Healthcare Data Security

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit, and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information, that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data; purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right: only Connecticut, Vermont, Massachusetts, New York and Indiana have done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has recently been passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that expands the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” of those records.

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.

Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions

The Netwrix Corporation, a provider of a visibility platform for data security and risk mitigation in hybrid environments, has published the results of a recent study on healthcare IT risks. Netwrix asked healthcare IT professionals about the biggest security risks faced by their organizations, how security budgets are being allocated and the main areas where future security budgets will be directed.

Netwrix said, “We aimed to look deeper into IT security practices, successful experiences and plans of healthcare organizations, as well as the most typical pain points.”

The survey shows the biggest data security concern of healthcare IT professionals is employees. 56% of respondents said employees were the biggest data security threat. Only 38% believe the biggest threat comes from hackers.

The results are unsurprising, since the majority of data security incidents in 2016 were caused by the actions of employees. The two biggest causes of data security incidents last year were malware and human error, with malware often installed as a result of the actions of employees. 59% of respondents said they had experienced malware incidents in 2016, while 47% said they had to deal with security incidents caused by human error.

While healthcare organizations have invested heavily in cybersecurity defenses, only 31% of respondents said their organization is well prepared to beat cyber risks. Budgets are primarily being directed at protecting endpoints, databases and virtual infrastructure. 61% said their main focus was endpoint security, 56% said databases and 47% said virtual infrastructure. The main focus of future investment was data breach prevention for 56% of organizations, with 25% saying they are focused on new measures to prevent intellectual property theft and 25% on technologies to prevent cyber sabotage.

The report authors pointed out that “Despite following the requirements of HIPAA and other compliance standards, medical organizations are likely to focus on certain areas of IT environment instead of having visibility across all critical systems, which increases their vulnerability to cyber threats.”

The study revealed there are a number of key areas where security protections are lacking. 38% of respondents said unstructured data in third party data centers was a major data security risk. The other main areas that had been neglected were BYOD (29%) and shadow IT (21%).

Data stored in third party data centers tends not to be as sensitive as data stored on premises, although poor visibility and a lack of control over data in hybrid cloud environments pose security problems. While measures are being introduced to improve the security of personal devices, a lack of visibility threatens organizations’ security posture.

Michael Fimin, CEO and co-founder of Netwrix, said, “Having a clear understanding of what is going on in the environment will help [healthcare organizations] mitigate the risk of human errors, detect and investigate incidents faster, and, as a result, improve the security of their sensitive patient data.”

The main obstacles preventing healthcare organizations from managing cybersecurity risks more effectively were time and money. Three quarters of respondents said a lack of money and a lack of time were hampering efforts to manage cyber risks more effectively, while 44% of respondents said a lack of participation of senior management was a major obstacle.

Healthcare organizations have had plenty of time to implement policies that ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and to put sufficient security protections in place to safeguard protected health information. However, 36% of respondents said they had experienced problems with compliance and passing audits. One of the major problems was not a failure to maintain an audit trail of user activity but the inability to access that information and produce it for auditors in the allocated time frame.


Office of Inspector General Releases Results of VA FISMA Audit

The Department of Veteran Affairs’ Office of Inspector General has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the security review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA).

The report reveals there are many ongoing security vulnerabilities that need to be addressed, although this year’s report only adds three new recommendations. In total, OIG made 33 recommendations about how the VA can make improvements to address security weaknesses.

Those 33 recommendations are spread across 8 areas: the security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response/planning, continuous monitoring and contractor systems oversight.

The three new recommendations in this year’s report are:

  • Weaknesses have been identified in the agencywide information and risk management program. OIG recommends processes are implemented to ensure all systems used by the VA are formally Authorized to Operate. System security controls should also be evaluated prior to systems connecting to the Internet or the VA network.
  • Weaknesses have been identified in the VA’s configuration management controls. OIG recommends the VA should improve and implement processes to ensure all devices and platforms are evaluated using credentialed vulnerability assessments.
  • Weaknesses have been discovered in incident response and monitoring. OIG recommends that the VA’s Network Security and Operations Center should be provided with full access to security incident data to help raise awareness of information security events.

The OIG report says considerable improvements have been made and security has been improved. New policies and procedures have been implemented and great strides are being made to improve agencywide security; however, many vulnerabilities persist and the VA faces considerable challenges implementing various components of its information security continuous monitoring and risk management program. OIG found significant deficiencies in the VA’s access controls, configuration management controls, continuous monitoring controls and service continuity practices.

OIG says the VA must concentrate its efforts on four key areas to better achieve FISMA outcomes. These are:

  • Address security issues that contributed to the information technology material weaknesses detailed in the FY 2016 audit of VA’s Consolidated Financial Statements.
  • Address process deficiencies to ensure system Authorizations to Operate are conducted in accordance with VA policy.
  • Make improvements to the speed of deployment of system upgrades, system configurations and security patches to address known vulnerabilities, and enforce a consistent process across all field offices.
  • Make improvements to performance monitoring to ensure security controls are operating as intended in all facilities. Identified security deficiencies should also be effectively communicated to appropriate personnel to ensure action can be taken to mitigate risks.

Many of the deficiencies identified in the report are common in the healthcare industry. While it is not possible to totally eliminate risks, it is possible to reduce those risks to an acceptable level. Some of the vulnerabilities are expected to be addressed when the VA transitions from its VistA EHR to the new Cerner EHR.


Healthcare IoT Security Market Predicted to Grow at CAGR of 22% over Next 5 Years

Internet of Things (IoT) devices such as wearable sensors, implants, medical devices and home monitoring systems have the potential to greatly improve patient services and quality of care. The IoT could revolutionize the healthcare industry, and adoption of the technology is already high.

IoT devices can be controlled remotely and are highly automated. Implementing the technology can result in improvements in efficiency and accuracy, and there are considerable economic benefits. However, IoT devices introduce considerable risks.

IoT devices are now being introduced, even though security is a major concern and many of the devices are not covered by existing security solutions. A recent healthcare-specific Thales Data Threat Report suggested that 60% of healthcare organisations are deploying new technologies before appropriate security is implemented. That said, investment in security technologies is increasing and healthcare organizations are working on improving security for IoT devices. There is currently strong demand for new security solutions and that is unlikely to change.

Currently the global healthcare IoT security market is valued at $4.8 billion, according to a recent Market Research Future report. Over the next five years, the market is expected to grow to $15.82 billion with a CAGR of 22%.

Market Research Future says the explosive growth in the IoT security market is driven by several factors, including the potential for huge savings to be made by increasing automation. Therefore, there is likely to be high adoption of the technology by the healthcare industry.

New smart devices are likely to come to market over the next five years which will require security solutions to protect them and the data they store, with R&D expenditure likely to increase. There is expected to be greater integration of the devices into the Internet ecology and cross transferability of IoT security to a wide range of industry sectors.

Factors that could hinder growth include shorter product lifecycles and greater sunk costs associated with IoT technology. While adoption of new IoT technology is expected to be greatest in the United States, globally, growth may be limited by a lack of connectivity and bandwidth, a lack of a legal framework covering the technology and a lack of trained professionals.

Market Research Future suggests the major players in the IoT Security market over the next five years will be Cisco Systems, IBM, Intel Corporation, Sophos Group, Oracle Corporation, Trend Micro Inc., and Symantec, although many other security firms are expected to expand and develop new IoT security solutions to meet demand.


Princeton Community Hospital Replaces Network After NotPetya Attack

Recovery from the WannaCry ransomware attacks was a long and complicated process for many healthcare organizations. Recovery from the recent NotPetya attacks has also been problematic.

In contrast to WannaCry, NotPetya is not actually ransomware. While it bears a number of similarities to a strain of ransomware called Petya, the virus is actually a wiper. The attacks initially appeared to involve ransomware, but the aim of the attacks was to wipe out computers and destroy data. A ransom demand was presented on screen claiming payment of a ransom would allow an organization to obtain the keys to unlock data, but access to files cannot be restored as the decryption keys do not exist.

Attacks in the United States were limited, with five known healthcare victims. Princeton Community Hospital in West Virginia is one of the organizations struggling to recover.

Princeton Community Hospital has been attempting to bring its systems back online since the attack last Tuesday. The hospital reports that attacked devices cannot now be used on the hospital’s network. The hospital is having to replace its entire network, including installing new hard drives on all affected devices.

The NotPetya attack caused considerable disruption, although the hospital quickly restored basic access to medical records by installing new computers at strategic points around the hospital. Medical records, details of medications and allergies and other essential information could therefore be accessed through the computers. Efforts are continuing to implement a new network.

The hospital has told employees on social media and via its website that the attack also took out the quick charge system in the cafeteria, the Meditech payroll system and the Kronos time system.

Even though computer systems were severely affected, inpatient, outpatient and radiology services continued to be provided, although there have been some delays, especially for non-emergency patients. The hospital said it would take a few days for the network to be rebuilt and for significant functionality to be restored.

The Heritage Health System was also affected, with much of its network of hospitals, satellite and community facilities affected. Pharma firm Merck was also attacked, as was Nuance, a Massachusetts based vendor of dictation and transcription services for the healthcare industry. In total, approximately 2,000 other organizations in 65 countries around the globe were affected. Approximately half of the attacks were on industrial organizations, with Ukraine hit particularly hard.

Many more healthcare organizations are likely to have been affected, although it is likely to be some time before the scale of U.S. attacks is known. Indicators of compromise have been shared with HITRUST via its cyber threat information exchange platform, although since information is shared anonymously it is unclear which organizations have been affected. Ransomware and other virus attacks that involve ePHI compromises are reportable to the Office for Civil Rights, although since covered entities have up to 60 days to report incidents it is likely to be several weeks before all covered entities affected by NotPetya are known.


U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack, and lab and diagnostic services were also affected.

The health system’s communications director, Suzanne Sakson said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant deletes and replaces the Master File Table (MFT) which prevents computers from being able to locate files. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account through a German email provider; however, that email account has been suspended. The email account was used to verify payment of a ransom. Without access to that email account, payment verification would be prevented.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” However, a mistake by the attackers when developing their ransomware is also a likely explanation.

The number of victims has been steadily rising, with Kaspersky Lab identifying 2,000 attacks on Tuesday, while Microsoft now reports there have been at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, if one computer on a network has not been patched the machine can be infected. The infection can then spread across a network to patched computers.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible it is essential for data to be backed up, with multiple copies made, including one copy on an air-gapped machine that is not exposed via the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec and wmic.exe should also be disabled to limit the ability of the ransomware to spread.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper at Cybereason suggests it is possible to ‘vaccinate’ computers to prevent encryption, with his method confirmed by a number of firms such as Emsisoft and PT Security.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Details of how to do this are available on Bleeping Computer.
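The host-level steps above (check that MS17-010 is present, block inbound TCP/445, and create the read-only perfc file) can be applied from one elevated PowerShell session. The script below is an added example written for this page, not code from HIPAA Journal, Rapid7, Cybereason or Microsoft. It assumes the `$Ms17010Kbs` list, which I took from Microsoft's MS17-010 bulletin for Windows 7/8.1/10 and Server 2008 R2 through 2016; later cumulative updates supersede those KBs, so a "not found" result means "verify against the bulletin for this build", not "unpatched". The firewall rule name and the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's or any vendor's code). Assumption: these are the
# MS17-010 KB numbers for common client/server builds; cumulative updates can
# replace them, so absence is a prompt to verify, not proof the host is unpatched.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215',
                'KB4012216', 'KB4012217', 'KB4012598', 'KB4012606', 'KB4013429')

function Test-Ms17010Applied {
    # Look for any MS17-010 KB among the installed hotfixes.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })

    # Secondary signal: EternalBlue/EternalRomance target SMBv1, so also report
    # whether the SMBv1 server is enabled at all (cmdlet exists on Windows 8/2012+).
    $smb1 = $null
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }

    [pscustomobject]@{
        Ms17010KbFound    = $found.Count -gt 0
        MatchingKbs       = ($found -join ',')
        Smb1ServerEnabled = $smb1
    }
}

function Block-InboundSmb {
    # Rapid7's advice: block TCP/445 inbound on internet-facing Windows systems.
    # Windows Firewall block rules override allow rules, so this blocks 445 from
    # every remote address on the selected profile(s); use -FirewallProfile Public
    # on hosts that must still serve SMB to trusted internal systems.
    param([ValidateSet('Any', 'Public', 'Private', 'Domain')][string]$FirewallProfile = 'Any')

    $name = 'Block inbound TCP 445 (NotPetya mitigation)'   # rule name is my own
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile $FirewallProfile -Enabled True | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action, Profile
}

function New-PerfcVaccine {
    # Serper's vaccine: a read-only file named perfc in the Windows folder.
    # It is specific to this variant and is no substitute for patching.
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $path | Select-Object FullName, IsReadOnly
}

# Run all three checks/changes and show the resulting state of each.
Test-Ms17010Applied
Block-InboundSmb -FirewallProfile Public
New-PerfcVaccine
```

The script deliberately leaves out two steps the text lists: restricting PsExec and wmic.exe (normally done with application control policy rather than per-host scripting) and the offline backups, which are a process control, not a host setting. Run `Test-Ms17010Applied` on its own first on hosts where the firewall rule would interrupt legitimate file sharing.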


FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices.

The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk.

Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps.

In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of patients, empowering them to make better day-to-day health decisions and manage their health conditions more effectively.

There has been an explosion in the number and types of connected digital health devices in recent years, including health-tracking apps, fitness trackers and medical devices. There has been considerable innovation in the field, although Gottlieb said there is currently some ambiguity about how the FDA regulates apps and medical devices which results in some innovators steering clear of healthcare and focussing efforts on other ventures.

The FDA’s aim is to release clear guidance for developers that will enable them to understand all regulatory requirements on their own without having to obtain answers from the FDA on each individual technological change they wish to make.

The new guidance will cover a wide range of digital health products with multiple software functions, including some apps and devices that currently fall outside the scope of FDA regulation.

Gottlieb said, “Greater certainty regarding what types of digital health technology is subject to regulation and regarding FDA’s compliance policies will not only help foster innovation, but also will help the agency to devote more resources to higher risk priorities.”

The FDA will be running a pilot program for its new, risk-based regulatory framework this fall. The pilot program is still under development and the FDA is currently determining how a third-party certification program can be developed that will allow low-risk digital health products to be marketed without the need for a premarket review by the FDA.

High-risk products will still require a pre-market review, although the FDA is looking at ways the process can be streamlined. The FDA is considering a certification program that would assess companies on their products to determine whether they are reliably and consistently engaging in high quality software design and have been diligently validating their software products.

Gottlieb said, “Employing a unique pre-certification program for software as a medical device (SaMD) could reduce the time and cost of market entry for digital health technologies.”

“Applying this firm-based approach, rather than the traditional product-based approach, combined with leveraging real-world evidence, would create market incentives for greater investment in and growth of the digital health technology industry.”


May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported; that’s one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

This month’s report proved problematic, as several hacking incidents were discovered after data were posted on black market websites, yet it is unclear whether the incidents are genuine as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the remaining 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days, more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took more than three years to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.


Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice.

Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling.

The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals.

An analysis of data from enterprises that downloaded the Preempt Inspector tool showed that more than 7% of employees are using passwords for their work accounts that have already been compromised in previous data breaches. Preempt also reports that 20% of passwords used by enterprise employees could easily be compromised, even though many enterprises have systems in place to ensure password complexity.

Preempt reports that 1 in 14 enterprise employees have set an extremely weak password that has appeared in a previous breach, while 13.39% of enterprise users have shared their password, either with other users or teams, or by using the same password for other services. Preempt says its research shows that 1 in 7 users have disclosed their password to other users within their network.

The study revealed that an average of 19.1% of enterprise users have set poor passwords, either those that have been used elsewhere, have been shared or are particularly weak. This translates to 1 in 5 enterprise users having a password that could easily be guessed by a threat actor.
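The two checks the text attributes to Preempt Inspector, membership in a compromised-password corpus and the same password in use on more than one account, are simple to reproduce for an audit of your own. The script below is an added example and is not Preempt's tool or its code. It assumes the account passwords are available as SHA-1 digests (breach corpora are commonly distributed that way; the digest is used only for matching, never for storage) and that the corpus is a list of such digests. The five accounts and the three-entry corpus are constructed test fixtures, and all function names are my own.

```powershell
# Added example, not Preempt's code. SHA-1 is used here only because breach lists
# are published as SHA-1 digests for matching; it is not a password storage scheme.
function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return (($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally { $sha1.Dispose() }
}

function Invoke-PasswordAudit {
    param(
        [Parameter(Mandatory)][hashtable]$AccountHashes,   # username -> SHA-1 hex of password
        [Parameter(Mandatory)][string[]]$BreachedHashes    # SHA-1 hex digests from a breach corpus
    )
    $breached = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$BreachedHashes, [System.StringComparer]::OrdinalIgnoreCase)

    # Count accounts per digest: a digest used by more than one account is either a
    # shared password or the same password chosen independently by several users.
    $usage = @{}
    foreach ($h in $AccountHashes.Values) { $usage[$h] = 1 + [int]$usage[$h] }

    $findings = foreach ($entry in $AccountHashes.GetEnumerator()) {
        [pscustomobject]@{
            User        = $entry.Key
            Compromised = $breached.Contains($entry.Value)
            Shared      = ($usage[$entry.Value] -gt 1)
        }
    }
    $poor = @($findings | Where-Object { $_.Compromised -or $_.Shared })
    [pscustomobject]@{
        Findings    = $findings
        PoorCount   = $poor.Count
        PoorPercent = [math]::Round(100.0 * $poor.Count / $AccountHashes.Count, 1)
    }
}

# Constructed fixture (not real data): a tiny breach corpus and five accounts.
$breachCorpus = @('Password1', 'Summer2017', 'letmein') | ForEach-Object { Get-Sha1Hex $_ }
$accounts = @{
    'alice' = Get-Sha1Hex 'Tr0ub4dor&3-correct-horse'
    'bob'   = Get-Sha1Hex 'Summer2017'        # present in the breach corpus
    'carol' = Get-Sha1Hex 'TeamShared!2017'   # same password as dave
    'dave'  = Get-Sha1Hex 'TeamShared!2017'
    'erin'  = Get-Sha1Hex 'gx9#Lq!vR2pz'
}

$report = Invoke-PasswordAudit -AccountHashes $accounts -BreachedHashes $breachCorpus
$report.Findings | Sort-Object User | Format-Table -AutoSize
'{0} of {1} accounts ({2}%) have compromised or shared passwords' -f `
    $report.PoorCount, $accounts.Count, $report.PoorPercent
```

With this fixture the report flags bob (compromised) and carol and dave (shared), 3 of 5 accounts. Against a real corpus of millions of digests, load it once into the `HashSet` and keep the audit on the hashed side: the plaintext fixture here exists only so the example runs stand-alone.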

The study revealed that larger organizations tend to have a better security posture and also a lower percentage of weak passwords in use. The larger the organization, the more secure their passwords are. This has been attributed to larger organizations having more resources devoted to security, with password policies likely to have been set and systems in place to enforce strong passwords. Those organizations are also likely to have more extensive education programs to raise security awareness.

The study was conducted on clients in multiple countries, with US-based organizations having approximately half the number of weak passwords as non-US companies. Preempt suggests that credential theft and cyberattacks are more extensively covered in the media in the United States, raising awareness of security and the need to take steps to prevent data breaches, such as setting strong passwords and not reusing passwords on multiple platforms.

The research shows that even though employees receive security awareness training and policies and technology are used to enforce the use of strong passwords, many employees are still taking big risks with their password choices. Many enterprises may believe they have tackled the issue of poor passwords, when the reality is likely quite different.
