By Ryan Ward, CISO, Avatier
Every year the Verizon Data Breach Investigations Report analyses the data breaches that occurred during the year, along with the trends and reasons behind them. We all know that breaches are on the rise, and the press now reports them and comprehends their impact far better than in the past. The report cites nine incident classification patterns, and just three of those nine cover over 73% of all security incidents experienced by health care organizations. Data on health care is perhaps more reliable than for other industries because breach reporting is mandatory. The three patterns are theft/loss; insider and privilege misuse; and miscellaneous errors (posting private data to public sites, sending information to the wrong recipient whether by post or by email, and failing to dispose of assets securely by shredding paper or wiping hard drives). Nearly half of all the security incidents targeting health care were thefts or losses of unprotected “information assets”.
What was particularly interesting to me was that, despite all the money being spent on health care security measures, from encryption, backup, physical lockdown and network endpoints to data leak prevention and database security, the single largest vulnerability continues to be passwords. To be specific, 76% of all industry breaches over the past few years were based on weak or stolen password credentials. In health care, the large number of legacy (often proprietary) systems exacerbates the problem. In addition, with so much turnover among physician, nurse, clerical and vendor personnel, keeping up with adequate password provisioning and deprovisioning can be a nightmare.
An organizational password management implementation involves a number of key elements consisting of a blend of technology and internal business processes including:
- the use and misuse of multiple passwords
- composing hard-to-guess passwords
- changing and reusing passwords
- the art and science of keeping passwords secret
- intruder detection and lockout
- synchronizing passwords and the latest in single sign-on
- user authentication for self-service capabilities
- two-factor and multi-factor authentication for privileged users
- IT support for forgotten and locked-out passwords
Introducing password management best practices is not a daunting task, and I am certain almost every health care IT organization has the main concepts already defined (although possibly not matured). Nevertheless, given the current breach statistics, I highly recommend you evaluate your maturity against the practices defined below; they improve security while lowering operational cost.
Tip #1: Multiple Passwords Can Be Inhumane
The problem with passwords in a large enterprise is that people require so many different accounts, and corresponding passwords, to access the expansive list of cloud and on-premises systems and applications that it sometimes feels humanly impossible to remember them all. And just about the time you feel you have them all memorized, they need to be changed. So what is the natural reaction of a doctor or staff member who needs to accomplish all their tasks efficiently across a number of different systems? They develop a host of insecure behaviors around password management, including:
- writing passwords down and supporting 3M Post-it Note sales
- using passwords that are simple and easily compromised
- contacting the Help Desk constantly when they forget their password (contributing to 30 percent of all Help Desk calls)
- reusing old passwords as often as possible
These behaviors creep into the workplace because staff wants to avoid downtime and the hassles that go along with it. The solution to the entire password management problem incorporates three critical components: an easy self-service password reset capability to ensure people can reset their own passwords, a synchronization solution that changes passwords across all of a user's systems, and a single sign-on solution to limit the number of sign-ons required.
Tip #2: Compose Passwords That Are Difficult To Crack
All it takes to understand the glaring issue of password strength is to see the 10 worst passwords and their current ranking based on use (thanks to SplashData, who measures them):
- 123456 (up 1 and taking the top spot from “password” for the first time)
- password (down 1)
- 12345678 (unchanged)
- qwerty (up 1)
- abc123 (down 1)
- 123456789 (new)
- 111111 (up 2)
- 1234567 (up 5)
- iloveyou (up 2)
- adobe123 (new)
But hey, at least "password" is no longer #1! The solution to this overly simple problem: prevent your users from being able to use simple, easy-to-guess passwords! Controls around password strength have been around for a long time, and most software and operating systems provide a way to prevent weak passwords from being used if configured correctly. Unfortunately, legacy system baggage in some organizations prevents setting stringent controls at every target system, so software solutions have been created to enforce password policies and block poor choices at the moment the password is set, before it is synchronized across systems.
Tip #3: One-to-Many institution password policy
There is no reason to have numerous password policies across your healthcare IT systems. Therefore, identify the strength, expiration and aging requirements of your organization and implement that same policy on all your systems. This does not take a massive amount of effort to accomplish, and it ultimately improves security while reducing support hassles. If your users know that they ALWAYS need to choose a password that has at least one upper case character, one lower case character and a number, that they cannot reuse that password for 5 password changes and that they need to change the password every 60 days on every system within the company, they will not need to remember so many different password types or go through the hassle of being rejected when entering a weak password on a strong policy system.
Once again, software can help. A solid password management solution can unify your password policies by ensuring users select a password that meets the strength requirements of every system policy at once. While your Active Directory domain may require 3 of 4 character types (upper/lower/numeric/special character), your SAP system may only be set to require upper, lower and numeric values. In my experience it is best to identify a single corporate password policy, the strictest combination of your systems' rules, and implement that same policy across all of your systems while using a password management tool to block easily-guessable passwords regardless of the strength requirement. One check before you commit: confirm that every target actually accepts what the unified policy produces (legacy systems with short maximum lengths or restricted character sets are the usual offenders), or synchronization will fail on exactly those systems.
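Tips #2 and #3 together describe one control: a single policy, derived from the strictest of the per-system rules, enforced with a common-password blocklist before the password is synchronized. The following is an added example written for this page, not code from the original post or from any product. The three system policies, the blocklist contents and the salt handling are constructed assumptions; the blocklist is seeded from the SplashData ranking quoted above.

```python
"""Unified password policy: the strictest combination of per-system rules, plus a
common-password blocklist, a username check and a reuse-history check.
Example code written for this page, not any product's engine; the three system
policies and the salt handling are constructed assumptions."""
import hashlib
import re

# Constructed blocklist seeded from the ranking quoted above; a real deployment
# would load a much larger list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Assumed per-system settings: what each target enforces on its own today.
SYSTEM_POLICIES = {
    "AD":  {"min_length": 8, "required_classes": {"upper", "lower", "digit"}, "history": 5},
    "SAP": {"min_length": 6, "required_classes": {"upper", "lower", "digit"}, "history": 0},
    "AIX": {"min_length": 8, "required_classes": {"lower", "digit"}, "history": 3},
}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def unified_policy(policies):
    """Take the strictest value of every rule, so a password that passes the
    unified policy is accepted by each member system as well."""
    return {
        "min_length": max(p["min_length"] for p in policies.values()),
        "required_classes": set().union(*(p["required_classes"] for p in policies.values())),
        "history": max(p["history"] for p in policies.values()),
    }


def history_hash(password, salt):
    """Slow salted hash for the reuse history (never store old passwords in clear)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(candidate, username, history, policy):
    """Return the list of violations; an empty list means the password is accepted.
    history is a list of (salt, digest) pairs, oldest first."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    missing = [c for c in sorted(policy["required_classes"])
               if not CLASS_PATTERNS[c].search(candidate)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    lowered = candidate.lower()
    # Catch the "Password1!" family: strip trailing digits/punctuation before lookup,
    # otherwise a blocklisted word with a suffix sails through the class checks.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!@#$") in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username.lower() in lowered:
        problems.append("contains the username")
    recent = history[-policy["history"]:] if policy["history"] else []
    if any(history_hash(candidate, salt) == digest for salt, digest in recent):
        problems.append(f"reused within the last {policy['history']} passwords")
    return problems


POLICY = unified_policy(SYSTEM_POLICIES)   # min 8 chars, upper+lower+digit, 5-deep history
```

Note what the blocklist adds over plain complexity rules: "Password1!" satisfies three of four character classes and the length rule on every system above, and is still rejected. The history check compares against stored salted PBKDF2 digests of earlier passwords rather than the passwords themselves, which is the only acceptable way to keep a reuse history.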
Tip #4: Change every password but the kitchen sync.
Password synchronization can solve so many issues around password management that I am amazed when organizations choose a password management solution that only changes the core Active Directory or LDAP password without being able to sync to all the other systems a staffer uses on a regular basis. Syncing passwords ensures users only need to remember one core password when logging into corporate systems, and this ultimately helps prevent staff from writing down their passwords. It also helps solve the password expiration problem, since all passwords are changed at the same time. The trade-off is that one password now unlocks everything it is synced to, so the weakest system in the set (one that stores passwords poorly or sends them over the network in the clear) becomes the exposure for all of them; keep such systems out of the sync set, or front them with SSO instead.
The latest solutions can map usernames across systems and still sync passwords successfully. For instance, my AD account may be RYANW, but my AIX Unix account is WARDR. The password management solution keeps track of those mappings and automatically knows to change my password for both AD\RYANW and AIX\WARDR. Synchronization can now also work with cloud-based applications such as Google or Office 365, so security is strengthened by regularly changing passwords on cloud-based applications that in the past were typically left unchanged or had longer expiration windows.
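The mapping described above (AD\RYANW and AIX\WARDR belonging to one person) and the question the paragraph leaves open, what happens when one target is unreachable mid-sync, are shown in this added example. It is written for this page and is not a product's connector code: the backends are in-memory stand-ins (an assumption) that store a salted PBKDF2 hash and can be taken offline, and the account names are the page's own plus a constructed Office 365 address.

```python
"""Password synchronization through per-system username mappings, with the
partial-failure path handled explicitly. Example code written for this page,
not a product's connector code; the backends are in-memory stand-ins (an
assumption) that store a salted PBKDF2 hash and can be taken offline."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Backend:
    name: str
    online: bool = True
    accounts: dict = field(default_factory=dict)   # username -> (salt, digest)

    def add_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = (salt, _hash(password, salt))

    def set_password(self, username, password):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        if username not in self.accounts:
            raise KeyError(f"{self.name}: no account {username}")
        self.add_account(username, password)   # fresh salt on every change

    def verify(self, username, password):
        salt, digest = self.accounts[username]
        return hmac.compare_digest(_hash(password, salt), digest)


# Constructed identity -> per-system account mapping, using the page's example names.
ACCOUNT_MAP = {
    "ryan.ward": {"AD": "RYANW", "AIX": "WARDR", "Office365": "ryan.ward@example.com"},
}


def sync_password(identity, new_password, backends, account_map):
    """Change the password on every mapped account and return (succeeded, failed).
    backends[0] is the authoritative directory: if that change fails nothing else
    is touched, so the user is never left unsure which password the core login takes.
    Systems listed in `failed` still hold the old password and need a retry."""
    mapping = account_map[identity]
    succeeded, failed = [], {}
    for backend in backends:
        if backend.name not in mapping:
            continue
        try:
            backend.set_password(mapping[backend.name], new_password)
            succeeded.append(backend.name)
        except (ConnectionError, KeyError) as exc:
            failed[backend.name] = str(exc)
            if not succeeded:
                break
    return succeeded, failed


def demo():
    """Build three backends, sync once cleanly, then once with AIX offline."""
    ad, aix, o365 = Backend("AD"), Backend("AIX"), Backend("Office365")
    ad.add_account("RYANW", "Old-Pass-1")
    aix.add_account("WARDR", "Old-Pass-1")
    o365.add_account("ryan.ward@example.com", "Old-Pass-1")
    first = sync_password("ryan.ward", "Brew3ry-Ledger-42", [ad, aix, o365], ACCOUNT_MAP)
    aix.online = False
    second = sync_password("ryan.ward", "Ledger-Brew3ry-43", [ad, aix, o365], ACCOUNT_MAP)
    return first, second, (ad, aix, o365)
```

The point of returning the `failed` dictionary is that a sync tool must tell the user, and the help desk, which systems still take the old password; silently reporting success after a partial sync recreates exactly the confusion synchronization was meant to remove.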
Tip #5: Embrace Self-Service
As stated earlier, the volume of Service Desk calls relating to password issues is massive, and Service Desks obviously have better things to do than handle these types of calls. The Return on Investment (ROI) of self-service password management solutions is lightning fast and easy to calculate. If you know the cost per-ticket of a password call, simply multiply that by the number of calls and the percentage that would be automated via self-service (such as 90%).
$10 per ticket X 10,000 tickets X 90% self-service = $90,000 saved through self service
When you steer your end-users to handle their own password issues, you have a clear justification to purchase a solution, and the ROI typically occurs within 6 months. Add more systems to the solution, and your ROI can occur even sooner. Just as important is the fact that your security improves and you can start changing the culture of your organization to be more focused on self-service. This allows new self-service capabilities to be rolled out with less effort.
Tip #6: Single Sign-On (SSO) should be part of your password management solution.
I like to think of SSO as a form of password management simply because it eliminates the number of times a user needs to use a password, which is a good thing. After logging in with a core directory username and password, a worker leveraging single sign-on in the organization is then trusted to access a variety of other applications they use since they have already been successfully authenticated. The concept here is that SSO uses one successful authentication to an authoritative source in order to automatically pass that user into other applications without the need for a second authentication.
The beauty of a really robust SSO solution is that you can combine it with password management and identity management capabilities to create a unified security approach for authentication across critical applications. The password management solution should be able to sync passwords to the cloud apps transparently, thus improving security. Your identity management solution could automatically provision and deprovision access to SSO apps, which also improves security. Finally, having visibility into SSO application usage provides a great way to monitor license usage and costs.
Tip #7: Auditing, Intrusion detection and security features
Once a single enterprise password management solution is implemented, it is possible to have a holistic view of all password management activities. This includes all user activities as well as administrative actions against the system. Intrusion detection also improves with this type of solution: your end users and administrators can be notified when someone is repeatedly failing to authenticate against an account. Notifying the affected user when password-related changes occur is one of the most effective security mechanisms available, because users themselves are best placed to tell whether they caused a password-related event or not. Accompany this type of rollout with a security awareness campaign to promote good password practices and explain the security notifications.
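The detection and notification described above, run over a constructed audit log, as an added example that is not part of the original post or of any product. The log format, the thresholds and every event in the sample are assumptions made for the example; it flags a burst of failures against one account (lockout), one source trying many accounts once each (password spraying, which a per-account threshold alone never sees), and a password change that the account owner should be told about.

```python
"""Failed-authentication detection over a constructed audit log: per-account
brute force (lockout), single-source password spraying, and user notification
on password changes. Example code for this page; the log format and thresholds
are assumptions, not any product's schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "ts system user=... src=... event=..." format.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z AD user=RYANW src=10.1.2.3 event=LOGIN_OK
2024-03-01T08:05:00Z AD user=RYANW src=203.0.113.7 event=LOGIN_FAIL
2024-03-01T08:05:20Z AD user=RYANW src=203.0.113.7 event=LOGIN_FAIL
2024-03-01T08:05:40Z AD user=RYANW src=203.0.113.7 event=LOGIN_FAIL
2024-03-01T08:06:00Z AD user=RYANW src=203.0.113.7 event=LOGIN_FAIL
2024-03-01T08:06:20Z AD user=RYANW src=203.0.113.7 event=LOGIN_FAIL
2024-03-01T09:00:00Z AD user=NURSE01 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:05Z AD user=NURSE02 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:10Z AD user=NURSE03 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:15Z AD user=NURSE04 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:20Z AD user=NURSE05 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:25Z AD user=NURSE06 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:30Z AD user=NURSE07 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:00:35Z AD user=NURSE08 src=198.51.100.9 event=LOGIN_FAIL
2024-03-01T09:30:00Z AD user=WARDR src=10.1.2.3 event=PASSWORD_CHANGE
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) event=(\S+)$")


def parse_log(text):
    """Yield (timestamp, system, user, src, event); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def _prune(dq, now, window):
    """Drop entries older than the sliding window (entries are (ts, ...) tuples)."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def detect(events, fail_threshold=5, spray_threshold=8, window=timedelta(minutes=10)):
    """Return a list of (kind, subject, detail) alerts in log order."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> deque of (ts, src)
    fails_by_src = defaultdict(deque)    # src  -> deque of (ts, user)
    for ts, system, user, src, event in events:
        if event == "LOGIN_FAIL":
            fails_by_user[user].append((ts, src))
            _prune(fails_by_user[user], ts, window)
            if len(fails_by_user[user]) >= fail_threshold:
                alerts.append(("lockout", user,
                               f"{len(fails_by_user[user])} failures from {src} on {system}"))
                fails_by_user[user].clear()
            fails_by_src[src].append((ts, user))
            _prune(fails_by_src[src], ts, window)
            targeted = {u for _, u in fails_by_src[src]}
            if len(targeted) >= spray_threshold:
                alerts.append(("spray", src, f"{len(targeted)} accounts tried on {system}"))
                fails_by_src[src].clear()
        elif event == "PASSWORD_CHANGE":
            # The owner, not just the admin, is told: they know whether it was them.
            alerts.append(("notify_user", user, f"password changed on {system} from {src}"))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))
```

Two practical notes. Lockout is itself an attack surface in a hospital: an attacker who can trigger five failures can lock a clinician out of the EHR, so pair a lockout with a self-service unlock path and consider throttling before outright lockout. And the spray rule only works if the source address is real; behind a NAT or a VPN concentrator every user shares one source, so tune `spray_threshold` per network, or key on the client certificate or device identity instead.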
Hopefully, you will find these tips easy to implement. In my experience, both in-house and as a member of an IT Consulting firm, these simple additions will go a long way in securing your organization. By keeping your passwords secure and your users engaged, the chance of a security breach is significantly reduced.
About The Author
Ryan Ward is CIO at Avatier Corp., a world leader in risk-driven identity management software. He is responsible for security initiatives as well as strategic direction of identity and access management (IAM) and security products. A sixteen-year veteran of the security industry, Ward spent five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).