Passphrases are good, multi-factor authentication is better

By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup

October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month. 

The 2020 HIMSS Cybersecurity Survey provides a look into the cybersecurity issues facing US healthcare organizations. Based on feedback from 168 US-based healthcare cybersecurity professionals, the survey found that healthcare organizations must deal with a growing array of significant security incidents. These incidents not only compromise the integrity of your technology and the privacy of patients, but can also disrupt an organization’s ability to provide patient care.

Being prepared for cyberattacks requires doing all you can to reduce cybersecurity risks. One of the most significant risks identified by security professionals is password management. Many people are still using simple passwords such as a series of numbers (123456) or easily guessed words (password). However, the easier it is to guess a password, the higher the risk of being compromised by a cyberattack. 

While some suggest passwords using a complex combination of letters, numbers, and symbols, NIST and the FBI recommend creating passphrases instead. According to the FBI’s Tech Tuesday, “This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.” With easier-to-remember phrases, users are less likely to store passwords on a sticky note under the keyboard.
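As an added illustration (not from the EHRA post or the FBI guidance it quotes), the following Python snippet applies the two rules the post describes: it rejects the common weak passwords named above and enforces the 15-character minimum, generates a random multi-word passphrase, and estimates how much harder each choice is to guess. The word list, the denylist, and the guessing rate of ten billion attempts per second are constructed assumptions for the example; a real deployment would use a large published word list and a breached-password denylist.

```python
import math
import secrets

# Constructed sample word list; a production generator would use a large
# published list (several thousand words) so each word adds more entropy.
SAMPLE_WORDLIST = [
    "anchor", "blanket", "cactus", "dolphin", "engine", "falcon", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pillow", "quartz", "ribbon", "saddle", "tunnel", "umbrella",
    "velvet", "walnut", "yogurt", "zephyr",
]

# Constructed denylist of the kinds of passwords the post warns about.
DENYLIST = {"123456", "password", "qwerty", "letmein"}

MIN_PASSPHRASE_LENGTH = 15          # the minimum quoted from the FBI guidance
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption for the time-to-guess estimate


def generate_passphrase(words, count=4, separator="-"):
    """Join `count` words chosen with a cryptographic RNG (never random.choice)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def check_password(candidate, minimum=MIN_PASSPHRASE_LENGTH, denylist=DENYLIST):
    """Return a list of policy failures; an empty list means the candidate passes."""
    failures = []
    if candidate.lower() in denylist:
        failures.append("on denylist of commonly used passwords")
    if len(candidate) < minimum:
        failures.append(f"shorter than {minimum} characters")
    return failures


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a randomly generated passphrase: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(length, charset_size):
    """Entropy of a random password of `length` symbols from a `charset_size` alphabet."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate at the assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("generated:", generate_passphrase(SAMPLE_WORDLIST))
    for sample in ("123456", "password", "correct-horse-battery-staple"):
        print(f"{sample!r}: {check_password(sample) or 'passes'}")
    # 8 random printable-ASCII characters vs. 6 words from a 7776-word list
    for label, bits in (("8 random chars (95-symbol alphabet)", charset_entropy_bits(8, 95)),
                        ("4 random words (7776-word list)", passphrase_entropy_bits(4, 7776)),
                        ("6 random words (7776-word list)", passphrase_entropy_bits(6, 7776))):
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits):.0f} years to exhaust")
```

The entropy figures make the post's point precise: four random words from a 7776-word list are roughly equivalent to eight fully random printable characters, but the passphrase is the one a person can actually remember, and adding a fifth or sixth word raises the cost of guessing far more than adding symbols to a short password does.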

Passwords and passphrases are a good first line of defense, particularly given that Verizon’s Data Breach Investigations Report found that 81% of hacking-related breaches were due to compromised passwords. But there are many other ways for attackers to obtain passwords or passphrases, including phishing or keylogging. This is where multi-factor authentication (MFA) comes into play. MFA offers additional protection against cybersecurity risks by requiring users to present two sets of credentials to access an account. Your credentials may include something you know (a password or PIN), something you have (a smartphone), or something you are (your fingerprint).

What can you do?
