Sometimes the small things, like passwords, are what bring down the operation.
Pebbles are more likely to trip us up than boulders. Passwords are THE pebbles that have tripped up many a medical practice. If loose lips sink ships, loose password policies sink medical practices.
Here’s where we’ll start: count the characters in the password you used most recently. Feel safe? Write down the number of characters for an exercise later in this article.
In the movies, the bad guys always guess the good guy’s password within three tries and save the world. But this is the real world; the bad guys don’t need to guess a password to exploit your systems and turn your world into a public relations nightmare. Why use the back door when the front door is wide open? This is the real world, and your practice is more vulnerable than you realize.
Bad Guy Hack #1, the post-it note: If you gave me a half-hour, I could walk around most practices like I belonged and find at least ten passwords on post-it notes. All I need, though, is one. I would find them at nursing stations, under desk blotters, and my favorite, taped to a computer monitor.
Bad Guy Hack #2, the disgruntled former employee: If you think it’s a time-consuming pain to disable a former employee’s access to all systems, think about how much one of those employees might like to get even. If you didn’t take away their keys to the car, there is no telling what havoc they might cause. They could even sell their access for big bucks to one of the bad guys.
Bad Guy Hack #3, the shared password: During my career, I have never worked at a place where passwords were not shared. Convenience trumps security every time. That is not a good thing. Combine a disgruntled former employee and a shared password, and you have the recipe for disaster.
Bad Guy Hack #4, the one password for everything: Some people use the same password in all facets of their lives. If you are one of those folks, and I get your EHR password, I also have access to your bank, your credit cards, your utilities… your life. Enough said…
Bad Guy Hack #5, the brute force attack: Most systems are set up to lock up after three incorrect password attempts. Some are not; none of your Word or Excel documents are.
Now is the time to recall how many characters are in your password. I am going to ask my bad guy friend to use a ‘brute force’ attack in which his powerful computers go through every possible combination to crack your password. How long will it take? It all depends upon the size of your password and whether you use numbers and special characters (aka symbols like ‘+’ and ‘^’) in addition to letters.
Here's how long it will take him if you use just upper and lower case letters:
Requiring at least one number and one symbol makes my bad guy work much harder. Here’s how long it takes him if you add numbers and symbols into the equation:
Brute force attacks don’t require as much hardware power as you might think. The computer you are using right now can make at least 100,000 guesses per second. And my friend the bad guy has several computers either working together to crack a single password or working separately to hack multiple passwords. With computer processing speed increasing every year, it is possible your next computer could make 200,000 guesses per second.
The older I get, the longer my passwords have become. What works for me is a combination of a singer, a special character, a song by another singer, and two or three numbers followed by a symbol. For example, I might use PeterFrampton#TracksOfMyTears1965> as a password. It is long but easy to remember once I have typed it a time or two. And I might use some permutation of a Frampton-based password with a Smokey Robinson song for my EHR log-in, some permutation of The Cure and a Neil Young song for my bank log-in, and something entirely different for my Excel files. I keep track of my passwords in an Excel spreadsheet with an obscenely long password.
Passwords are the pebbles that fell the mighty. Don’t let it happen to your practice.
I know you have a lot of passwords. Most of your employees do. That’s the nature of a medical practice. Don’t let it be an excuse.
Password protection is one of the most critical elements of protecting both your patients’ privacy and your practice’s well-being. Make it important. Be strict. You owe it to your patients and to the future of your organization.