HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Why Healthcare Workers should be Using a Password Manager

Healthcare workers access electronic Protected Health Information (ePHI) on a daily basis – most often via the use of password-protected EHRs. In order to mitigate the risk of ePHI being hacked, compromised, or unavailable due to a cyberattack, healthcare workers should be using a password manager that generates, stores, and auto-fills complex passwords.

Earlier this year, HHS issued a threat brief warning about the risks to ePHI stored in EHRs. The brief identified the top five threats against EHR as phishing attacks, malware and ransomware, encryption blind spots, cloud threats, and the misuse of credentials by employees. It also reported that the most common cause of healthcare data breaches in 2021 was compromised credentials.

According to the 2021 Data Breach Investigations Report, credentials are most often compromised by brute force attacks on weak passwords and phishing. Therefore, the best way to protect ePHI in EHRs is to use complex passwords and reinforce login credentials with two-factor authentication so that, if login credentials are exposed in a phishing attack, phishers cannot get into EHR systems.

Why Healthcare Workers should be Using a Password Manager

The Issue with Complexity and 2FA

Remembering complex passwords that use a combination of upper- and lower-case letter, numbers, and special characters is difficult. In addition, complex passwords take longer to key into an EHR than short numeric or alphabetic passwords. Therefore, even if a healthcare worker remembers their password, the additional seconds keying the complex password into an EHR could make the difference between life and death in a medical emergency.

The issue with reinforcing login credentials with two-factor authentication (2FA) is that the time between attending a patient and accessing their EHR can be further extended if a healthcare worker has to wait for a One Time Passcode (OTP) to deactivate 2FA access controls. Any delays or mistakes entering the code can have serious consequences if a healthcare worker becomes stressed (in an already stressful situation) and mistakes are made treating the patient.

How to Overcome these Issues

The way to overcome these issues is with a password manager that generates, stores, and auto-fills complex passwords and that supports Authenticator Apps. The password manager is deployed on the EHR so that, when a healthcare worker needs to access a patient´s ePHI, they do so by logging into the password manager with their master password. The password manager auto-fills the healthcare worker´s login credentials for the EHR and generates an OTP passcode.

The process takes as long as entering a weak password (because master passwords are usually long passphrases that are easier to remember than complex passwords) and has the security advantage that healthcare workers have to physically copy and paste the OTP into the login field (usually with a click of a mouse or swipe of a screen). Therefore, as mentioned above, if login credentials have been exposed in a phishing attack, phishers cannot get into the EHR systems.

Which Password Managers have these Capabilities?

Most vault-based password managers with cross-platform synchronization have the capabilities to generate, store, and auto-fill complex passwords. Some have better support for Authenticator Apps than others; and, with regards to Authenticator Apps, it is better to use an app that generates “rolling” Timed One Time Passcodes (TOTPs). This is because, although the passcode refreshes every thirty seconds, a code is always instantly available to be copied and pasted into the login field.

The significance of cross-platform synchronization is that patient EHRs have to be accessed from multiple locations, and the devices in these locations might not all run on the same operating system or use the same browser. Consequently, password managers such as Bitwarden are ideal for securing healthcare worker´s login credentials and protecting the confidentiality, integrity, and availability of ePHI. The Bitwarden password manager also meets the HIPAA password requirements.

Closing Thoughts on Why Healthcare Workers should be Using a Password Manager

Most of the preceding text has focused on protecting ePHI maintained on EHRs by replacing weak, hackable passwords with complex passwords, and mitigating the risk of exposing login credentials in phishing attacks. But there is another reason why healthcare workers should be using a password manager – to protect personal data when using employers´ computer systems.

One of the most surprising statistics to come out of the 2021 Data Breach Investigation Report was that 66% of the data compromised in healthcare data breaches was personal data – not medical data. The report attributes this apparent anomaly to medical data being more stringently protected than other data and attackers simply taking what they can when the opportunity presents itself.

Consequently, even if healthcare organizations do not deploy password managers to protect ePHI maintained on EHRs, healthcare workers should be using a password manager to protect their own login credentials, payment details, and other sensitive data that could be used by a hacker to commit identity fraud. This article provides a comparison of the best free and low-cost options.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.