
Healthcare – weak passwords are a significant factor in cybercrime breaches across the sector

Healthcare organizations hold some of the world’s most sensitive data. Recent studies and experience show that many remain unprepared for cyber-attacks. Threat actors target valuable confidential data, making healthcare a growing target, and ransomware is steadily picking up pace as today’s cyber-weapon of choice.

We probably all remember the global WannaCry ransomware attacks in 2017 that affected businesses in 150 countries across the world. The cost to the global economy is conservatively estimated to have been over £6 billion. If you worked in healthcare 5 years ago you will remember that the attack affected over a third of healthcare trusts in England and Scotland – as well as the financial cost, it also had a massive impact on the NHS’s ability to provide the services on which we all rely.

In a 2021 study, 81% of UK healthcare organisations reported having been impacted by a ransomware attack. This includes the attack on Ireland’s health service, HSE Ireland, in May, which led to a number of hospital appointments being cancelled. About 36% of these attacks were the result of e-mail security threats, usually caused by phishing or brute force attacks.

How are passwords identified by criminals?

Brute force attacks

This is often the simplest way for a criminal to access a system, and it explains why all of us need strong or complex passwords. Criminals can use an ever-expanding list of the most common passwords, available from the internet, or they use more focussed attacks based on the name of the company and/or details obtained from social engineering and open source research.

For example, a CEO’s daughter may be called Frances, and this data is easily found on Facebook. If I were to brute force the password to his e-mail or network I would look to incorporate his daughter’s name into the password, maybe adding a date of birth. And the criminals will try millions of such passwords and variations in quick succession – if the system allows it – using bots.
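The phrase “if the system allows it” is where a defender has leverage: counting failed logins per account inside a short window, and flagging a success that arrives while such a burst is still live, is the basic detection for this tactic. The following is an added example (not from the original article), written in Python and run over constructed log lines in a made-up format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (made-up format, not from the article): one user who
# mistypes once, and one account hit by a rapid run of guesses that ends in
# a successful login from the same source.
SAMPLE_LOG = """\
2021-05-10T09:00:01 FAIL user=a.jones src=10.0.0.5
2021-05-10T09:00:09 OK   user=a.jones src=10.0.0.5
2021-05-10T09:01:00 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:01 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:01 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:02 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:02 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:03 FAIL user=ceo src=203.0.113.7
2021-05-10T09:01:03 OK   user=ceo src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse(log_text):
    """(timestamp, result, user, source) per line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def analyse(events, threshold=5, window=timedelta(seconds=60)):
    """Flag accounts with >= threshold failures in a sliding window and note
    whether a login succeeded while that burst was still live (the signature
    of a guessed password). Returns {user: {"success_after_burst", "sources"}}."""
    recent = defaultdict(list)  # user -> failure timestamps still inside window
    report = {}
    for ts, result, user, src in events:
        fails = [t for t in recent[user] if ts - t <= window]
        if result == "FAIL":
            fails.append(ts)
        recent[user] = fails
        if len(fails) >= threshold:
            entry = report.setdefault(user, {"success_after_burst": False, "sources": set()})
            entry["sources"].add(src)
            if result == "OK":
                entry["success_after_burst"] = True
    return report
```

The same counters drive a lockout or rate-limit decision: refusing further attempts once the threshold is reached is what stops “millions of passwords in quick succession”.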


Phishing

This remains the most common tactic to attempt a network breach. Phishing is a cyber-attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment. After clicking on the link or attachment the victim is instructed to enter a number of details, which will include – you’ve guessed it – their password. That information is later used by the criminals to log back into the network and the damage is done.

Because of the way these compromises work, it is vital that organisations ensure a combination of the password tactics below is employed. They reduce the overall risk of an attack being successful and, importantly, they limit the access a criminal may have to your systems should one password be identified.

What should I do now?

1. Choose a “Passphrase” Instead of a Password

Long, complex passwords are more secure, but they’re also hard to remember. Try using a passphrase with 8 or more characters. Make it something easy for you to recall but avoid common phrases, quotations or personal information.

For example, you could create a passphrase like “Footba!!4theGreate5tC1uB”, which uses dictionary words in a memorable sequence. The combination of special characters and upper- and lowercase letters makes it harder to guess, and harder for automated attacks using bots to identify the password through trial and error. Have a look at our short video about strong passwords.
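As an added example (not part of the original article), the Python check below turns the advice above into a policy test: minimum length, a mix of character classes, a common-password list, and the social-engineering point from the brute force section, so a password built from a family member’s name and date of birth is rejected even when letters are swapped for look-alike symbols. The common-password list and the personal tokens are constructed placeholders.

```python
import re

# Constructed stand-in for the published common-password lists the article
# mentions; a real deployment would load a large list such as a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football", "welcome"}

# Undo the usual letter-for-symbol swaps so "Fr4nc3s" still reads as "frances".
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def normalise(s):
    return s.lower().translate(LEET)

def check_password(pw, personal_tokens=(), min_len=8):
    """Return the list of policy failures for pw (empty list = acceptable).
    personal_tokens are facts an attacker could find about this user from
    social media or open sources: family names, dates of birth, and so on."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        problems.append("uses fewer than three character classes")
    lower = pw.lower()
    # Compare as typed, with trailing digits dropped ("Football1"), and de-leeted.
    candidates = {lower, lower.rstrip("0123456789"), normalise(pw)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a common-password list entry")
    norm = normalise(pw)
    for token in personal_tokens:
        t = normalise(str(token))
        if len(t) >= 4 and t in norm:  # skip very short tokens to limit false hits
            problems.append(f"contains personal information ({token})")
    return problems
```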

2. Make a Different Password for Every Account

Don’t use one password for every account. The password you set for each application should be unique, because that reduces the risk of a single compromise spreading to other accounts.

Hackers often get account credentials from lists published on the internet that were harvested from systems vulnerable to attack. If you use the same password everywhere, one leaked password could be used to access your other systems.

3. Use a Password Manager

Does setting unique passphrases for each account sound unmanageable? Think about using a password manager, which not only helps securely store and retrieve passwords, but also generates long, complex passwords unique to each account. Some password managers also store passwords in the cloud so you can access them from any device.

If you decide to use a password manager, be sure to secure your master password. The master password should be long and complex. And because it holds the key to all your account passwords, take extra precautions to secure it with multifactor authentication. If you want to know a little bit more about password managers take a look at our short video.

4. Consider Passwordless Authentication

Some vendors have introduced “passwordless” authentication for greater security. A typical passwordless system involves two parts: something you have, like a security key or smart card; and a biometric gesture (such as a fingerprint or retinal scan) or a PIN. PINs are stored locally and never sent across the network, which makes them more difficult to compromise.


Technology has been evolving very rapidly, and it has become a critical element of modern healthcare, but it has also become a significant part of the attack landscape. What is worrisome is that healthcare technology is often deployed and used without security in mind. Password management is an important tool that can reduce the chance your organisation falls victim to cyber-attack. So take action now and protect your organisation today.

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website at and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Finally, you may have access to some sort of IT support within your business and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
