Every year, cybersecurity experts get together and compile lists of the weakest passwords (many of which can now be found on the Dark Web). BUT, new research is showing that there is an even less secure password that is very common on hospital networks.
No, I don’t mean passwords the likes of p@ssw0rd or 123456 (these are very weak and at the top of many lists). What I mean is a password that most of you probably wouldn’t even guess—but one I have seen time and time again in hospitals and clinics across the country (and one I strongly advise you to change immediately).
Why is this ‘most-insecure’ password so important?
Hackers and criminals are on the lookout for it. It’s a huge payday when one is found—especially one that opens doors into your networks.
This becomes even more important when you think of all of the devices on your network—IoT (internet of things) devices or security cameras, for instance. And this password is becoming more common as more and more gets connected within your hospital network.
On the subject of IoT, as I’ve mentioned before—these devices aren’t exactly secure. Most of the technology governing how they connect was developed over 20 years ago (when cybersecurity wasn’t a concern). And one of the big IoT cybersecurity challenges today relates to default passwords with no clear way to change them—passwords that are weak, well-known, and the same across every device of that model.
Another big password issue within your network is that users stick to the same usernames—maybe the same as their email address, or simply ‘admin’. This completely exposes folks who have easy-to-crack passwords on top of reusing the same username over and over again within your network. As the Dark Web password databases fill up with bigger lists of passwords, many hospital CEOs are growing concerned that someone within their ranks is on one of those lists.
I’m sure at this point in reading this article, you are thinking, yeah—I’m terrified of this stuff, but what is that most insecure password?
While user behavior is definitely a big concern in healthcare environments—how passwords are managed and when and how they are changed—an even bigger risk is with this most insecure password.
One of the most astonishing and unbelievable things that we discovered in assessing networks across the country is the fact that there is one overused password that is making you the lowest-hanging fruit.
Nothing.
I don’t mean ‘nothing’ or ‘Nothing’ is the password. What a large chunk of hospitals have hiding in relatively plain sight are passwords that are completely EMPTY! Nothing contained within them at all.
Remember back when you were told your password isn’t complex enough? Maybe you were using the name of one of your kids. Or an address? Hackers were able to easily crack those.
Guess what? Nothing is even easier! They don’t even have to guess.
And the scary part of our findings? No one realizes these nothing passwords exist! They are hidden well enough that there’s no visibility (no one is checking for them). And they can be the difference between your hospital falling victim to an attack and not—and they are out there in devices and configurations. You might think you’re safe, but over half of the facilities we’ve assessed have had problems with nothing passwords on their networks.
Now pair that nothing password with a default username. How easy will that combo be to crack? There are published lists of default usernames (software designers—especially in healthcare software—have not been too creative with them). Guess what hackers have started to notice? Nothing passwords! And they’re advertising and chatting about them on the Dark Web as you’re reading this.
Criminals want to take the easy route—the road less traveled is too hard. Make the money as fast as you can, that’s their mentality. The places with easy pickings will be networks that have nothings out there.
My question to you: are you sure where and what your network passwords are? Are they secure? Audited? Uncrackable? Are you one of the half of hospitals with nothing passwords floating around your network, waiting to get exploited?
How can you find your nothing passwords? The easiest way is through a ransomware vulnerability assessment.
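One defender-side way to start that hunt, shown as an added example that is not the article's or its author's code: a small Python audit that flags accounts whose hash field is empty in a shadow-style file and password keys with empty values in key=value device configs. The sample data is constructed, and the list of vendor default usernames is an assumption.

```python
"""Audit for empty ("nothing") passwords in shadow-style account files and
key=value device configs.  Added example; all sample data is constructed."""
import re

# Constructed /etc/shadow-style lines.  Field 2 is the hash: an empty field
# means no password is set at all, while "!" or "*" means the account is locked.
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
admin::19000:0:99999:7:::
service:!:19000:0:99999:7:::
"""

# Constructed config fragments of the kind pulled from devices and apps.
SAMPLE_CONFIG = """\
[device]
username=admin
password=
[db]
db_user=sa
db_password = "secret"
[cam]
user=camera1
passwd=""
"""

# Assumed vendor default usernames: empty password + default user is the worst combo.
DEFAULT_USERS = {"admin", "root", "sa"}
PASSWORD_KEY = re.compile(r'^\s*(\w*(?:pass|pwd)\w*)\s*=\s*(.*?)\s*$', re.I)
USER_KEY = re.compile(r'^\s*(\w*user\w*)\s*=\s*(\S+)', re.I)
SECTION = re.compile(r'^\s*\[(.+?)\]')

def severity(user: str) -> str:
    return "CRITICAL" if user.lower() in DEFAULT_USERS else "HIGH"

def empty_shadow_accounts(shadow_text: str) -> list:
    """Account names whose hash field is empty (locked accounts are not flagged)."""
    fields = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in fields if len(f) >= 2 and f[1] == ""]

def empty_config_passwords(text: str) -> list:
    """(section, user, key, severity) for every password-like key with an empty value."""
    findings, section, user = [], "", ""
    for line in text.splitlines():
        if sec := SECTION.match(line):
            section, user = sec.group(1), ""
        elif (m := PASSWORD_KEY.match(line)) and m.group(2).strip("\"'") == "":
            findings.append((section, user, m.group(1), severity(user)))
        elif m := USER_KEY.match(line):
            user = m.group(2)
    return findings
```

Run it against exported account files and configuration backups from each device class on the network, treating any CRITICAL hit as a same-day fix.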