top of page

The Ultimate Guide to Password Management: Best Practices for Stronger Security


Image courtesy of Freepik

Introduction


Introducing new technologies in the healthcare sector is leading to the adoption of innovative ways to treat patients. These innovations bring new opportunities and benefits, such as telemedicine, electronic health records (EHR), and wearables that monitor biometrics, greatly enhancing patients' health and well-being.


However, because of this, new risks are introduced, increasing the vulnerability of patient data. Health data is considered fifty times more valuable than financial information on the dark web; therefore, it is among the most targeted data.


Recently, it has been reported that at least 15 billion compromised credentials and passwords are available for purchase on the dark web.Moreover, in recent years, there have been numerous cases where poor password management has caused significant problems for organizations. For instance, there was an incident involving France's TV5 Monde, during which a password was accidentally disclosed during an interview.


This lapse exposed the company to potential unauthorized access to sensitive systems and data. Another example is the Hawaii Emergency Agency, which raised a false missile alarm after a picture showing a Post-it (Sticky note ) with a password was visible. Additionally, there is the case of RT, a US agency, where the management of nuclear arsenals was protected by an eight-zero password.


Importance of good password management


Usernames and passwords enable users to access company systems by providing a basic form of identification. When users enter their secret password to log in, the computer reasonably assumes they are who they claim to be.


Strong passwords are vital in protecting personal and organizational information from unauthorized access. In the event of security threats such as hacking attempts or data breaches, a robust and well-managed password serves as a critical defence mechanism, helping to prevent attackers from exploiting vulnerabilities.


Inadequate password management, like using a weak or repetitive password, can lead to significant security risks. Hackers often employ brute-force attacks or phishing scams to crack weak passwords, potentially exposing confidential data. Therefore, users should avoid using easily guessable information and regularly update their passwords to reduce the chances of unauthorized access.


Best Practices


As we begin this discussion, it's crucial to acknowledge that the current digital era differs from that of 5 to 10 years ago. In the past, best practices focused on fixing the user more than the machine. However, with the rise in cybercrimes and technological advancements, developers have implemented measures to help users protect and strengthen their passwords.


Employ the use of a Password Manager

Image courtesy of Freepik

In the digital era, the internet has become a crucial part of our day-to-day lives; everything occurs online, whether running our businesses or trying to get a service. Our online/digital footprint is growing as the days go by, and it is set to grow more. This growth has led to many of us having several accounts online, some of which we even forgot we have! Users face the challenge of remembering many passwords, leading them to make common mistakes that leave them vulnerable to attackers. For instance, they use the same password for all accounts or write them somewhere, such as a sticky note, to remember.


This is where password managers come in handy. Password managers are tools that can store all your passwords securely, so you don't have to worry about remembering them. They allow you to use unique, strong passwords for all your essential accounts rather than using the same password for all of them, which you should never do.


Additionally, password managers are beneficial as they help:

  1. Synchronize your passwords across your different devices, making it easier to log on from wherever you are and whatever device you're using.

  2. Spot fake websites, which will protect you from phishing attacks.

  3. Let you know if you're re-using the same password across different accounts.

  4. We will notify you if your password appears in a known data breach so you know if you need to change it.

  5. Work across platforms, so you could, for example, use a single password manager that works for your iPhone and your Windows desktop.


You must also remember the main 'master' password to access the password manager. If you are using a computer that is not yours, do not save your passwords on that device; rather, use your account and make sure you log out. This is particularly true for web browser password managers such as Gmail (Google) and iCloud Keychain for Safari browsers.


Examples of password managers for both individuals and organizations include:


  1. Bitwarden - A highly reliable password management that is user-friendly and offers a variety of packages for everyone. For example, for individuals, it is free. Best Password Manager for Business, Enterprise & Personal | Bitwarden | Bitwarden 

  2. NordPass— A good tool, especially for organizations, as it has additional features and is cost-efficient. It allows users to pay for two years at a one-off start cost.Securely Store, Manage & Autofill Passwords 

  3. RoboForm - Offers basic password management capabilities at a cost-effective price of as low as $0.99/Month .RoboForm Password Manager | Best Password Manager for 2024 

Using a password manager is the ultimate password best practice as it enforces all the necessary measures to secure your passwords.


Avoid Sharing Passwords


In the healthcare sector, the importance of not sharing passwords cannot be over-emphasized due to the sensitivity and confidentiality of patient data. Healthcare professionals handle private health information, categorized as sensitive data, and should be guarded to maintain its privacy and integrity. Additionally, it goes against regulatory requirements such as the Data Protection Act of Kenya, HIPAA and GDPR. Breaches lead to heavy penalties for the organization and a bad reputation for the company. Moreover, sharing passwords makes it challenging to investigate logs to find out who accessed and did what. To be noted is that the healthcare sector is a hot-cake target for ransomware attacks; sharing passwords makes it easy for attackers to gain access to the systems.


In conclusion, NEVER share your password with anyone, even fellow employees or external vendors. If someone needs access to a system, provide them with their credentials rather than sharing yours. For third-party vendors or IT support, use secure, temporary access methods instead of sharing permanent credentials. This can be achieved by setting up a temporary user with limited permissions for IT staff to troubleshoot a healthcare management system.


Use secure Passphrase's instead of normal passwords


As mentioned earlier, our practices aim to secure the user more conveniently.  A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password but is generally longer for added security. Passphrases are easy to develop and offer an extra layer of protection from hash decrypting tools due to their randomness and complexity. Additionally, when you use a passphrase, ensure that you change some of the letters to symbols. E.g. instead of using "IloveChapati", use "1Love$apat!"


Users can employ the help of password manager tools and open-source software that assist in generating pass phrases such as using a passphrase. Use a Passphrase 

  

Avoid using the same password


Use a different password for every system or application you use, whether at work or at home. For instance, if the password for your patient management system is "Admin1234!" at work, make sure that the password for your cloud storage account is something entirely different, such as "Cloud@Storage%45!" Furthermore, avoid using the same password for personal accounts such as emails and social media.


Employ the use of Multi-Factor Authentication (MFA)


Image courtesy of freepik


MFA adds another layer of security, ensuring that even if your password is compromised, unauthorized access is still blocked. Ensure MFA is enabled in your organization's systems that handle personally identifiable information (PII) and billing systems. After entering your password into a healthcare management portal, you receive a one-time passcode via a mobile app like Google Authenticator or SMS. Additionally, Passkeys, i.e. biometrics, can be used to enforce MFA.


Beware of Phishing Attacks


Phishing attempts may appear as legitimate emails or messages requesting sensitive information, including login credentials. For instance, a fraudulent email pretending to be from a healthcare client or internal IT support asking you to "update your password" on a fake site with haste.


You can always verify any email requests for sensitive information by checking with the sender directly or using internal company channels. Always inspect the URL for authenticity; it should use https, not http. Additionally, you can employ the use of URLVoid, which helps you scan website URLs to check legitimacy - Check if a Website is Malicious/Scam or Safe/Legit | URLVoid  

 

Log Out of Devices When Not in Use


Always log out of systems, especially healthcare systems or medical billing platforms, after use, mainly when working remotely or on shared computers. After finishing a session on any system, log out instead of just closing the browser or tab. Additionally, one should use screen locks on all devices to enforce the clean desk policy and prevent unauthorized access. For example, tablets can automatically lock screens after 5 minutes of inactivity in hospitals or clinics.


Adhere to IT policies


Always follow the organization's password policies and procedures, especially those related to data security and compliance with regulations such as the Data Protection Act of Kenya 2019. Additionally, participate in regular security awareness training sessions to stay up-to-date on emerging password threats and data protection techniques.

Passwords are considered the keys to the kingdom, so the strength of your passwords plays a vital role in maintaining your online security. By following these best practices, we can effectively protect ourselves and our organizations from the mayhem that potential cyber-attacks can cause.


Comments


bottom of page