Why the Healthcare Sector needs MFA


With an increase in digital records and healthcare appointments, sufficient security like MFA is becoming more vital to protect patient privacy and data.

It should be common sense to know that data breaches are costly both when it comes to monetary loss and business reputation. However, this cost steepens in the healthcare industry, as providers are responsible for a plethora of their patients’ confidential and sensitive data. Healthcare organisations cannot afford to have any downtime, making them an attractive target to threat actors looking for what they suspect will be easy money. And unfortunately, what often gives threat actors entry onto a network is as simple as a weak password or an unsecured account – something which can be quite easily avoided. The COVID-19 pandemic resulted in a surge in attacks on hospitals and other healthcare organisations, highlighting the significant risk they are exposed to. As such, this industry must take special care to properly secure its networks and devices while identifying and securing all accounts to protect the privacy and health of both patients and staff.

Why is authentication in healthcare important?

Similar to most industries, the healthcare sector has been undergoing a digital transformation over the past few years, resulting in the accumulation of electronic medical records and devices. Wearable smart devices, for instance, make it easier for patients to track their health and for doctors and nurses to consequently provide diagnosis or advice. However, this proliferation of sensitive health data poses a gold mine for attackers looking to exploit organisations for monetary gain, as these kinds of records can be extremely profitable for attackers on the dark web. An increase in exposure online and through shared servers has already resulted in an explosion in information breaches, identity theft and various violations of the Health Insurance Portability and Accountability Act (HIPAA).

This is where authentication comes in. This digital transformation has also sparked an increase in account creation: accounts which all must be secured. If these are properly protected, digital identities can, in fact, streamline the identity verification process and make it much easier for doctors, nurses and healthcare staff alike to access valuable information. It also makes it possible for patients to have a direct line to their healthcare professionals to share important information and receive necessary and fast support. This being said, they must be sufficiently protected or they provide attackers with an easy entry door to a treasure trove of information.

Unsurprisingly, a static password is no longer seen as an adequate security barrier to prevent unauthorised access. As a matter of fact, 80% of data breaches are associated with weak, stolen or reused passwords – they are becoming easy gateways for quick access to a network, underscoring the problem with using them for account security.

Using Multi-Factor Authentication (MFA)

Due to the nature of personal health information (PHI) and other medical records stored on the servers of healthcare organisations, it must be kept as secure from a breach as possible. Nonetheless, the information must also be easily accessible when it is needed. Accessibility and availability are imperative in the healthcare system, especially as patients and workers are increasingly accessing their information from various locations and various devices as the healthcare system is moving toward a more integrated, cross-border approach to patient care.

Multi-factor authentication (MFA) can provide healthcare organisations with this type of safe access along with the necessary security to keep threat actors out. In fact, a 2018 report to Congress on the Federal Information Security Management Act revealed that up to 65% of cybersecurity incidents were preventable with strong multi-factor authentication. This is often down to the fact that many of these types of attacks actually lack sophistication and will exploit simple human error to gain access to a network or system. As it stands, passwords are a security factor many people don’t take very seriously, meaning they are often reused or far too easy for an outside party to deduce. When it comes to healthcare institutions that cannot afford a lack of security, there are many options to consider that allow them to protect their systems. For example, the Salisbury NHS Foundation Trust deployed a password management solution alongside MFA, allowing them to reduce the number of breached passwords on their systems from 3,000 to 7. This is an efficient way to reduce bad password practices and prevent the reusing or sharing of passwords in the future.

When it comes to MFA, there are three categories of authentication, which are ‘something you are’, ‘something you have’ and ‘something you know’. Simply put, these are typically a biometric scan, a device and a password. For better security, two of these are used in conjunction with one another, the two most common being the combination of a password and a mobile device. Consequently, when it comes to using MFA in healthcare organisations, it can allow users to decrease their reliance on passwords, improve clinician workflow and open a window to a world of passwordless authentication. Granted, while it provides a stronger level of security, it also has its disadvantages.

What to consider with MFA/Authentication in healthcare

100% security is impossible, especially when considering the number of accounts and digital identities that must be secured within a healthcare system. In addition, there are several things that must be kept in mind when authenticating accounts in healthcare, such as the fact that:

  • A high number of accounts and workflows drastically increases the need for services that require user authentication. Adding layers of security could create inefficiencies and create a burden for clinicians and staff constantly having to verify their identity.
  • Security must be balanced with convenience for better patient experience. In order to achieve this, it should include embedded authentication workflows that integrate with existing applications, medical devices, remote access gateways, virtual desktop platforms and other systems.
  • Compliance with the highest standard of regulating care and data privacy regulations is vital.
  • If a password is required as part of the authentication process, it must be safe to use. More simply put, it should be unique to the account (i.e. not breached) and be more complicated than a simple word. It also can’t be something that can be easily guessed through social engineering; anything related to favourite sports or an openly displayed birthday is a big taboo. As such, a passphrase is the most effective way to generate a password.
  • A security barrier surrounding the perimeter alone isn’t always enough. Protecting the perimeter is the first step, however, MFA should be deployed alongside other cybersecurity solutions that will internally protect individual assets and data.
  • Healthcare MFA can be costly as well. Of course, there is a cost of distributing and managing thousands of authentication tokens. What businesses should keep in mind, though, is that the cost of non-compliance to data privacy and the resulting monetary loss to data breaches far outweighs the price of implementing the right security.
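The password requirements in the list above (unique to the account, not already breached, more than a single word, and ideally a passphrase) can be enforced at enrolment time. The following added example, which is not code from the article or from Authlogics, does that: it screens a candidate password against a breached-password set by comparing SHA-1 hashes (so the plaintext list never has to be loaded) and generates a random multi-word passphrase with `secrets`. The word list, the breached entries and the 14-character minimum are constructed assumptions for the demo; a real deployment would plug in a large word list and a live breached-credential feed.

```python
import hashlib
import secrets

# Constructed word list for passphrase generation (assumption: real lists have thousands of words).
WORDLIST = [
    "anchor", "basil", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "river", "saffron", "timber", "umbrella", "velvet", "willow", "zephyr",
]

# Constructed breached-password feed, stored only as SHA-1 hex digests; the plaintexts are
# never kept once the set is built. Entries are illustrative, not from any real breach dump.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["password", "Password1", "welcome123", "hospital2020", "summer2021!"]
}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 hash appears in the breached set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1


def check_password(password: str, min_length: int = 14) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isalpha() and password.lower() in WORDLIST:
        problems.append("is a single dictionary word")
    elif password.isalpha():
        problems.append("is a single word with no separators, digits or symbols")
    if is_breached(password):
        problems.append("appears in breached-password data")
    return problems


def generate_passphrase(words: int = 4, separator: str = " ") -> str:
    """Generate a random passphrase using a cryptographically secure choice of words."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["Password1", "glacier", "hospital2020", "river-timber-ember-anchor"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    suggestion = generate_passphrase()
    print(f"suggested passphrase {suggestion!r}: {check_password(suggestion) or 'OK'}")
```

The breached-list check deliberately works on hashes so the service can be fed a hash set from a breach-notification provider without ever holding plaintext passwords; the passphrase generator uses `secrets.choice` rather than `random.choice` because the latter is predictable and unsuitable for credentials.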

Being so vulnerable to data breaches due to the vast amounts of valuable and sensitive data it stores, the healthcare industry must make sure to adequately secure all accounts and identities. Passwords are no longer sufficient; multi-factor authentication is the safest and most efficient method of protection. Even if credentials are stolen, shared or easily guessed, a threat actor will be unable to access any account without the second factor needed to pass the login page. As a result, healthcare professionals and patients will be able to input and access their information safely and efficiently, knowing it will be protected from compromise.

Article by Steven Hope, CEO of Authlogics