CISO channels password 'hate' into better protections

'People for a long time have argued the problem is passwords. I would argue the problem is more around behavior for how we manage passwords'
By Mike Miliard
08:51 AM

As an academic medical center, University of Utah Health Care has some special security challenges unique to an organization of its size and scope.

[See also: CISO: Security must work within workflow]

"The challenge we have is the diversity of the users," says Dan Bowden, the health system's chief information security officer.

That means different job titles, different levels of responsibility, "ways to access patient data in different ways and on different devices, from different places," he says.

[See also: CISO's biggest fear: 'what I don't know']

Furthermore, many folks there play dual roles: "The physicians are also required to be faculty members, and so they have just another myriad of opportunities for how they have to access information, what systems they use," says Bowden.

Think how many different and ever-changing passwords you have to keep straight every day, and then multiply it by those many layers of complexity.

Passwords are critical nowadays, but they're also new favorite targets of hackers and other cyber bad guys.

The biggest recent trend aimed at exploiting weak passwords is phishing – something Bowden's staff has had to grapple with firsthand.

"We, like a lot of organizations, had phishing attacks that caused (employees') direct deposit information to be changed," he says. "Their paycheck got sent somewhere else."

Events like those tend to help focus the mind on the importance of robust privacy protections – from the C-suite right on down to the med student.

In his July 1 talk at the Healthcare IT News Privacy & Security Forum in Chicago next week, Bowden will discuss his strategy for managing staff passwords at three linked U of U organizations – the health system, the university and the health science colleges.

In his session, "Aggressive Tactics for Managing Password Risk," he'll show how passwords can be bolstered with multi-factor authentication tailored to specific policies and procedures for health organizations with different types of users, and he'll discuss how his team is working to incorporate that approach into a broader HIPAA security program at University of Utah Health Care.

As Bowden puts it in the précis of his speech: "CISOs hate passwords. The people they work for hate passwords. … But what adds insult to injury is this: Passwords are a growing target of hackers and password reset calls are driving helpdesk staff crazy and costs sky high."

"Password strength and frequency of changes" are critical, says Bowden, but so are other tools in a health organization's security armamentarium.

"People say, 'I can roll out two-step authentication, and that will prevent me from having a user-oriented compromise' – but while a user is using a device, they can do something to cause the device to become compromised, and then every time they use the device afterwards, that device is now an exploited point on your network," he says.

"We're looking at how we can secure elevated access credentials, system credentials," says Bowden. "Password storage for those where it's checked in or checked out if it's a situation where it's a system that has shared credential, things like that."

There are many approaches for managing passwords, he says: "People ask, can I get a password that always understands if I'm logging from the same IP address on the same device – the bar for identification is lower if I change devices, or it challenges me if I log in from a new device? Those are things that I think everyone has to take into account as we move forward in healthcare."
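The context-aware login Bowden describes (a lower bar from a known device on a known network, a challenge when either changes, and a second factor always required on high-risk systems, as in the two-step approach he mentions later) can be expressed as a small policy function. The following is an added illustration and not code from the article or from University of Utah Health Care; the device and network history, the lockout threshold and the sample login events are all constructed.

```python
"""Risk-based (adaptive) login decision: step up authentication only when
the login context changes or the target system carries high inherent risk.

Added example; not from the article or University of Utah Health Care.
Device/network history, thresholds and sample events are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"
MAX_FAILURES = 5  # constructed lockout threshold


@dataclass
class UserProfile:
    """Context remembered from earlier successful second-factor logins."""
    known_devices: set = field(default_factory=set)
    known_networks: list = field(default_factory=list)  # ip_network objects
    recent_failures: int = 0


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    source_ip: str
    system_risk: str  # "high" or "standard", from the inherent risk assessment


def make_profile(devices, cidrs, failures=0):
    """Build a profile from constructed device ids and CIDR strings."""
    return UserProfile(set(devices), [ip_network(c) for c in cidrs], failures)


def decide(attempt, profile):
    """Return (decision, reasons) for a single login attempt."""
    if profile.recent_failures >= MAX_FAILURES:
        return DENY, ["too many recent failures; lock out and alert the helpdesk"]

    ip = ip_address(attempt.source_ip)
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unrecognised device")
    if not any(ip in net for net in profile.known_networks):
        reasons.append("source network not previously seen for this user")
    if attempt.system_risk == "high":
        reasons.append("high inherent-risk system: second factor always required")

    if reasons:
        return CHALLENGE, reasons
    return ALLOW, ["known device on a known network"]


def record_success(attempt, profile):
    """After a successful second factor, remember the context so the bar is
    lower next time from the same device and network."""
    profile.known_devices.add(attempt.device_id)
    ip = ip_address(attempt.source_ip)
    prefix = "/24" if ip.version == 4 else "/64"
    net = ip_network(attempt.source_ip + prefix, strict=False)
    if net not in profile.known_networks:
        profile.known_networks.append(net)
    profile.recent_failures = 0


if __name__ == "__main__":
    alice = make_profile(["laptop-01"], ["10.20.30.0/24"])
    for ev in [
        LoginAttempt("alice", "laptop-01", "10.20.30.7", "standard"),
        LoginAttempt("alice", "phone-02", "198.51.100.9", "standard"),
        LoginAttempt("alice", "laptop-01", "10.20.30.7", "high"),
    ]:
        print(ev.device_id, ev.source_ip, ev.system_risk, "->", decide(ev, alice))
```

The decision engine only returns an outcome; the MFA prompt, the lockout alert and the persistence of `UserProfile` belong to the identity provider. Keeping the policy separate from the prompt makes it straightforward to log every `CHALLENGE` and `DENY` with its reasons, which is the signal an incident responder wants when a phishing-driven credential compromise is suspected.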

More to the point, the passwords themselves aren't always the issue.

"People for a long time have argued the problem is passwords," says Bowden. "I would argue the problem is more around behavior for how we manage passwords – 'we' being the individual users and the IT security organizations – on the flexibility and the different levels and the types of authentication we provide."

To help grapple with this at U of U, "what we have done is create an inherent risk assessment," he says. "We perform this survey on all our information systems and then anything that comes out with a high inherent risk score that means that the system is very important, that if the data were breached or there was a significant downtime event, it would definitely affect business."

That's a "process that the organization has bought into," says Bowden, and that has made all the difference in its success so far. By making the case that security is a business issue, he has found that C-suite buy-in comes easily.

"By targeting those high-risk systems, the leadership in the organization is very comfortable in helping us set out mandated guidelines or security controls," he says.
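The process Bowden outlines above, a survey of every information system, a weighted inherent risk score, and mandated controls for whatever scores high, can be made concrete with a small scoring routine. This is an added example and not the actual University of Utah Health Care survey; the questions, weights, tier thresholds, control lists and the three sample systems are constructed.

```python
"""Inherent risk assessment: score survey answers per system, rank systems,
and attach the mandated control set for each tier.

Added example; not University of Utah Health Care's survey. Questions,
weights, thresholds, controls and sample systems are constructed.
"""

# question -> weight; every question is answered on a 0..MAX_ANSWER scale
QUESTIONS = {
    "data_sensitivity": 3,   # 0 public .. 3 regulated patient data
    "record_volume": 2,      # 0 handful .. 3 millions of records
    "downtime_impact": 3,    # 0 none .. 3 patient care or business stops
    "external_exposure": 2,  # 0 internal only .. 3 internet-facing
}
MAX_ANSWER = 3
HIGH_THRESHOLD = 0.7      # fraction of the maximum possible score
MODERATE_THRESHOLD = 0.4

CONTROLS = {
    "high": [
        "two-step authentication for every user",
        "privileged credentials held in a check-in/check-out vault",
        "encryption at rest and in transit",
        "quarterly access review",
    ],
    "moderate": ["two-step authentication for administrators", "annual access review"],
    "low": ["password policy baseline"],
}


def score(answers):
    """Return the weighted score as a fraction of the maximum (0.0..1.0).
    Raises ValueError for an incomplete or out-of-range survey so a
    half-filled questionnaire can never silently land in the low tier."""
    missing = set(QUESTIONS) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    for q, a in answers.items():
        if q not in QUESTIONS or not 0 <= a <= MAX_ANSWER:
            raise ValueError(f"bad answer for {q!r}: {a!r}")
    total = sum(QUESTIONS[q] * answers[q] for q in QUESTIONS)
    maximum = sum(w * MAX_ANSWER for w in QUESTIONS.values())
    return total / maximum


def tier(fraction):
    if fraction >= HIGH_THRESHOLD:
        return "high"
    if fraction >= MODERATE_THRESHOLD:
        return "moderate"
    return "low"


def assess(systems):
    """systems: {name: answers}. Returns a list of (name, fraction, tier,
    controls) sorted highest risk first, which is the targeting order."""
    rows = []
    for name, answers in systems.items():
        f = score(answers)
        t = tier(f)
        rows.append((name, f, t, CONTROLS[t]))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample survey results
SAMPLE_SYSTEMS = {
    "ehr": {"data_sensitivity": 3, "record_volume": 3, "downtime_impact": 3, "external_exposure": 1},
    "research_db": {"data_sensitivity": 3, "record_volume": 1, "downtime_impact": 1, "external_exposure": 0},
    "cafeteria_menu": {"data_sensitivity": 0, "record_volume": 0, "downtime_impact": 0, "external_exposure": 3},
}

if __name__ == "__main__":
    for name, f, t, controls in assess(SAMPLE_SYSTEMS):
        print(f"{name:15} {f:.2f} {t:9} {'; '.join(controls)}")
```

The ranked output is the artefact leadership signs off on: the high tier carries the mandated controls, and the score behind each tier is reproducible from the survey answers, so a system owner who disputes a tier argues about an answer rather than about the control.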

"What we're seeing already is that after a while – it's not just passwords, it's everything – they're like, 'Why wouldn't we just use two-step authentication on everything?' The beauty of it is, it's leadership saying that, and not me. That's what spurred the adoption."

Same thing with encryption: "Five years ago, that's what we were all talking about: why can't we get our laptops encrypted? Now, leadership in healthcare is saying, why wouldn't you encrypt your laptop or cell phone? That's what we're starting to see now with passwords. … Once you get the foot in the door, where people see the value, they start selling it for you."

[See also: Password pain points]
