password policy or supporting procedures, there’s no consistent guidance on what’s expected in passwords.

Fortunately, hospital management doesn’t have to start from scratch. You can leverage the password policies of other institutions. For example, the University of Florida has a Password Complexity Standard that lays out a variety of requirements. For example, the University locks an account for 30 minutes if there are multiple unsuccessful attempts. For a hospital environment, you may want to adjust that policy to five minutes or provide a fast access reset.

Merely publishing a standard policy or procedure isn’t enough for employees.

  1. Not Providing Password Guidance to Hospital Employees

Put yourself in the shoes of your hospital’s employees for a moment. Nurses, physicians, nutritionists, therapists, and others are preoccupied with serving patients. Some are interested in finding ways to provide the latest and most significant innovations. In every case, nobody is going to be preoccupied with password security issues.

It’s up to you to think through these issues as a hospital administrator. Specifically, how can you make password rules simple and easy to understand? Start by recognizing that you have to sell your staff on password responsibility. Every person in the hospital – including contractors and vendors – contributes to the hospital’s password security. Once you’ve earned their interest in security, you need to design and deliver employee password security training.

Tip: How do you know if your employee password security training is effective? There are a few ways to test it. You can include a test at the end of the training session. Alternatively, you can use an indirect method. Ask your IT department about the number of password help inquiries it receives. If the help desk continues to receive basic questions, your password training is probably ineffective.

  1. Not Looking for Password Governance Gaps in Your Systems

If you’ve solved the first two mistakes, your hospital’s cybersecurity will rapidly start to improve. Your employees, faculty, and other stakeholders will understand their password responsibilities. That’s the good news! Of course, that’s not the entire solution; you also need to look for gaps in your systems.

Here’s what that looks like in practice. Every month or quarter, your IT department may bring in new applications or upgrades to your current systems. For example, you might introduce Salesforce Health Cloud or another CRM to better organize patient care. That’s an excellent innovation! However, is that service covered by your password management policy? If staff is unclear, you’re going to have a gap.

Periodically meeting with the head of the IT department and other units bringing in new software is one way to manage this gap. Of course, nobody expects a hospital administration to become a technology expert. Instead, you simply need to know enough to ask good governance questions.

Resource: For large-scale hospitals with thousands of employees, we recommend investing in ISACA certifications to reinforce your security management. At a management level, the CGEIT certification (Certified in the Governance of Enterprise IT) is a good option to equip your IT managers with a risk-based view of technology.

  1. Relying on Manual Methods to Enforce Password Requirements

Remember how little most people at your hospital think about their passwords? That’s a problem for training when you introduce or update your password policies. However, that’s not the only impact of the minimal attention people pay to passwords. When passwords are an afterthought, your organization is more likely to rely upon manual methods for password administration.

What does this mean on the ground level? You’re going to have some supervisors who take password issues seriously (probably those who’ve suffered a hacking incident themselves). Others will view password oversight as another administrative burden unrelated to patient care. That inconsistency between different units will cause problems.

In cybersecurity, you have to worry about the weakest link. A determined hacker just needs one weakness in your defenses to break in and cause trouble. The solution to this mistake is simple: implement Password Management. It’ll help you to systematically enforce password rules and controls throughout the organization.

  1. Treating Password Failures as Isolated Incidents

When you suffer a cybersecurity failure for the first time, it’s a stressful event. You’re getting calls from the Board. You have to issue a letter to patients. The government might even demand answers. With patience and hard work, you’ll eventually find a way to recover from the problem. Then, you can get back to “business as usual” at your hospital, right?

Alas, that’s a mistake. When you treat cybersecurity problems in this kind of ad-hoc fashion, you’re exposing yourself to increased security risk. With a reactive mindset, you’re unlikely to learn from mistakes or keep up with new threats.

To avoid this mistake, you need to encourage a few best practices. Start by appointing one IT manager to be responsible for day-to-day security issues. Next, reduce the number of privileged users. Finally, adopt a continuous improvement mindset; there are always new security threats to manage.

Written by Nelson Cicchitto