More than two-thirds of healthcare organizations have employees with compromised email credentials, according to a new study from Evolve IP, a cloud services provider.

Of these compromised accounts, 76 percent included actionable password information for sale on the dark web, the report found. And between about 55 percent and 80 percent of organizations had compromised email accounts.

To make matters worse, 23 percent of these stolen passwords are found in clear text on the dark web. While the other stolen passwords are sold encrypted, the level of encryption used isn't enough to stop a hacker from cracking it.

Hackers get into the system with phishing and key-logging attacks, researchers said. Any one of these vulnerabilities can escalate to ransomware, patient data breaches or denial of service attacks.

The study focused on 1,000 HIPAA-covered entities and business associates. The researchers pointed out that the majority of these reported compromises the passwords were outdated, which are valuable to hackers. Over 75 percent of people use the same or similar passwords in all online activities.

"By understanding the types of changes people make to their passwords over time, hackers can create a user profile and determine a person's new password fairly accurately by using simple guessing or sophisticated automated algorithms," researchers said.

Some healthcare sectors fared better than others. Medical billing and collections had the least amount of compromised accounts, while regional healthcare plans were the least secure with 80.4 percent of organizations compromised.

The overwhelming majority of these organizations used cryptographically hashed passwords, which researchers explained are inadequate for today's cybersecurity challenges. Hackers have many tools that can easily crack these types of passwords.

As healthcare organizations are hackers biggest target, security best practices must include email safeguards, researchers said. 63 percent of breaches are caused by compromised email credentials. And about 7,500 individual security incidents occurred due to these compromises.

"Organizations are failing to adequately protect customers from online account takeover and data exploit," Kevin Lancaster, CEO of ID Agent said in a statement. "To combat the growing threat, the need to develop an end-to-end solution to automate the process of identifying stolen credentials and proactively securing customer on-line accounts, is vital."

Dual-authentication or two-factor authentication is the one method that can prevent a cyber breach from happening, according to Tom Walsh, founder and managing partner of tw-Security. And users must also be held accountable for their actions.

"We're trying to advocate a principle of privacy: It's called the minimal necessary-privacy," Walsh said. "The principle of least privilege, in the security world, the idea is the same: Only give access to information as it's appropriate in order for someone do their job function."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn