The data breach problem in healthcare has entered crisis mode. In 2016, 36 percent of all breaches and 44 percent of all records compromised were healthcare-related. Those breaches resulted in the theft of 15.4 million healthcare records.
The phishing attacks being used to perpetrate these breaches are nothing new. They were a leading cause of data breach incidents for the eighth consecutive year, according to the Identity Theft Resource Center.
Cybercriminals are going after electronic health information simply because it offers personal information that can be re-used for many different types of fraud, including claims, Health Savings Accounts, Flexible Savings Accounts and more. In addition, because some health providers aren’t using sophisticated security controls, personal demographic information can be used to bypass password reset functions for account takeover.
These attacks are effective because much of the healthcare industry continues to depend on single-factor username and password authentication to access highly sensitive data. This dependence on passwords is not just a healthcare practice; the alarming truth is that the use of stolen, weak or default passwords is the root cause for 81 percent of all data breaches across all industries.
The government agrees that now is the time to move to simpler and stronger authentication. The May 2017 report from the Healthcare Industry Cybersecurity Task Force, “Report on Improving Cybersecurity in the Healthcare Industry,” makes this recommendation to improve the security of sensitive health data, seeking to “require strong authentication to improve identity and access management for healthcare workers, patients, and medical devices/EHRs.”
The healthcare industry must do better, and with a combination of new device attributes and “unphishable” authentication capabilities gaining traction across all forms of consumer devices, the solutions needed to do so are now readily available.
In the past, authentication was assumed to be a binary event: a service challenges the user for a credential, and if the expected credential is presented, that user is authenticated. If you wanted to improve the security of the system, you would simply make the authentication challenge harder for the user to pass, typically by asking for additional “factors” of authentication, those factors being either something you know (such as a password); something you have (such as possession of a one-time-passcode token); or even something you are (such as a biometric match provided through a fingerprint sensor). If you wanted to improve the convenience of using the system, you would simply do the inverse and sacrifice security by reducing the effort required of users to successfully pass your system’s authentication challenge.
Times have changed, and those assumptions no longer hold true.
The future of authentication is a standards-compliant, continual solution that is both more convenient for users than traditional password systems, and more effective at protecting them from well-known threats like phishing and account takeovers. Healthcare providers can achieve this vision of modern authentication by following a two-point plan.
First, healthcare providers should adopt industry standards to enable a more convenient user experience that can be bound to a strong multi-factor authentication event. The primary example is FIDO (Fast IDentity Online) standards. The National Institute of Standards and Technology (NIST) has recognized FIDO standards as meeting the highest Authenticator Assurance Level (AAL) in its latest version of Digital Identity Guidelines, SP 800-63-3. Following a standards-based approach to authentication will help organizations achieve:
Unphishable security. Modern standards-based authentication no longer relies on any “shared secrets” (such as passwords, PINs or OTPs) stored on a server. Instead, the account credential is a private key, bound to the user’s personal device, which is never shared with the application; the device only uses the private key to cryptographically sign authentication challenges from the application. This not only addresses the social engineering vulnerability of credential theft, but it also addresses the threat of credential replay attacks against your service from someone else’s data breach.
More convenient user experiences. Two experiences have emerged that utilize the strong, standards-based security outlined above:
A passwordless approach. Mobile phones and PCs increasingly ship with new security properties that can create separation between the “what you have” and “what you are” authentication factors. This means that healthcare organizations can roll out much simpler experiences: users just touch something (fingerprint biometrics), say something (voice biometrics) or look at something (facial and iris biometrics) and get true multi-factor authentication to the mobile or web service. That benefit comes only with the aforementioned industry standard, which combines public key cryptography with biometrics rather than relying on biometrics alone.
A second-factor approach. Healthcare organizations also have the option to extend their current infrastructures and augment passwords with an easy-to-use second factor like a security key or wearable. The user logs in as usual, and then presses a button on his or her second-factor device to be authenticated to the mobile or web application—a much simpler process than typing in another code or using another screen.
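The challenge-signing flow behind the “unphishable security” point above, as an added example that is not part of the original article or of any FIDO implementation: a simplified Node.js model in which the class names, origins and user name are constructed for illustration. It shows a normal login succeeding, a captured assertion being rejected on replay, and a look-alike origin getting no usable signature.

```javascript
// Added example: simplified FIDO-style challenge-response, not the WebAuthn wire format.
const crypto = require('crypto');
// Authenticator on the user's device: one key pair per origin, private key never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }              // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;                                    // the only thing the server stores
  }
  // `origin` is what the browser is really connected to, not what the page claims to be.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                               // no credential scoped to this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// Relying party: holds public keys only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.pubKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.pubKeys.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(user, assertion) {
    if (!assertion || !this.pubKeys.has(user)) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;            // signed for a different site
    if (!this.pending.delete(challenge)) return false;   // unknown or already-used challenge
    const data = Buffer.from(assertion.clientData);
    return crypto.verify('sha256', data, this.pubKeys.get(user), assertion.signature);
  }
}

function runScenarios() {
  const site = 'https://portal.example', lookalike = 'https://portal-login.example'; // constructed
  const device = new Authenticator(), rp = new RelyingParty(site);
  rp.enroll('alice', device.register(site));
  const assertion = device.sign(site, rp.newChallenge());
  const legit = rp.verify('alice', assertion);
  const replayed = rp.verify('alice', assertion);        // same assertion presented a second time
  // A look-alike page relays a fresh challenge; the browser reports the look-alike origin.
  const phished = rp.verify('alice', device.sign(lookalike, rp.newChallenge()));
  return { legit, replayed, phished };
}
```

The server side never holds anything that would let a third party log in: a leaked `pubKeys` map contains public keys only.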
While deploying standards-based strong authentication like FIDO helps to resolve many of the authentication problems organizations have faced around security and user experience, it still is event-based and thus only provides one essential ingredient in a modern authentication system.
With user credentials bound to the device, healthcare organizations still must manage the risks associated with lost and stolen devices, as well as so-called “friendly fraud.” This is where the second point in the two-point plan—continuous, behavior-based authentication—comes in and fills the gap.
Using continuous, behavior-based authentication, healthcare providers can look at user behaviors, expressed as device attributes, to be certain that the authenticated user is the same person throughout the lifetime of the session. To gain this level of insight a service provider must go beyond the multi-factor authentication event used to initiate the session, and build a continuous authentication monitoring system to collect and score these attributes over time. This can be done in a manner that is privacy preserving for the user and extremely helpful for the service by continuously assessing the likelihood they are still working with the same user they started with. And, importantly, it does all of this without impacting the user experience.
Today, and as we move to an even more connected future, the healthcare industry should make serious efforts to reduce its reliance on password authentication and move to this new modern vision for authentication. Doing so will dramatically change the game for cybercriminals by eliminating their ability to perform scalable attacks on account credentials as a means of perpetrating fraud.
As an example, Aetna is focused on delivering a seamless healthcare experience, which requires its team to be acutely aware of the cybersecurity risks that have the potential to disrupt the delivery of that experience.
Aetna is providing a more unified user experience for its members, partners and employees, and delivering alternative ways to authenticate in the process. Consumers have numerous paths they can take to register and access information on a mobile device or online service. In many cases, they’re likely using the same password to gain access each time. This single-factor authentication and conventional control are no longer sufficient, given the larger attack surface that now exists.
The assumption that you are the only person who knows your password is fundamentally obsolete. The most effective alternative is using advanced risk models tied to behavior and devices, providing a better probability of managing access to sensitive information. Aetna created a policy-driven authentication platform monitoring benign user attributes and biometric controls to create strong behavioral-based authentication. The attributes that are used for authentication, such as swipe speed or geolocation, do not include elements that could potentially invade patient privacy. This model enables the company to take many user attributes, apply a risk score for each one, and then combine that risk score with any biometric control to offer continual authentication.
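The per-attribute scoring described above, and the continuous monitoring described earlier in the article, sketched as an added example that is not Aetna's platform or any vendor's code. The attribute names, weights, saturation points and thresholds are assumptions chosen for illustration, and the telemetry is constructed.

```javascript
// Added example: hypothetical continuous-authentication scorer. Attribute names, weights,
// saturation points and thresholds are assumptions, not values from any deployed system.
const POLICY = {
  weights: { swipeSpeed: 0.5, geoKm: 0.5 },
  alpha: 0.5,       // smoothing factor: share of the session score taken from the newest sample
  stepUp: 0.35,     // at or above this score, require a fresh biometric check
  terminate: 0.7,   // at or above this score, end the session
};

// Each scorer maps one attribute to a risk in [0, 1] relative to the user's enrolled baseline.
const SCORERS = {
  // deviation from typical swipe speed, saturating at 3 standard deviations
  swipeSpeed: (v, b) => Math.min(Math.abs(v - b.swipeMean) / b.swipeStd / 3, 1),
  // coarse distance from the usual location, saturating at 500 km
  geoKm: (v) => Math.min(v / 500, 1),
};

class Session {
  constructor(baseline, policy = POLICY) { this.b = baseline; this.p = policy; this.score = 0; }
  observe(sample) {
    let risk = 0, total = 0;
    for (const [name, value] of Object.entries(sample)) {
      if (!(name in SCORERS) || !(name in this.p.weights)) continue; // attribute not in policy
      risk += this.p.weights[name] * SCORERS[name](value, this.b);
      total += this.p.weights[name];
    }
    // Exponentially weighted average: one odd sample nudges the score, a sustained change moves it.
    if (total > 0) this.score = (1 - this.p.alpha) * this.score + this.p.alpha * (risk / total);
    return this.decision();
  }
  biometricResult(matched) {        // outcome of a step-up biometric check on the device
    this.score = matched ? 0 : 1;
    return this.decision();
  }
  decision() {
    if (this.score >= this.p.terminate) return 'terminate';
    if (this.score >= this.p.stepUp) return 'step-up';
    return 'continue';
  }
}

function replaySession(biometricMatches) {
  const s = new Session({ swipeMean: 300, swipeStd: 50 });          // constructed baseline
  const samples = [{ swipeSpeed: 310, geoKm: 2 }, { swipeSpeed: 520, geoKm: 3 },
                   { swipeSpeed: 510, geoKm: 3 }];                   // constructed telemetry
  const decisions = samples.map((x) => s.observe(x));
  if (decisions[decisions.length - 1] === 'step-up') decisions.push(s.biometricResult(biometricMatches));
  return decisions;
}
```

In the constructed session the first out-of-profile sample leaves the decision at continue, the second consecutive one triggers a step-up, and the biometric result then either clears the score or ends the session.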
Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process. FIDO insulates Aetna from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer, so regardless of the configuration of mobile carrier, device maker or online service, the company is able to authenticate every time. More importantly, a member's biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.