You need complex passwords. Clinicians don’t. Here’s how to strike the right balance.

By Wes Wright, Chief Technology Officer at Imprivata

July 14, 2021

Cyberattacks continue to grow

It seems like every year we hear that cyberattacks and ransomware in hospitals are on the rise. Unfortunately, it’s true every year. In fact, during the first 10 months of 2020, the number of reported breaches rose 18% over the same period in 2019.

Cyberattacks are clearly terrible for any industry to deal with, but their impacts are felt especially hard by healthcare:

Cyberattacks can take hospitals down for hours, days, or even weeks. This Irish hospital learned that first-hand.
Cyberattacks can inhibit, or even prevent, the delivery of care. If doctors aren’t able to access patient information, adverse events can happen. A patient in a German hospital even died after a ransomware attack. The patient’s death was the first real, malware-attributable death on record.

The need for complex passwords

Despite the increase in cyberattacks over the last few years, the solution is the same: hospitals need real (16+ character), complex, strong passwords to prevent unauthorized entry to systems. Firewalls can help, but they’re not enough to protect the network anymore. Healthcare organization’s need a zero-trust architecture and a cybersecurity mesh, which Gartner has explained, to control access at each point of entry, for each device, and for each user.

Clinicians’ need for no complexity

The solution is the same, but so is the challenge: clinicians want less complexity, not more. Users access myriad applications and devices, and passwords for those applications and devices can be hard to remember and store. The problem with passwords is people: people prefer convenience to security, a concept called security friction. This is especially true for clinicians. Clinicians often equate “security” with frustration: technology getting in the way of patient care.

But there is a way to implement complex passwords and remove complexity for clinicians. It’s a balance between security and workflow efficiency that enables strong password policies to be implemented across all workflows, endpoints, and applications, all with minimal disruption to end users.

Digital identity solutions to simplify the complex

Imprivata has put together a digital identity framework which presents a unified security- and efficiency-focused strategy for managing digital identities across complex ecosystems.

Imprivata OneSign offers enterprise access and single sign-on (SSO) that eliminates the need for clinicians and other end users to manually enter usernames and passwords. Passwords can be as complex as needed, and end users need only tap a badge or use their fingerprint to sign in to workstations and applications.

But passwords continue to be the primary way hackers gain access to sensitive information. Even if they’re strong passwords, and even with SSO. Because of this, it’s important to augment complex password policies with multifactor authentication. Security features in support of multifactor authentication can also create a potential barrier for users, so simplifying clinical workflows, remote access, and access to mobile devices needs to be streamlined, too.

The challenges of the modern health delivery organization (HDO) demand a cohesive approach to managing digital identity, and protecting against cyberattacks.