63%: A Cybersecurity Story

When I wrote about cybersecurity last week, I attempted to sound an alarm bell for healthcare providers about the magnitude of the threat we face as we seek to protect our businesses and their data from cybercriminals. Today, I want to follow up with a story that should scare you. It definitely scares me. Our company invests heavily in IT security, and we’ve done a pretty good job of making our systems and data secure. One of the things we do is hiring an outside firm to do system penetration testing. Essentially, we hire a professional hacking team to try to break into our systems however they can, and then we use their findings to enhance our security measures and reduce our vulnerability. It’s something that everyone should have done on a regular basis. During the test, our security consultants tried to crack as many of the passwords established and used by our employees to access our network and systems as they could. We were fairly confident in the strength of our passwords. After all, we require them to be at least eight digits long with a combination of letters, numbers, and special characters. We also force all employees to change their passwords every ninety days. Our confidence was quickly revealed to be hubris. During a 48 hour period of focused effort, our consultants were able to identify 63% of our 1,000+ employee passwords. They “guessed” the private passwords of nearly two out of every three employees! OMG. After the test was completed, I was informed that many of our employees, perhaps most of them, had chosen passwords that are easy to remember. They use things like “Packers#12”, “Hogwarts!23” and “Fall2019!” for ease. Unfortunately, a password that is easy for an employee to remember is just as easy for a hacker to crack. We’re fortunate that we also use multi-factor authentication as an added layer of security, but we’re taking steps to improve our passwords as well. I raise this issue today so that you, like me, can be energized to pay more attention to cybersecurity before you have a major incident. You can refer back to my last post for specific recommendations. You can also check out and download the cybersecurity playbook written by Jeremy Kauten, VGM’s CIO. It contains a wealth of information about who hackers are, why they want the protected health information that our businesses collect, and what you can do to stop them from getting it.