
How Clinics Can Save Millions With Proper Account Security


It’s time to audit your user account security.

A recent cyberattack on the City of Hamilton serves as a stark reminder: skipping proper user account security measures—especially multi-factor authentication (MFA)—can lead to damaging uninsured losses. According to a CBC report, the city’s insurer denied a $5 million claim because required secure login protocols were unmet. The insurer specifically cited MFA as a critical missing safeguard.

While this incident involved a municipal breach, the warning applies just as strongly to healthcare organizations. Arguably, access to healthcare data systems such as Electronic Medical Records (EMRs) needs to be even more secure. The hard lesson Hamilton has learned about strong user account security is one every healthcare organization should heed.

Why Lax Login Security Can Create Public Health Risk:

  • Privacy Breaches and Recovery Impact Health System Capacity

Studies have shown that privacy breaches redirect resources away from patient care for weeks, months, and even years after the initiating incident. While healthcare facilities are offline or distracted addressing a privacy breach, other resources in the region are strained to compensate.

  • Healthcare Systems Are Seen As Easy Targets

It is well known that healthcare organizations typically invest less effort in account security than they should. Cybercriminals commonly exploit weak or single-factor logins to gain access to PHI. Account logins that are shared by multiple team members create further weaknesses and prevent full privacy compliance.

  • Healthcare Data Is Valuable

Health data can be sold on the black market for as much as $400 per record. Once they gain access, criminals can extract and expose sensitive data, or demand ransom—creating not just financial harm, but serious risks to patient safety and trust.

  • Insurers Expect Strong Technical Safeguards

Like the City of Hamilton, healthcare providers may be denied coverage or face increased premiums if basic user account security measures such as MFA, strong password policies, and unique user accounts aren’t enforced uniformly. Discuss these requirements with your cyber insurance provider to ensure you retain access to your full coverage.

Best Practices: Don’t Leave User Accounts Vulnerable

While adding account security may seem like extra discretionary cost, the investment will pay off by preventing the massive expense of breach recovery. Managing the aftermath of a privacy breach has been shown to quickly reach deep into six-figure dollar amounts.

1. Enforce Multi-Factor Authentication Everywhere

Make MFA mandatory for all staff accessing sensitive systems, and especially for those who access systems remotely.

2. Assign Individual User Accounts—Never Shared

Shared logins prevent accountability, impair mandatory access audits, and violate regulatory standards. Each user must have unique access tied to their activities. In Brightsquid Secure-Mail, users can have their own login and still manage the clinic’s Shared Inbox as a team.

3. Use Strong, Unique Passwords + Rotation

Implement password rules that require complexity and prohibit reuse across systems. Change credentials periodically or when personnel changes occur.

Strong passwords include all of these components:

  • 12 characters or more
  • Upper and lower case letters
  • Numbers
  • Symbols (e.g., !@#$&)

4. Monitor and Lock Down Suspicious Access Attempts

Establish audit logging and automatic lockouts for repeated failed logins or unusual access patterns.
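As an added illustration of this lockout rule (example code written for this article, not a Brightsquid product feature), the following Python routine replays constructed authentication events and locks an account once a threshold of failures lands inside a sliding time window; the log format, usernames, IPs and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): "<ISO timestamp> <user> <OK|FAIL> <source IP>"
SAMPLE_LOG = """\
2025-01-10T08:00:01 dr.lee FAIL 10.0.0.5
2025-01-10T08:00:09 dr.lee FAIL 10.0.0.5
2025-01-10T08:00:15 dr.lee FAIL 10.0.0.5
2025-01-10T08:00:22 dr.lee FAIL 10.0.0.5
2025-01-10T08:00:30 dr.lee FAIL 10.0.0.5
2025-01-10T08:00:41 dr.lee OK 10.0.0.5
2025-01-10T09:30:00 nurse.kim FAIL 10.0.0.7
2025-01-10T09:45:00 nurse.kim FAIL 10.0.0.7
2025-01-10T10:10:00 nurse.kim FAIL 10.0.0.7
2025-01-10T10:13:00 nurse.kim FAIL 10.0.0.7
"""

THRESHOLD = 5                    # failures that trigger a lockout (assumed policy value)
WINDOW = timedelta(minutes=15)   # failures must all fall inside this window
LOCKOUT = timedelta(minutes=30)  # how long the account stays locked

def parse_line(line):
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip

def evaluate(log_text, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
    """Replay events in order; return (lockouts, refused) where lockouts holds
    (user, locked_at, locked_until) and refused holds lines rejected while locked."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> datetime the lock expires
    lockouts, refused = [], []
    for line in log_text.splitlines():
        ts, user, result, _ip = parse_line(line)
        if user in locked_until and ts < locked_until[user]:
            refused.append(line)    # locked: refuse even a correct password
            continue
        if result == "OK":
            failures[user].clear()  # a genuine login resets the failure counter
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked_until[user] = ts + lockout
            lockouts.append((user, ts, ts + lockout))
            q.clear()
    return lockouts, refused
```

With the sample data, dr.lee is locked at the fifth rapid failure and the correct login ten seconds later is refused, while nurse.kim's four failures spread over 43 minutes never fill the 15-minute window and trigger nothing.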

5. Train Staff Consistently

People are often the weakest link. Teach your team how phishing and social engineering exploit weak credentials, and why technical safeguards matter. Make sure they understand the requirements of the privacy legislation in your jurisdiction.

Security Risks Aren’t Just Technical—They’re Operational

Skipping a security step might feel like a time- or cost-saving shortcut today, but it can lead to catastrophic consequences tomorrow. The City of Hamilton’s uninsured $5 million liability was set in motion the moment proper login protocols were overlooked.

In healthcare, the stakes are even higher: compliance violations, patient harm, and data breaches can erode public trust and jeopardize entire operations.

Secure your systems with robust authentication, and make sure everyone on your team is properly trained in privacy to understand the rules and how to apply them.