By Nadia ElKaissi, CHTM, and Jane Lacson, CCE, CHTM
You are troubleshooting a medical acquisition workstation, but you do not have the correct password. On a whim, you decide to search online for the default local account credentials. To your surprise, you find a document with full login credentials and instructions on using them to remote into your company’s workstations and servers. This document was meant to be an internal tutorial/training handout, not publicly accessible online. You realize the severity of the situation because it included many internal procedures and default vendor-provided users and passwords. You work with your company to immediately remove the document from the web-hosted repository and begin searching your network for other workstations and servers that might be affected. You contact the vendor to change the default password, but they advise against it, citing potential configuration issues.
Aware that the public credentials pose a security risk, you continue to work with the vendor to update the default logins for all the workstations and servers. As a healthcare technology manager, you also begin to think, is the local passwords required for the device? What are some security measures we should develop to protect these local passwords? Are there alternatives to using local passwords, such as centralized authentication methods? The following article will review security risks local passwords present and some best practices that can mitigate or lower the risk.
The health care industry is increasingly reliant on advanced medical devices for patient care, ranging from pacemakers to CT scanners. While these devices have revolutionized technology, they also introduce new potential vulnerabilities. One significant security risk that is often overlooked is the use of default passwords, which are typically set by the manufacturers and not changed by HTM or clinical staff during implementation. Proper password management and implementation education are crucial. When evaluating and managing medical equipment procurements, HTM staff must prioritize password policy. When not managed properly, health care facilities could be exposed to the following potential risks:
1. Default passwords
Local passwords, especially if they are left as the default manufacturer password, are one of the main targets for attack. Many vendors provide the passwords online in manuals or troubleshooting guides. Once attained, these credentials can provide unauthorized users with full control over critical devices.
2. Lack of strong password practices
Even if a local password is modified during implementation, the passwords are often replaced with simple passwords that can be easily guessed. “Root”, “password” and “biomed123” are some of the most common passwords for medical equipment. While it may be inconvenient to have long and unique passwords, weaker passwords are an easy target for attacks, leading to compromised device security.
3. Lack of monitoring and auditing passwords
During the procurement of medical equipment, one area that is not scrutinized as much is the evaluation of the medical devices’ logging capabilities. Unfortunately, many medical devices lack a robust method for logging credentials. Although this should not be the reason to reject purchasing the equipment, HTM staff need to discuss and find ways to monitor the devices after they are implemented. Without a way to monitor/audit passwords, unauthorized access to medical devices can go unnoticed, complicating the investigation of security breaches.
4. Poor password management
Depending on the HTM’s implementation process, password management is another critical area that can be overlooked. Often, during the procurement and implementation phases, vendors are not asked if their devices support multi-factor authentication (MFA). Consequently, health care facilities end up managing numerous local passwords. A common approach to managing these passwords is to use an Excel spreadsheet, which can come with its own security risks and limitation. Typically, if passwords are stored in a document, it may not be encrypted which leaves them vulnerable to unauthorized access if the file is compromised. In addition, the document does not offer features such as secure sharing or synchronization across devices, which can make it less efficient for managing passwords securely. Without a proper way to manage the passwords, passwords may be forgotten, written down in unencrypted/unsecured documents or shared inappropriately among staff. Such mishandling of passwords can pose significant risks to the security of the medical devices.
These potential risks can be mitigated by following some simple best practices.
1. Regularly change default credentials
Changing default user logins and passwords is essential upon installing or deploying any device or system. This helps eliminate the risk of unauthorized access using default credentials. A good practice is to develop implementation checklists with an area focused on password management. This will ensure all devices implemented are following the same process. You may find vendors insisting on keeping default passwords unchanged due to system configurations. However, it is not advisable to comply with this requirement. To ensure a smooth transition during password changes, it is essential to inquire about details such as, “What configuration adjustments are required when changing the default password?” and “What are the steps and complexities involved in changing the password?” Even if it is a complex password, the security can be compromised if the password is included in any service manuals or troubleshooting guides. Therefore, changing the default password is one of the initial steps to mitigate the risk.
2. Enforce strong passwords
In addition to changing default passwords, it is important to ensure all passwords follow strong password policies. Strong passwords are characterized by their length, complexity, and uniqueness, incorporating a mix of uppercase and lower-case letters, numbers, and special characters. The length should be a minimum of eight characters; however, it is recommended to try to push the limit to 16 characters or more. It is not advisable to include any personal information or use common words. If the device is unable to automatically require users to change the password periodically (every 90 days), then HTM should develop a tracking sheet to ensure the passwords are changed consistently. Health care facilities should implement policies that mandate password lock outs after a certain number of failed login attempts to prevent brute-force attacks. Lastly, it is important to also provide constant training on the importance of creating and safeguarding strong passwords. By enforcing these practices, the risk of unauthorized access can be significantly reduced.
3. Monitor and audit default credentials
Monitoring and auditing default credentials is essential to reduce the risk of the medical systems. Often, medical devices will not have the capabilities to monitor and audit logs. However, it is imperative to ask during the procurement and implementation of the equipment what possibilities are available. In addition to ensuring the system has monitoring capabilities, it is recommended to have policies that require periodic reviewal of default credentials. This could include ensuring default credentials are promptly identified and ensure there are no suspicious login attempts. This proactive approach can help detect and rectify oversights in changing default logins and passwords.
4. Password management
Effective password management is essential in a strong cybersecurity program. Leveraging password management tools enhances the capability to streamline and centralize password management across an organization. The benefits of using these tools can help to automate processes and allow for storing and encrypting passwords. Prioritizing inquiries with vendors about MFA support for their device is strongly recommended. MFA offers enhanced security compared to local passwords by requiring multiple forms of verification, significantly reducing the risk of unauthorized access. The goal should always be to minimize local passwords and maximize the use of MFA wherever feasible, thereby reducing the quantity of passwords that need management. Unfortunately, many medical devices still do not support MFA. Therefore, for local passwords, embracing password management is essential to safeguard sensitive information, promote efficient access control, and ensure compliance with security policies.
Default password management plays a crucial role in cybersecurity within the health care sector. Through timely modification of default passwords, adherence to robust password protocols, staff education, and deployment of effective monitoring tools, health care organizations can significantly mitigate the risks associate with default passwords. Just know that anything is better than nothing. HTM professionals should recognize the significance of password management and strive to integrate it into the implementation and sustainment of medical equipment within health care environments.
Nadia ElKaissi, CHTM, is a biomedical engineer in healthcare technology management at the VA Central Office.
