Easing password pains: How CISOs can implement real, complex passwords and keep clinicians happy

In a previous post, I talked about complex passwords and how to strike the right balance between security and clinical workflow efficiency. And with breaches continuing to be on the rise – more than a 50% increase in healthcare in 2020 – that message rings true more than ever.

Data breach costs for healthcare continue to rise faster than in any other industry (to an average of $9.23 million per incident!), and a breach can also take hospital systems down for hours, days, or even weeks. That means cybersecurity is, quite literally, a patient safety issue: a breach that blocks access to systems and records can result in delayed or ineffective care, and even death.

Taking on cyberthreats – with the CISO at the helm

The security landscape continues to evolve, and the growth in virtual interactions (accelerated by COVID-19, though certainly not caused by it) creates even more high-risk endpoints that are ripe for targeting. The attack surface has never been larger, and it’s never been more difficult to secure systems and information. But establishing a culture of privacy, trust, and compliance is critical to the viability of healthcare delivery organizations (HDOs) and is at the heart of a Chief Information Security Officer’s (CISO) job.

With cyberattacks threatening to disrupt care delivery and patient safety, increased breach costs, and the potential for damaged brand reputation, the CISO role is a leadership imperative. CISOs drive information security programs and establish a culture of cyber-safety and risk awareness. Big picture: they have a big job to do, and the threat landscape isn’t making it any easier.

CISOs can no longer rely on perimeter firewalls alone to protect the four walls of their organizations. They need to control access to PHI, systems, and other information at every point of entry, meaning every device and every user, with real, long passwords of 16 or more characters that are far harder to guess or crack. Length is what matters most: a 16-character passphrase has a vastly larger search space than an 8-character password padded with a digit and a symbol, and it is easier to remember.
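What a "real, complex password" policy looks like in code, as an added example that is not part of the original post and not Imprivata's implementation: a checker that enforces the 16-character floor and screens candidates against a breached-password list and the username, in the length-plus-screening style of NIST SP 800-63B, rather than demanding one uppercase, one digit and one symbol. The breached-password set, the `jdoe` username and the sample passwords are constructed for the example; a real deployment would screen against a full corpus. The `guess_space_bits` helper is a brute-force upper bound used only to show why length beats character-class mixing.

```python
import math
import unicodedata

MIN_LENGTH = 16  # the "16+ character" bar the post argues for

# Constructed stand-in for a breached-password corpus; a real deployment would
# screen against a full list (for example a Have I Been Pwned export).
_BREACHED = {
    "password1!", "welcome123", "hospital2020", "summer2021!", "qwerty123456",
}


def _normalize(text: str) -> str:
    """Fold Unicode compatibility forms and case so trivial variants still match."""
    return unicodedata.normalize("NFKC", text).casefold()


BREACHED_PASSWORDS = {_normalize(p) for p in _BREACHED}


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return policy violations for a proposed password; an empty list means accepted.

    The rules follow the length-plus-screening approach of NIST SP 800-63B rather
    than composition rules (one uppercase, one digit, ...), which mostly produce
    predictable substitutions such as P@ssw0rd.
    """
    problems: list[str] = []
    norm = _normalize(candidate)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if len(username) >= 3 and _normalize(username) in norm:
        problems.append("contains the username")
    if len(set(norm)) < 5:
        problems.append("too few distinct characters")
    return problems


def guess_space_bits(candidate: str) -> float:
    """Upper bound on brute-force work: log2(alphabet_size ** length).

    This assumes the attacker must try every string over the character classes
    actually used, so it overstates strength for dictionary words and patterns;
    it is only useful for comparing length against character-class mixing.
    """
    alphabet = 0
    if any(c.islower() for c in candidate):
        alphabet += 26
    if any(c.isupper() for c in candidate):
        alphabet += 26
    if any(c.isdigit() for c in candidate):
        alphabet += 10
    if any(not c.isalnum() for c in candidate):
        alphabet += 33  # printable ASCII punctuation and space
    if alphabet == 0:
        return 0.0
    return len(candidate) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character "complex" one, a breached one,
    # and a 24-character lowercase passphrase.
    for pw in ("P@ssw0rd", "hospital2020", "blue kettle quiet harbor"):
        bits = guess_space_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits, problems={check_password(pw, 'jdoe')}")
```

The passphrase passes every check and sits at roughly 141 bits of brute-force search space against about 53 for `P@ssw0rd`, which is why the policy spends its complexity budget on length and screening rather than on symbol rules.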

But what’s the catch?

Real, complex passwords often prompt insecure behavior

On average, care providers log in to workstations and applications 70 times per day. That means entering a username and password 70 times. It’s tedious, interrupts clinical workflows, creates frustration, and obstructs patient care.

Unfortunately, that reality often results in password workarounds (written-down or trivially varied passwords), credential sharing, and logged-in workstations left unattended. That might ease clinicians’ frustration, but it makes the CISO’s job that much harder: a shared or written-down credential is no longer tied to one person, and an unattended session needs no password at all. Password workarounds only add to the risks that CISOs are trying to prevent.

Addressing password pains

CISOs need to protect their organizations from cyberattacks, but also need to implement security measures that don’t frustrate care providers. Real, complex passwords are certainly part of the security answer, but clinical workflow efficiency must also be considered. CISOs can look to security partners to help them:

  1. Eliminate security friction.
    With the right partner, who develops technology with and for healthcare, CISOs won’t need to choose between security and clinical workflow efficiency. With seamless integration and a balance between security and convenience, the right solution can remove the complexities that stand in the way of security and patient care.
  2. Integrate compliance and security steps into end user workflows.
    Remember that 70-logins-a-day metric? That’s a lot. But technologies like single sign-on (SSO) eliminate most of that repeated manual password entry, so the user authenticates once per session instead of 70 times. That in turn lets HDOs require longer, more complex passwords for the underlying systems and applications, because nobody has to type them all day. It also concentrates access behind one credential, which is why that credential needs more than a password protecting it.
  3. Augment complex password policies with multifactor authentication.
    HDOs need a complex password policy, but stolen, guessed, or reused passwords remain one of the most common ways attackers gain access to sensitive information, so the policy alone might not be enough. By adding multifactor authentication, HDOs gain an extra layer of security that requires end users to present two or more independent factors (something they know, something they have, or something they are) before access is granted, so a compromised password by itself no longer opens the door.
  4. Make security “invisible.”
    CISOs know that clinicians at their organization want less complexity, not more. But CISOs also want to make sure that their organizations don’t become another headline about a security breach, so balancing security and convenience is paramount. With seamless SSO and multifactor authentication – enhanced with capabilities like Hands Free Authentication and push token notification (ideally one that asks the user to confirm a code shown on the login screen, so a prompt they did not initiate cannot be approved by reflex) – security becomes “invisible” to the end user. That keeps clinicians and CISOs happy.

Simplifying security with digital identity solutions

The challenges faced by HDOs demand a cohesive approach to managing digital identities and protecting against cyberattacks, and the Imprivata digital identity framework for healthcare presents a unified security- and efficiency-focused strategy for managing digital identities across complex ecosystems.

With solutions like SSO, multifactor authentication, remote access, mobile device access, and privileged access management (PAM) in place, among others, CISOs can help protect their HDOs from cyberattacks across both internal and external attack surfaces.