Stealing and exposing patient data is, unfortunately, a lucrative activity. Hackers are relentlessly looking for vulnerabilities in institutions that amass personal health data. In 2018 there were 365 data breaches involving patient data, that is one per day! In addition to the personal costs to the individuals who are compromised, data breaches are expensive to the institutions. In 2018, healthcare systems paid out over 28 million in HIPPA fines and penalties.
Although hospital IT departments do a great job of thwarting attacks, having a secure, single-user login is the last line of defense before a breach happens. Hospital systems are increasingly interconnected, and one piece of software treated with lax security could jeopardize the whole organization.
It might not seem like a big deal to share a password among colleagues, especially if there is a rotating staff. It can seem like an administrative efficiency; instead of having to add and remove user accounts periodically, just give the login to new staff. In a trusting environment of medical professionals, it may seem highly unlikely that this practice would lead to a problem, but it does increase exposure to hackers in several ways.
First of all, the distribution of a shared login creates opportunities for hackers. If a password is emailed or sent as part of onboarding materials to temporary team members, it can be more easily stolen. Lack of accountability gives a user less incentive to keep the shared login as secure as possible. Use of a login that has been passed around may cause users to save the password insecurely on their computer desktop or a similarly convenient location for easy access. If the password storage device does not have a secure password itself, it can be an easy win for a hacker.
Another problem is the lack of changing the password periodically. Those who use shared logins typically hand out the same password over a long period of time. The more logins that are handed out to team members, the more important it is to change the password from time to time in case the password is mishandled or ends up in a compromised situation. However, changing a password and notifying all users is inefficient and could cause a lapse in access if they don’t receive the notification.
Shared logins also prevent an IT team from tracing the source of a security breach quickly. In the event that a breach occurs, time plays a role in the effectiveness of containment. Single user logins give an easier path to find the attack and shut it down to limit the damage. Many IT departments have policies against shared logins for this reason.
Passwords are highly prized targets for hackers. Not exercising the highest level of security practices in healthcare can lead to compromising patient data. How can we encourage or make it easier for users to never share a login and to change their password regularly?