Healthcare’s cybersecurity problem puts lives at risk

By Andrew Shikiar (FIDO)

When it comes to patient care, every minute counts and even the smallest details matter. 

Cyber attacks on patient privacy, which might seem remote from patient care, can also affect health: organizations need time to recover after a data breach and return to normal operations. Deploying a software patch or retraining staff disrupts clinical workflow and slows down treatment.

Compounding the issue is that healthcare’s data breach problem across Asia Pacific (APAC) has entered crisis mode. A Frost & Sullivan study last year showed that nearly half of healthcare organizations in APAC have either experienced a data breach or – more worryingly – are not certain if they even had one. 

The resulting cost is tremendous. Data breaches cost a large healthcare organization in APAC SGD31.6 million on average, and three out of every five cybersecurity attacks against healthcare organizations in 2018 resulted in job losses, according to the Frost & Sullivan study. In Singapore, incidents such as the SingHealth breach and the leak that compromised the personal information of more than 800,000 blood donors have also damaged public confidence in the healthcare system.

One reason attacks on the healthcare industry are effective is that the sector continues to depend on single-factor username and password authentication to access highly sensitive data. The alarming truth is that the use of stolen, weak, or default passwords is the root cause of 81 percent of all data breaches across all industries. Healthcare organizations need to act and move beyond security methods that cybercriminals long ago learned to bypass.

Out with the old…

The username-password combination has remained the first line of defense for decades. Authentication has a binary outcome: the service challenges the user for a credential, and if the expected credential is presented, that user is authenticated.

If you wanted to improve the security of the system, you would simply make the authentication challenge harder for the user to pass. This typically meant asking for additional “factors” of authentication – those factors being either “something you know” (e.g., a shared secret such as a password), “something you have” (e.g., possession of a one-time passcode (OTP) token), or even “something you are” (e.g., a biometric match using a fingerprint sensor).

If you wanted to improve the convenience of using the system, you would simply do the inverse and sacrifice security by reducing the effort required by the users to successfully pass your system’s authentication challenge. 

… In with the new

The future of authentication needs to be both more convenient and secure for users than traditional password systems in order to protect against well-known threats like phishing and account takeovers. 

Healthcare providers can achieve this vision of modern authentication by adopting industry standards that enable simple and strong multi-factor authentication experiences. 

These industry standards insulate the authentication process from the application developer: regardless of the online service, device maker or mobile carrier, eliminating the need to store “shared secrets” (e.g. passwords, PINs, or OTPs) on a server helps organizations achieve unphishable security.

By utilizing public key cryptography techniques, organizations address social-engineering attacks and the threat of credentials stolen in someone else’s data breach being replayed against their own service.

Healthcare organizations can also tap into biometric recognition technology on mobile phones and computers in novel ways. Users just touch something (fingerprint biometrics), say something (voice biometrics) or look at something (facial and iris biometrics) and have true multi-factor authentication to the mobile or web service. The process is highly secure and very convenient, striking a balance between security and ease of use.

Alternatively, healthcare organizations can extend their current infrastructure and augment passwords with an easy-to-use second factor like a security key or wearable. The user logs in as usual, and then presses a button on their second-factor device to be authenticated to the mobile or web application – a much simpler process than typing in another code or using another screen.

Eliminating the traditional password and/or leveraging user-friendly second-factor authentication will help to bring health practitioners peace of mind so that they can focus more on patient care. 

However, no single technology will be foolproof. With user credentials bound to the device, healthcare organizations must manage the risks associated with lost and stolen devices, as well as so-called “friendly fraud.” 

For situations where security is extremely important, healthcare providers can look at user behaviors to be certain that the authenticated user is the same person throughout the lifetime of the session. 

To gain this level of insight, a service provider must go beyond the multi-factor authentication event used at the moment of log-in and build a continuous authentication monitoring system to collect and score these attributes over time. Of course, this should be done in a manner that is privacy preserving for the user and without impacting user experience – both of which are also possible with new authentication standards.

The key is to stay ahead of cybercriminals while providing a simple, convenient and secure experience for users. Passwords do neither of those. In 2019 and beyond, the healthcare industry should make serious efforts to move to a more modern vision for authentication. Doing so will dramatically change the game for cybercriminals by eliminating their ability to perform scalable attacks on account credentials as a means of perpetrating fraud. It is time to let patients focus on improving their health without worrying about the security of their information.