Addressing healthcare’s password problem

In 2022, healthcare was ranked as the most breached sector with some of the weakest passwords. This should come as no surprise. The COVID-19 pandemic, coupled with the resulting digital acceleration, has led to a burgeoning digital health industry in Asia that is expected to reach US$10 billion by 2025.

As healthcare organisations move further along their digital transformation journey, with more of our health-related data transmitted or stored online, there is an increasingly urgent need for companies to strengthen their cybersecurity postures. While there are various steps that healthcare organisations can take, it is important that they address one key issue: passwords.

The problem with passwords

The healthcare sector has long been plagued by data breaches, even before the pandemic. For example, in 2018, Singapore suffered one of its worst data breaches. Hackers infiltrated the computers of SingHealth, Singapore’s largest group of healthcare institutions, and stole the personal particulars of 1.5 million patients, including those of the country’s prime minister.

More recently in January 2022, approximately 39 million health records were reportedly stolen from a hospital in Thailand and offered for sale on an internet database-sharing forum.

As we continue to see an upward trend in data breaches, one cannot help but ask: what role do passwords play in such cyberattacks?

Experts have long warned about the fallibility of knowledge-based authentication such as passwords. Poorly managed, easily guessed, and stolen passwords are among the most common causes of data breaches. At the core, knowledge-based credentials like passwords are human-readable: they can be phished from users, or simply guessed without the user’s involvement at all, whether by credential stuffing (replaying username-and-password pairs leaked from another site) or by password spraying (trying a handful of common passwords against many accounts, staying under lockout thresholds).

Good cyber hygiene alone is not enough, either, as cyberthreats continue to evolve. The average user has nearly 200 pairs of usernames and passwords, far more than anyone can remember and keep track of.

Particularly in the healthcare sector, where speed and efficiency are of the essence, this has led to many healthcare workers reusing the same few passwords. Such habits magnify the threat of an account takeover, as just one leaked password can put all other accounts at risk.

What are the options?

That said, how can we address these issues?

The answer lies in moving away from knowledge-based “secrets” like passwords to possession-based authentication methods that are simpler, faster, and more secure. Going passwordless takes the guesswork out of secure, frictionless authentication, an increasingly urgent priority as healthcare goes digital. These techniques leverage devices we already have at our fingertips, such as a smartphone’s biometric sensor or a hardware security key.

This requires only a single gesture by the user. Behind the scenes, a cryptographic challenge-response takes place between a “private key” stored securely on the user’s device and its “public key” counterpart registered on the service provider’s server: the server sends a fresh random challenge, the device signs it with the private key, and the server checks the signature with the public key. Neither the public key the server stores nor the signed response that crosses the network is enough to log in on its own, which is what makes relying on cryptography rather than human recollection far more secure. Going passwordless also widens the range of ways to unlock the credential: a healthcare worker wearing gloves can use facial recognition or a PIN that unlocks the device locally instead of a fingerprint. Because the private key never leaves the device and the signed response is bound to the genuine site, a phishing page cannot capture or reuse it, which is why this approach is resistant to phishing and account takeover.
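To make that cryptographic dialogue concrete, here is an added example in Go that models both sides of it. It is not code from the article or from any product it mentions; it is modelled loosely on the structure of FIDO2/WebAuthn assertions (which the article does not name), and every identifier in it, including the relying party `hospital.example`, the user `nurse1` and the function names, is an illustrative assumption. The device holds a P-256 private key scoped to one site, the server stores only the public key, and each login signs a fresh server challenge together with the site identity and the origin the browser actually loaded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser hands the device to sign: the server's
// one-time challenge and the origin the login page was really loaded from.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the user's phone or security key: a private key that
// never leaves the device, scoped to the one relying party it was registered with.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty models the server. It stores public keys only, so a stolen copy
// of this table gives an attacker nothing to log in with.
type RelyingParty struct {
	rpID, origin string
	pubs         map[string]*ecdsa.PublicKey
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

// Register generates a P-256 key pair on the device; only the public half reaches the server.
func (rp *RelyingParty) Register(user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubs[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.rpID, priv: priv}, nil
}

// NewChallenge is the server's fresh 32-byte nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage ties the signature to both the site identity and the client data.
func signedMessage(rpID string, clientJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// Assert is the device's half of the dialogue. Browsers derive rpID from the page
// origin, so a look-alike domain never even reaches the real credential.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (clientJSON, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, errors.New("no credential registered for this site")
	}
	clientJSON, _ = json.Marshal(clientData{Challenge: hex.EncodeToString(challenge), Origin: origin}) // cannot fail for this struct
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, clientJSON))
	return clientJSON, sig, err
}

// Verify is the server's half: its own challenge, its own origin, and a valid
// signature under the registered public key. No reusable secret crosses the wire.
func (rp *RelyingParty) Verify(user string, challenge, clientJSON, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != hex.EncodeToString(challenge) {
		return errors.New("challenge mismatch: replayed or stale assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion relayed by another site", cd.Origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.rpID, clientJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("hospital.example", "https://hospital.example") // constructed names
	dev, _ := rp.Register("nurse1")
	ch, _ := NewChallenge()
	cj, sig, _ := dev.Assert("hospital.example", "https://hospital.example", ch)
	fmt.Println("genuine login:", rp.Verify("nurse1", ch, cj, sig))
}
```

The three server-side checks are what carry the security argument from the paragraph above: a reused assertion fails on the challenge, an assertion the user was tricked into producing on a look-alike page fails on the origin, and an attacker who edits the origin field to fix that breaks the signature, because the signed message covers the client data. The device-side rpID check models the browser refusing to offer a credential registered for one site to a different one.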

Users of digital health services will be looking for convenient and seamless online experiences, and that starts from the logging-in process. A report by Jumio showed that 63% of consumers are more likely to engage with a business in the healthcare industry that performs robust identity verification, highlighting authentication as an important factor when choosing to engage with an organisation.

Passwordless authentication is the new reality

Passwordless authentication is fast becoming our new reality as more companies pledge to eliminate passwords. Big tech companies like Google, Microsoft, and Apple have already expanded their support for a common passwordless sign-in standard, potentially paving the way for hundreds of millions of users to go password-free soon.

There is no better time than now for the healthcare industry to adopt common passwordless sign-in standards, especially as many organisations in the sector embrace digital transformation. Of course, it is crucial to note that a standardised authentication method cannot solve the sector’s security problems unless it is widely adopted throughout the healthcare industry.

Overall, a consistent approach to security and standardised authentication that flows across healthcare platforms and apps is urgently needed to protect patients and their health data.