By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup
October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month.
The 2020 HIMSS Cybersecurity Survey provides a look into cybersecurity issues facing US healthcare organizations. According to feedback from 168 US-based healthcare cybersecurity professionals, healthcare organizations must deal with a growing array of significant security incidents. These issues not only compromise the integrity of your technology and the privacy of patients, but can also disrupt an organization’s ability to provide patient care.
Being prepared for cyberattacks requires doing all you can to reduce cybersecurity risks. One of the most significant risks identified by security professionals is password management. Many people are still using simple passwords such as a series of numbers (123456) or easily guessed words (password). However, the easier it is to guess a password, the higher the risk of being compromised by a cyberattack.
While some suggest passwords using a complex combination of letters, numbers, and symbols, NIST and the FBI recommend creating passphrases instead. According to the FBI’s Tech Tuesday, “This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.” With easier-to-remember phrases, users are less likely to store passwords on a sticky note under the keyboard.
Passwords and phrases are a good first line of defense, particularly given Verizon’s Data Breach Investigations Report, which found that 81% of hacking-related breaches were due to compromised passwords. But hackers have many other ways to obtain passwords or phrases, including phishing and keylogging. This is where multi-factor authentication (MFA) comes into play. MFA offers additional protection against cybersecurity risks by requiring users to present two sets of credentials to access an account. Your credentials may include something you know (a password or PIN), something you have (a smartphone), or something you are (your fingerprint).
What can you do?
- Change your passwords to passphrases
- Use a different passphrase for each account
- If available, use MFA for added security
- Read more about passphrases and MFA:
Muhammad Bin Shahzad / November 6, 2022
Such a great resource, keep up the good work!
mbinshahz / November 6, 2022
Such a great resource, keep up the awesome work!