Healthcare has been steadily moving into consumerization, as the industry shifts into value-based care and patients demand easier access to their data. At the same time, cyber threats and hackers have increased in sophistication, continuing to target the sector to gain access to its troves of data.
Many health delivery organizations still struggle with some of the basic cybersecurity needs to keep up with these threats. However, the majority of providers continue to shift into greater care access, through telemedicine, patient portals, mobile, and other remote platforms.
As a result, the threat surface has rapidly expanded in recent years. It begs the question: How can health providers begin plugging some of these security holes?
What is Multi-Factor Authentication?
To Erin Benson, Director of Market Planning for LexisNexis Risk Solutions, multi-factor authentication (MFA) can fill in those security gaps.
NIST describes MFA as a basic security tool used by most industries. For example, when taking money from an ATM, the card is swiped and then the user verifies their identity through a four-digit PIN.
“MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account,” NIST researchers wrote.
These credentials can range from passwords and PINs to physical identifiers like a smart card or a fingerprint. To bolster security, the credentials need to come from at least two different categories, so using two passwords does not count.
“Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor,” NIST researchers wrote. “Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.”
MFA use in the healthcare sector has been driven by the near-daily reported breaches or security incidents, as well as phishing attacks. In fact, phishing attacks in 2018 were driven by hackers attempting to steal credentials, instead of traditional malware infections.
In response to these mass phishing campaigns, Vanderbilt University Medical Center is currently undergoing a security overhaul, implementing multi-factor authentication on every tech platform within its network.
The Need for Greater Access
After speaking with a group of CIOs, LexisNexis found that cybersecurity is a top priority for most. Benson explained that while security used to be about protecting the perimeter to keep threats out, the industry now needs to shift into detection from the inside, as well, to reflect the increased sophistication of cyberattacks and hackers.
In fact, any point where someone can access a system is a potential vulnerability: employees logging into systems, vendor access, and, given the increase in interoperability, other providers logging into the network.
“CIOs are concerned not just whether the right people can get access. They’re also concerned about protecting data, and not just data from the outside shell,” said Benson. “They want to make sure all of the intersections within the system are being properly secured.
“From the need to balance security with that consumerization, and the desire to bring medical care to patients where they are through telemedicine or checking labs through patient portals, the number of ways to interact with patients is growing, as well,” she added. “All of these trends play into MFA really well to address cybersecurity.”
Balancing Security with User-Friendly Tools
The process for integrating MFA will differ for each organization and will depend on the type of system they are trying to integrate with MFA, Benson explained. Some organizations will provide coding and instructions to the IT department to implement the tool, while others partner with EHR vendors to integrate the product into the EHR, “which makes it easier on providers to implement.”
The key is to balance the need to make these access points as secure as possible with the need to be user-friendly, with as little friction as possible, she said. MFA should feature a variety of identity verification layers to make this happen.
MFA should be considered a tool for plugging more holes in the attack surface, Benson said. “It’s critical, as there are so many security vulnerabilities, one level isn’t enough.”
Organizations first need to employ tools that assess user access to determine what is logging in, she explained. For example, the tool can determine whether the connection is coming through a VPN, and whether a real person or a bot is behind it; signals like these can all be red flags.
“There are about 200 elements of devices on how the person is logging in,” Benson said. “And all of these checks can happen behind the scenes. You don’t necessarily need the user to do that level of verification. But if there are red flags, then you can step up to the next level of authentication.”
The more traditional methods require the user to verify any information entered into the access fields, she said. There are tools that can look at IDs or state licenses that can determine if the user’s identity is real through picture matching to make sure the person at the computer is on the license.
But an even more basic MFA tool is knowledge-based: asking the user a question that only they would know, Benson added.
“The ones you use and in which order will be determined largely by what you’re trying to do,” she said. “For example, a new account creation will need to be more thorough. We’re starting to tailor that need around different use cases to plug in all of those holes.”
For small providers struggling with limited resources, Benson recommended starting with the first layer: performing a device assessment as a “cost effective way to get some security in place.”
Next, organizations can step up their security with deeper authentication. Not every platform needs all of these layers to be hit, she explained.
“If the user hits the initial layer of defense and everything looks fine, they don’t need to keep going,” said Benson. “The idea is to put friction on the fraudsters to make sure they can’t get into the system. It’s about layering in security: Not everyone is going to hit every layer. The tool should judge based on risk.”
“A lot of times, we see organizations start with a device assessment in the background, but then add a knowledge-based identification quiz as the second layer,” she added.
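As an added illustration of the layered, risk-based flow Benson describes (a silent device assessment first, stepping up to a knowledge-based question or a stronger factor only when red flags appear), here is a small decision engine; it is constructed for this article and is not code from LexisNexis or any product mentioned here. The device signals, weights and thresholds are assumptions, and the impossible-travel check implements the "20 minutes later from halfway around the world" analytic from the NIST quote above.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed login context; fields are assumptions, not any vendor's real device elements.
@dataclass
class LoginContext:
    device_id: str
    known_devices: frozenset            # devices this account has used before
    via_vpn: bool                       # connection arrives through a VPN/proxy
    bot_signals: bool                   # e.g. headless browser, scripted input timing
    lat: float
    lon: float
    last_lat: Optional[float] = None    # location and timing of the previous login
    last_lon: Optional[float] = None
    minutes_since_last: Optional[float] = None

# Constructed policy weights: soft signals score 1, hard signals score 3.
FLAG_WEIGHTS = {"unknown_device": 1, "vpn": 1, "bot": 3, "impossible_travel": 3}

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(ctx, max_kmh=1000.0):
    """True when the account would have had to move faster than max_kmh since its last login."""
    if ctx.last_lat is None or not ctx.minutes_since_last:
        return False  # first login or no timing data: nothing to compare against
    km = distance_km(ctx.last_lat, ctx.last_lon, ctx.lat, ctx.lon)
    return km / (ctx.minutes_since_last / 60.0) > max_kmh

def assess_device(ctx):
    """Layer 1: silent background assessment; returns the red flags found (empty = looks fine)."""
    checks = {
        "unknown_device": ctx.device_id not in ctx.known_devices,
        "vpn": ctx.via_vpn,
        "bot": ctx.bot_signals,
        "impossible_travel": impossible_travel(ctx),
    }
    return [name for name, hit in checks.items() if hit]

def required_step(ctx):
    """Risk-based layering: only risky logins are asked to do more."""
    score = sum(FLAG_WEIGHTS[f] for f in assess_device(ctx))
    # 0: remembered device is the second factor; 1-2: knowledge question; 3+: strong factor
    return "allow" if score == 0 else "knowledge_question" if score < 3 else "strong_factor"
```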
Benefits, Challenges, and Supporting Tools
To Benson, the benefit is clear: MFA keeps data safer with multiple layers of defense.
“If you’re protecting your house, it wouldn’t make sense to just look through the window to see who is there,” she said. “There are multiple layers of security on the house. And it’s the same around data, particularly health information, which is so valuable on the market. It’s a huge target for fraudsters, and it’s more and more targeted every day.”
“The information is becoming more interesting to fraudsters,” she continued. “And if patients don’t trust an organization to take care of patients and their data, they’ll go somewhere else. It’s more than compliance: It’s just good business to take care of patients and their data. MFA covers up multiple security vulnerabilities and not just one time.”
The real challenge is choosing the right layers of authentication. Benson recommended organizations work with a data provider to make sure they choose the right use case, as they “don’t need eight products on every type of authentication use.” For some organizations, working with a provider can be critical to this process.
“Some products do put more friction on the patient, which is the other challenge,” said Benson. “We always recommend the simple layers up front that have the lowest friction for these cases, where they don’t need to participate to be secure.”
When it gets to the knowledge-based question, there is some interaction by the user or patient, and it can take time to get into the system. However, Benson explained that the fraudster has to go through this as well, and with the higher friction at the back end, they may be less likely to keep pursuing access.
But with all security tools, there is no silver bullet. Effective MFA begins with data hygiene. Benson explained that clean patient records will ensure each patient is connected to the right record. Organizations need to start with this basic step to make sure they have a full view of the patient.
“I highly recommend going through doing a data cleanup to make sure there are not duplicate records,” said Benson. “It will help make sure the MFA is most effective by connecting to the right place.”
The process can be assisted with tools like universal patient identifiers that append to records, which will identify duplicates and things of that nature. The industry is getting more sophisticated with this process by working with vendors, Benson explained.