Facepalm Files: To password or not to password, a healthcare cybersecurity tale
The setup
Early in my cybersecurity career, I performed vulnerability assessments for a managed security service provider (MSSP). The goal was simple: review an organization’s security posture, identify vulnerabilities, and align solutions to the MSSP’s offerings. One surefire way to grab a security leader’s attention? A password audit. Show them how many passwords you could crack in a matter of seconds, and you’ve got their focus. Armed with my trusty laptop with L0phtCrack installed, I set out to my next target: a regional hospital. Little did I know, I was in for not one, but TWO facepalm moments.
The facepalm moment
There’s an old adage in healthcare: doctors are the worst patients. They are great at giving direction, but let’s just say they can be less enthusiastic about taking it. This became painfully clear as the results of my password audit came rolling in. While not stringent, the hospital's password policy did have some fairly standard guidelines for the time: at least eight characters, a capital letter, and at least one number. The first facepalm moment: over 90% of the passwords were cracked by a simple hybrid dictionary attack (common words with numbers at the end). My palm was firmly affixed to my face as I saw Steelers75, Lemieux66, Roberto21 scroll past. (Yes, I was in Pittsburgh, but I won’t tell you which hospital.)
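To make the gap between the policy and the cracking result concrete, here is an added example (not code from the original post, and not L0phtCrack) that checks a password against the hospital's three rules and then against the "dictionary word plus trailing digits" shape the audit found; the word list is a small constructed stand-in for a real one.

```python
import re

# Constructed stand-in for a real dictionary / local-sports word list.
WORDLIST = {"steelers", "lemieux", "roberto", "penguins", "pittsburgh", "password"}


def meets_policy(pw: str) -> bool:
    """The hospital's policy from the story: >= 8 chars, an uppercase letter, a digit."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
    )


def hybrid_pattern(pw: str, wordlist=WORDLIST) -> bool:
    """True if the password is a word-list entry followed only by 1-4 digits,
    i.e. the 'common word with numbers at the end' shape a hybrid attack tries first."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,4})", pw)
    return m is not None and m.group(1).lower() in wordlist


def audit(pw: str) -> str:
    """Classify one password: policy failure, policy-compliant-but-guessable, or OK."""
    if not meets_policy(pw):
        return "fails policy"
    if hybrid_pattern(pw):
        return "meets policy but matches hybrid pattern"
    return "meets policy"


def audit_many(pws):
    """Return per-password verdicts and the count that are not 'meets policy'."""
    results = {pw: audit(pw) for pw in pws}
    weak = sum(1 for v in results.values() if v != "meets policy")
    return results, weak


if __name__ == "__main__":
    # Constructed sample set, including the three passwords named in the post.
    sample = ["Steelers75", "Lemieux66", "Roberto21", "short1A", "correct-horse-Battery9"]
    verdicts, weak_count = audit_many(sample)
    for pw, verdict in verdicts.items():
        print(f"{pw:24} {verdict}")
    print(f"{weak_count}/{len(sample)} flagged")
```

The point the audit made: every one of the cracked examples passes the policy, so a complexity rule alone says nothing about guessability; a block-list or pattern check like the one above is what catches them.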
I dutifully anonymized my results, destroyed the files, and prepared my final presentation. I couldn’t wait to reveal this little bit of information as the ‘grabber’ to open my presentation of findings. Here comes facepalm moment two. As I presented the findings to the hospital’s head of information security, the gentleman calmly proceeded to tell me: “We were actually thinking of getting rid of passwords altogether.”
What I did next
After picking myself up off the floor, I took a deep breath, nodded knowingly, and managed to utter a single word: “Why?” The director explained that in an emergency, the last thing a medical provider needed to do was type in a long, difficult-to-remember password. “Yes,” he said. “Those passwords are very weak and easy to guess. But, if I had to choose between saving a life or a strong password, I would choose the life every time.” Even I, a young infosec professional, recognized the hyperbole in that discord. Unfortunately, at the time, alternatives to username and password were very nascent. I was left to recommend watchdog logins with extra scrutiny and to highlight the risks of weak passwords. It wasn’t the ideal answer, but it was the best I could do at the time.
The lessons learned
It’s easy to laugh at the idea of ditching passwords entirely, but this story underscores an important lesson: walk a mile in someone else's shoes before passing judgement. The same goes when applying best practices: they’re not one-size-fits-all. What may be a best practice for the defense industry could be disastrous in a healthcare environment. With 31 years under my belt in my career, this is a lesson I revisit as I talk to any customer. We must keep in mind who is using the system, how they are using it, and what the unique risks are in their situation. Of course, the other lesson is to pick a strong password that follows your corporate policy.
Final thoughts
Looking back, I still shake my head and think: Steelers75 as a password? Really? (And that’s coming from a die-hard Steelers fan!)
That wraps up another round of Facepalm Files—where we learn from the mistakes (and triumphs) of the past. If this story resonated with you, or if you’re looking to strengthen your organization’s identity security, check out our Identity Security for Dummies ebook. It’s packed with practical tips and insights to help you stay one step ahead of the next facepalm moment.