In the summer of 2013, Cedars-Sinai Medical Center in Los Angeles fired six medical workers for a data breach. The breach resulted in the compromise of 14 patients’ personal health information (PHI), including that of celebrity Kim Kardashian. Kardashian’s family suspected a leak when the media revealed information about the delivery of Kardashian’s baby that hadn’t been shared with reporters.
According to the LA Times, four of the workers who were fired worked for doctors who had staff privileges at the hospital. The doctors had given their workers their usernames and passwords in violation of hospital policy, and the workers had used the information to access Kardashian’s PHI.
Although this incident involved a hospital, it offers lessons for businesses, not-for-profits and public sector agencies as well. Sharing passwords using non-secure methods can result in the compromise of customer information and the loss of intellectual property. A password manager stores and generates complex passwords to prevent data breaches. Many offer ways to share passwords without even revealing them to other people. Encrypted email is another way to share passwords so that they don’t fall into the wrong hands. Of course, passwords should never be shared unless there’s a compelling reason to share them.
Sharing a Password via Encrypted Email
Outlook, Gmail and Yahoo are the country’s largest email clients, and they offer differing levels of email security. Gmail encrypts the connection between the email user and the Gmail server using HTTPS technology, and Outlook does the same. Yahoo just started using HTTPS technology, but it has a long way to go to develop a strong solution. However, none of these email clients encrypts outgoing messages, which means someone else can easily read a password sent to an employee or co-worker.
Try some of these tools for email encryption if you’re sharing a password with someone else:
- Infoencrypt. To send a single encrypted message, visit Infoencrypt.com. In the interface, type an email, create a one-time password and click “Encrypt.” Then, copy and paste the encrypted message into Gmail, Outlook, Yahoo or other email client and send it. The recipient can copy the message, paste it into the Infoencrypt window, type the password and read the message.
- Mailvelope. Mailvelope is an extension that integrates with Gmail, GMX, Outlook and Yahoo Mail. Compose an email and then encrypt it by clicking the Mailvelope button in the corner of the message.
- Virtru. Virtru offers a Chrome extension and a Firefox add-on that work with Gmail, Outlook and Yahoo. The company also has an iOS app and plans to produce an Android app in the future. Simply compose an email containing a password and then click “Send Secure.” The recipient can read the message within Virtru’s Web Reader even if he or she hasn’t set up a Virtru account. Virtru accepts any Google, Microsoft or Yahoo credentials. Even better, the sender of a Virtru email can withdraw viewing privileges from the recipient at any time.
Sharing a Password via Password Manager
Some password manager tools like LastPass allow you to share a password without making it visible to the recipient. Within LastPass, the user can open the Online Vault, find a stored password and click the “Share” icon. Then, the password is stored in the recipient’s LastPass account, but the recipient never has the ability to see the password.
After a Password Is Shared
After sending a password to a recipient, make sure to change the password as soon as the recipient no longer needs it. In fact, let the recipient know that the password will only be valid for a limited period of time. Set a reminder on a calendar or use a smartphone’s reminder app so you remember to change the password when the time is up. If the password becomes vulnerable because someone loses a device, remotely wipe the device as soon as possible to avoid exposing both customer data and company intellectual property. Most importantly, stop sharing passwords on sticky notes or on USB drives. Also, avoid calling someone and leaving the password in the form of a voicemail.
Finally, the case of Cedars-Sinai Medical Center should remind everyone that sharing doesn’t prevent an untrustworthy person from misusing login credentials. Never share passwords with an employee who doesn’t need to use privileged information. A business doesn’t need a celebrity customer like Kim Kardashian to tempt an employee to misuse information.