First Do No Harm — Then Do No Passwords

by Ori Eisen, Founder & CEO Trusona

Featured in Health IT Outcomes

In light of the recent cybersecurity guidelines issued by the SEC, companies’ policies are under the microscope more than ever. The SEC has called on public companies to be more forthcoming about disclosing cybersecurity risks, even before a breach or attack happens.

The healthcare industry is hemorrhaging cash and trust, while cybercriminals are still bleeding sensitive patient data from the system. The number of healthcare data breaches caused by hacking is increasing threefold each year, with some 14.6 million patient records stolen in 2016 alone.

Over 81 percent of security breaches overall are a direct result of cybercriminal hacks involving stolen passwords, and all but three of the largest healthcare data breaches in 2017 were a result of password phishing/IT incidents. A weak IT infrastructure results in user credentials falling into the hands of criminals who turn to the dark web, where highly specific patient information, such as medical conditions, prescriptions and Social Security numbers, can be sold for as little as a penny per record. In late 2017, investigators found that 1.9 billion stolen passwords and usernames were up for sale. Stolen records are far more valuable to cyber criminals who use them to initiate multiple kinds of fraud, from insurance scams to identity theft, adding up to crimes that cost the U.S. taxpayer billions of dollars per year.

The SEC guidelines are not compulsory, yet many lawmakers have argued that given the major breaches of the past year – from Equifax to WannaCry – the public should expect and demand more transparency about how their personal information is being handled.

A primary care physician can be responsible for overseeing a portfolio of 1,200 to 1,900 patients, which can leave many individual accounts vulnerable to attacks. The sheer numbers can make them difficult to secure, especially if passwords are the primary barrier between sensitive data and cyber criminals. A study by Healthcare Informatics Research found that healthcare professionals frequently share passwords amongst staff members, a practice that further puts confidential information at risk.

Beyond insecure, passwords are inconvenient – in a typical healthcare setting, 91 minutes are wasted because of inefficient systems and workflows. On average, healthcare providers log in to workstations and applications 70 times per day and spend an average of only 46 percent of their time on direct patient care. This also places a burden on IT and helpdesk staff as they respond to their most frequent complaint: forgotten passwords.

So how can healthcare providers ensure they won’t make the next big “breach” headline? Service providers, businesses and end-users need to universally adopt a multi-faceted approach to identity authentication, moving away from knowledge-based methods where answers can be easily stolen and manipulated. When it comes to adapting to the latest security threats, the healthcare industry is lagging behind, and with the rise of “smart” medical devices, which are slated to see the largest growth through 2023, technological developments will continue to place a heavy burden on IT infrastructure.

Authentication cannot rely only on what an individual knows; it also needs to consider unique factors that will protect against those trying to impersonate you. Overall, the healthcare industry will better serve the security needs of patients, increase employee productivity, ensure major security and compliance benefits, and save thousands on helpdesk tickets. Investing in and implementing multi-factor authentication solutions within healthcare organizations is not just the logical thing to do – it’s good for business.

We must take a unified step towards modernizing approaches to cybersecurity within the healthcare industry and beyond so that past mistakes are not repeated year in and year out. Industry giants such as Aetna and NH-ISAC have already begun spearheading the #NoPasswords revolution. Now is the time for the healthcare industry to set a precedent for how organizations can ensure that patient data and confidentiality are secure.

Karen Dayan