World Password Day, which falls on May 2 this year, is an opportune time to revisit cybersecurity basics.
In honor of the tech holiday, Becker's caught up with Jeff Tully, MD, a pediatrician, anesthesiologist and security researcher affiliated with the University of California Davis Medical Center, to learn best practices for password authentication. Although Dr. Tully's research focuses on more advanced elements of cybersecurity, like how to make hospital technology and connected devices more digitally secure, he stressed the importance of strong passwords as foundational to any cybersecurity strategy.
Editor's note: Conversation has been lightly edited for length and style.
Question: What are some common mistakes people make with passwords in the healthcare setting?
Dr. Jeff Tully: They are largely similar to mistakes most everybody makes across the board, no matter what industry you are in, no matter what you do at home. People have a lot of work to do to ensure they don't commit the basic cardinal sins of password generation — using things that are commonly identifiable, whether it's their birthday, spouse's name or even the more horrifying "12345" type of scenarios. I don't think we in healthcare are particularly better or worse. All of us can do better.
Q: Do you have any tips for creating stronger passwords?
JT: If your friends or spouse can easily guess your password, that's probably not a great password. Doing everything that's recommended as far as complex combinations of upper and lowercase letters, special symbols, nonsensical phrases. Then you can get into some of the more advanced password generators and managers, not necessarily on a hospital network but on a personal network, and getting up into two-factor authentication framework, which you are starting to see a lot of hospitals using as well.
Q: Hackers sometimes use a technique called 'password spraying,' which involves testing a list of common passwords to breach networks. Is this a threat for hospitals?
JT: A lot of the research that myself and my colleague [Christian Dameff, MD] do is more focused on advanced elements of medical device security and hospital infrastructure network protection. That's all important, but what you're hitting on is that sometimes the most valuable path a hospital can take to shore things up right away is basic cybersecurity hygiene. That includes things like passwords, not responding to phishing emails, not picking up random USB drives and putting them into your network. These very basic cybersecurity hygiene elements are just as important, if not more so, than the advanced things.
A lot of vendors and groups are coming into the space right now and pushing AI, machine learning and mapping your network of medical devices. That's all important, but in some ways it's like trying to sell people on gene therapy when a basic stock of penicillin isn't there. These very foundational elements are increasingly important. Sometimes the highest yield investments that hospitals can make are a good cybersecurity education program and enforcement of best practices.
For more information on creating secure passwords, the U.S. Department of Commerce's National Institute of Standards and Technology regularly updates password guidelines as part of its technical requirements for federal agencies. The latest guidelines are available here.