Pharmaceutical and medical device companies are high-value targets for cybercriminals, making cybersecurity a high-priority consideration. A key component of good cybersecurity is adopting password security best practices.
Good password security is important to protect IP and patient data, as well as ensuring operations can continue without the often significant interruptions that can occur as a result of a cyberattack. There are also compliance considerations in the life sciences sector, including the data integrity requirements of 21 CFR Part 11.
Even minor issues in relation to password security can result in a major breach, but before getting into the best practices for password security, it is important to highlight the wider cybersecurity context.
The Starting Point for Good Password Security
To properly protect your organization’s infrastructure, data, IP, and operational integrity, it is critical to ensure there is a solid understanding at all levels of the importance of password security.
This understanding shouldn’t be limited to technical or procedural considerations, i.e., how many characters a password should have or how often passwords should be changed. Technical and procedural considerations are important, but it is also essential to understand the evolving threat landscape in relation to passwords.
This includes understanding the nature of social engineering and phishing threats, both of which can put even the strongest passwords at risk.
It is still essential to follow password security best practices, but passwords need to be considered in terms of your wider cybersecurity strategy, policies, and defenses.
Password Best Practices
Multi-factor authentication (MFA) ensures a password alone won’t allow access to a system. MFA should be implemented as much as possible in pharmaceutical and medical device manufacturing organizations.
Put in Place Effective Password Security Tools, Procedures, and Policies
There are steps that can be taken at an IT and operational level to improve password security in pharmaceutical and medical device companies. This includes implementing MFA, as mentioned in the previous point.
Other steps that can be taken include:
- Implementing password monitoring technologies and/or password managers, the latter of which help users set and remember complex passwords. In fact, with a password manager, users don’t need to remember their passwords at all, as the system does it for them. The result is a good user experience with strong password security, but it is a solution that also comes with a crucial risk that should also be considered – the risk of the password manager itself becoming compromised.
- Ensuring systems, software, PLCs, devices, etc. are configured so users can’t use a password that has been used previously.
- Automatically disabling inactive accounts and locking down accounts after a preset number of failed login attempts.
There are also some password security tools and procedures that are best avoided. This includes knowledge-based authentication systems where users are asked to answer questions like their mother’s maiden name. These types of systems can weaken, rather than strengthen, password security.
Another commonly used practice that deserves careful consideration before being implemented is requiring employees to change their passwords after a predetermined period of time. There is growing consensus among cybersecurity experts that regularly changing passwords has little effect on improving security and can even weaken your defenses.
For example, a user is more likely to write down their passwords if they have to remember new ones every two or three months. Alternatively, a user might alter just one character in their new password every time they are asked to change it. Hackers are aware of this practice of making minor modifications to existing passwords. If hackers are aware of it, they can beat it.
Encourage Good Password Structure
Best practices for password structure include:
- Password length is arguably more important than random complexity, so insisting on long passwords will help to improve password security.
- While password length is important, it is also beneficial to make passwords a random collection of numbers, uppercase letters, lowercase letters, and symbols.
- Educate users on the importance of not using the same passwords at work as they do on their personal accounts.
- Educate users to avoid using common words. In fact, using words should be avoided altogether. Phrases are better (because they are longer) but completely random collections of characters are best.
- Encourage staff to avoid common practices that meet password length and character requirements, but which do little to improve password security. While a password like Ph@rm@c3ut1caL might look hard to guess, using character substitutes like this is so common that hackers are very good at guessing these types of passwords.
Encourage Good Password Protection
Creating a unique and long password made up of a random collection of characters is only part of ensuring password security. It is also important that users protect the passwords they create. Best practices for protecting passwords include:
- Encourage staff to avoid writing down passwords, even if they think the location of the written password is secure.
- Prohibit the sharing of passwords.
- Prohibit the practice of a user logging into a system for someone else to use.
- Encourage employees to use a unique password for every account and system.
Move to a Single Sign-On Solution
Single sign-on solutions allow users to access multiple applications and systems by authenticating once. This provides a good user experience, but it can also improve password security. The benefits of single sign-on solutions include:
- Reduces password fatigue as users only have to remember one strong password, reducing the practice of choosing easier-to-remember passwords.
- Decreases phishing opportunities as users only have one set of credentials to remember. This makes them more aware of unusual requests that could be phishing attempts.
- Centralises system, device, and platform authentication to make it easier to monitor and manage user access.
- Reduces the attack surface as there are fewer passwords to steal and fewer routes of attack.
Finally, continuous vigilance is essential to maintain good password security in the life sciences sector. This includes continuously reviewing policies as well as new technologies that can improve security. It also includes providing staff with regular training on password security and other cybersecurity topics.
Nothing is completely foolproof when it comes to cybersecurity, but following these steps and best practices will help to significantly reduce risks.