Cybersecurity Awareness Month: Securing Healthcare Beyond Passwords

October is Cybersecurity Awareness Month, a time to remember that security is everyone’s responsibility, especially in healthcare where a patient’s information privacy is vital.

Passwords have protected sensitive electronic data since the 1960s, and they have been flawed since the beginning. Most people choose passwords that are easy to remember, which also makes them easy to guess. Even after spending decades in the cybersecurity business, my family still creates passwords inspired by the name of our pets. You’ve heard the saying, “the cobbler’s children have no shoes.” 

In our personal and professional lives, it is not enough to mark October as Cybersecurity Awareness Month if we do not act on the awareness content. Take, for example, a recent study of roughly 19,500 University of California San Diego Health employees, which found that staff were no more likely to recognize phishing attempts after years of annual cybersecurity awareness training. The results argue for a new approach to securing health information and to educating staff on good security hygiene.

Over time, password requirements became more complex: uppercase letters, special characters, longer strings. Yet the fundamental weakness remains – human behavior. The latest guidance from the National Institute of Standards and Technology (NIST) favors longer, more memorable passphrases over forced composition rules and periodic resets, and recommends screening new passwords against lists of values exposed in known breaches. This shift is helpful, but it doesn’t fix the root problem. Passwords depend on people, and people are fallible.

The future of cybersecurity in healthcare must go beyond stronger passwords; it is moving to stronger authentication. Organizations should plan to mandate multi-factor authentication and move toward passwordless sign-in, choosing the option that fits each business case, for example:

  1. Passkeys – cryptographic credentials stored on your device; the private key never leaves it, and the sign-in is bound to the legitimate site
  2. Biometrics – fingerprint or facial recognition
  3. Behavioral heuristics – systems that recognize how you type or move your mouse, best used as a continuous risk signal rather than as the sole login factor
  4. Security keys or proximity cards – physical tokens that verify identity
  5. One-time passcodes – dynamic codes that expire quickly; codes from an authenticator app are preferable to codes sent by SMS or email

These tools create layered defenses that protect against unauthorized access to sensitive systems, including remote networks, prescription authorization, and PHI data lakes. Biometrics are now commonplace: unlocking a phone, approving a tap-to-pay transaction, changing account security settings. Proximity cards are in use in hospitals and clinics where staff must rotate access to shared IT and medical devices. Combining two of these factors, for example biometrics with a proximity card, gives a far stronger authentication scheme than either alone. The factors are not interchangeable, however. A one-time passcode typed into a convincing look-alike site can be relayed to the real site by the attacker within its validity window, whereas a passkey or FIDO2 security key signs a challenge tied to the site the browser is actually on, so a credential captured on a phishing page does not work anywhere else. Where the business case allows it, prefer the phishing-resistant options.
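To make the difference between the listed factors concrete, the following is an added example written for this article (it is not RazorMetrics code). It implements RFC 4226/6238 one-time passcodes, shows that a code relayed from a phishing page a few seconds later is still accepted by the real site, and contrasts that with a simplified passkey-style assertion in which the device signs the server’s challenge together with the origin reported by the browser, so a signature produced on a look-alike origin fails verification at the real site. Real WebAuthn signs authenticator data plus a hash of client data carrying the challenge and origin; this example collapses that to SHA-256(challenge || origin). The secret, hostnames and timestamps are constructed for illustration.

```go
// Added example (not RazorMetrics code): a relayed one-time passcode passes
// at the real site, a passkey-style assertion bound to the browser origin does not.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp implements RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp implements RFC 6238: the counter is the current time step (usually 30 s).
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts the current step and one step either side for clock skew,
// comparing in constant time.
func verifyTOTP(secret []byte, code string, unixTime, step int64, digits int) bool {
	for k := int64(-1); k <= 1; k++ {
		want := totp(secret, unixTime+k*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// relayedOTPAccepted models adversary-in-the-middle phishing: the victim types
// the code into a look-alike page and the attacker forwards it to the real
// site five seconds later. Nothing in the code ties it to the site, so it passes.
func relayedOTPAccepted(secret []byte, unixTime int64) bool {
	typedIntoPhish := totp(secret, unixTime, 30, 6)
	return verifyTOTP(secret, typedIntoPhish, unixTime+5, 30, 6)
}

// passkey holds the device-resident private key (P-256, as WebAuthn ES256 does).
type passkey struct{ priv *ecdsa.PrivateKey }

func newPasskey() (*passkey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &passkey{priv: k}, nil
}

// assertionDigest is the simplified signed message: SHA-256(challenge || origin).
func assertionDigest(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// sign produces an assertion for the origin the browser reports; the user
// cannot override that value and neither can the phishing page.
func (p *passkey) sign(challenge []byte, browserOrigin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.priv, assertionDigest(challenge, browserOrigin))
}

// verifyAssertion is the relying party's check against its own origin.
func verifyAssertion(pub *ecdsa.PublicKey, challenge []byte, rpOrigin string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionDigest(challenge, rpOrigin), sig)
}

// passkeyLogin runs one challenge/response: the real site issues the challenge,
// the browser on browserOrigin signs it, the real site verifies for rpOrigin.
// A relay attack is simply the case where the two origins differ.
func passkeyLogin(pk *passkey, browserOrigin, rpOrigin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := pk.sign(challenge, browserOrigin)
	if err != nil {
		return false, err
	}
	return verifyAssertion(&pk.priv.PublicKey, challenge, rpOrigin, sig), nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed)
	fmt.Println("TOTP at t=59:", totp(secret, 59, 30, 6))
	fmt.Println("relayed OTP accepted:", relayedOTPAccepted(secret, 1700000000))
	pk, err := newPasskey()
	if err != nil {
		panic(err)
	}
	real := "https://portal.health.example"           // constructed hostname
	phish := "https://portal-hea1th.example"          // constructed look-alike
	ok, _ := passkeyLogin(pk, real, real)
	relayed, _ := passkeyLogin(pk, phish, real)
	fmt.Println("genuine passkey login:", ok, " relayed passkey login:", relayed)
}
```

Run with `go run`; the TOTP value at t=59 matches the RFC 6238 test vector (287082 for six digits), the relayed passcode is accepted, and the relayed passkey assertion is rejected because the origin folded into the signed digest does not match.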

Passwords, however, are not the only threat. As artificial intelligence becomes more capable, so do cyber attacks. AI-generated phishing emails, deepfake videos, and voice bots can convincingly mimic executives, vendors, or coworkers. These attacks, too, target people rather than systems. Awareness of the newest threats helps healthcare staff identify and report AI-enabled attacks.

At RazorMetrics, security is foundational to everything we build. Because our technology supports physicians, patients, and plan sponsors who depend on the confidentiality and integrity of healthcare data, we assess our security controls and our exposure to emerging threats, and we design our systems to exceed compliance requirements.

That is why awareness must evolve alongside technology. Even the best authentication and encryption still depend on the judgment of the person behind the screen. Training teams to pause, verify, and think critically before clicking or replying remains one of the most powerful defenses against AI-driven attacks and common human mistakes. 

Healthcare organizations hold some of the most valuable and vulnerable data in the world, and its value to criminals has not diminished. While standard financial records such as credit card numbers have decreased in value on the dark web, valid health records still fetch upwards of $1,000 each. The payments industry knows how to replace stolen card numbers quickly, leaving thieves only a small window to use them. Medical information, by contrast, often cannot be changed: a cancer diagnosis, a blood type, prescriptions, treatment history.

According to the National Institutes of Health, healthcare fraud is estimated to cost health organizations between $100 billion and $170 billion annually. A good portion of this cost can be attributed to false claims filed using stolen PHI.

The future of cybersecurity in healthcare depends on smarter systems, stronger authentication, and vigilant people. Help build a cyber strong America!

Contributed by David Phillips, Chief Security Officer, RazorMetrics
