Hospital near me has password requirements for their electronic medical records system as:
- 6 characters, no more, no less
- 2 characters must be a number
- 4 characters must be a letter
- case insensitive
- never changed
And for new hires and what not, they tell them to use {hospital abbreviation}{2 digit year}. Like casu24
No freaking wonder
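Added example, not part of the original comments: a short Python sketch that counts how many passwords the policy described above allows and shows a set-time check that rejects the onboarding template. The function names are hypothetical, and the abbreviation `casu` is the one quoted in the comment.

```python
import math
import re


def exact_composition_keyspace(length, n_digits, letter_alphabet=26):
    """Count passwords of exactly `length` characters that contain exactly
    `n_digits` digits, with every other position a letter.
    letter_alphabet=26 models a case-insensitive system."""
    n_letters = length - n_digits
    digit_positions = math.comb(length, n_digits)  # where the digits may sit
    return digit_positions * 10 ** n_digits * letter_alphabet ** n_letters


def bits(keyspace):
    """Size of a keyspace expressed in bits."""
    return math.log2(keyspace)


def matches_onboarding_template(password, abbreviation):
    """True if the password is {abbreviation}{two digits}, compared
    case-insensitively as the described system does."""
    pattern = re.escape(abbreviation) + r"[0-9]{2}"
    return re.fullmatch(pattern, password, flags=re.IGNORECASE) is not None


def policy_report(abbreviation="casu"):
    """Compare the full policy keyspace with the template keyspace."""
    full = exact_composition_keyspace(6, 2)
    # With the abbreviation known, only the two digits vary.
    template = 10 ** 2
    return {
        "policy_keyspace": full,
        "policy_bits": round(bits(full), 1),
        "template_keyspace": template,
        "template_bits": round(bits(template), 1),
        "example_rejected": matches_onboarding_template("CASU24", abbreviation),
    }


if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key}: {value}")
```

A check like `matches_onboarding_template` belongs in the password-change path, so that the handed-out default cannot be kept as a permanent password.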
Most organizations in the US don’t value cybersecurity as anything more than an abstract concept. The reasons for that can be numerous but in my experience it’s usually a combination of cost + survivorship bias.
Lack of serious consequences is another factor. Had a breach? Pay a small fine and an even smaller settlement (or should I say your insurance pays) and then it’s back to business as usual. Even in situations where the breach is due to gross negligence, the consequences are minimal (see Equifax).
Stand by while I work out what 65% of 100 is.
Did … Did you ever figure this out?