Can Multi-Factor Authentication Help Healthcare’s Security Posture?
Multi-factor authentication blocks nearly all automated cyberattacks, and most compromised accounts didn’t use the tech. Healthcare’s security posture is in need of improvement.
Microsoft has found multi-factor authentication (MFA) blocks 99.9 percent of automated cyberattacks on Microsoft platforms, websites, and other online services. As hackers continue to target user credentials and email compromise, providers must bolster their defenses by employing better access controls and improving the security posture across the enterprise.
The latest Microsoft stats show that 99.9 percent of compromised accounts did not use multi-factor authentication. And just 11 percent of organizations use MFA, overall.
Further, employees continue to be one of healthcare’s biggest weaknesses, with hackers consistently targeting user credentials to gain access to a system. According to the Protenus Breach Barometer, insider incidents compromised 3.8 million records in 2019.
What’s worse, 55 percent of US organizations experienced one successful phishing attack last year, leading to credential compromise. The primary goal of 70 percent of these sophisticated attacks in 2018 was to obtain user credentials, according to Proofpoint research. As a result, 65 percent of infosec professionals experienced compromised accounts from these attacks, up from just 38 percent in 2017.
Adding to those concerns around access are the Department of Health and Human Services’ moves to improve interoperability and data sharing across the sector. While healthcare’s shift into greater data access is a natural course, the industry is only further expanding its attack surface without proper security mechanisms.
“Stolen identities are the number one source of data loss and on average over 100 days pass before organizations discover that there was a compromise,” a Microsoft spokesperson told HealthITSecurity.com.
“If an identity does get compromised it can be hard to detect, therefore it’s always important to have good user behavior analytics and security logs (including logs from your endpoint management and endpoint security tools) to detect unusual activity,” they added.
One way to close some of these security gaps is with the use of multi-factor authentication, which can prevent a hacker from gaining full access to a network even if user credentials become compromised.
What is Multi-Factor Authentication?
The basic tool is used in all industries and adds at least one extra layer of authentication to logging into an account, beyond the basic username and password combination. As a result, merely stealing a user’s credentials is no longer enough for a hacker to gain full access to a network.
But despite its promise, many users and organizations don’t use MFA, or what is sometimes known as two-factor authentication or 2FA, across their network. For example, Google found that just 10 percent of its users enable two-factor authentication on their accounts. What’s worse is that many others are unaware of just what MFA is and how it can secure access points.
MFA and 2FA are cost-effective and simple methods to close security gaps. But with any tech project, an organization needs to understand how the tech works, the challenges that can be solved by stronger authentication, and how to ensure a successful implementation.
Traditional credentialing uses a straightforward access method: a username and a password. For example, when logging into an email account or online platform, an individual enters their designated username or email address in combination with a chosen password.
Access is easy; however, it’s not necessarily secure. A recent TeleSign report found that about 54 percent of users leverage five or fewer passwords for all of their online accounts, and 73 percent of online accounts use duplicated passwords. As a result, if a hacker obtains user credentials for one account, there’s a high probability that those credentials will work on another access point.
MFA is specifically designed to reduce the risk of compromised credentials. According to NIST, the process is simple, and most users already use the technology in some form: for example, inserting a bank card at an ATM and then entering a PIN.
Another common method is for a user who logs into a website with their credentials to be sent a numeric code to their phone, which must be entered to gain access to the site.
NIST describes the process as a “security enhancement that allows you to present two pieces of evidence -- your credentials -- when logging in to an account.”
Those credentials fall into three categories:
- Something you know (like a password or PIN)
- Something you have (like a smart card)
- Something you are (like your fingerprint)
“Your credentials must come from two different categories to enhance security, so entering two different passwords would not be considered multi-factor,” according to NIST.
Most MFA experiences are even simpler than the one-time access code. In some instances, an IT team can set up the authentication so that if a user returns to the access point from the same device, phone, or computer, the tech will remember that platform as the second form of authentication.
So when a hacker or unauthorized user attempts to log in from another access point or from another location entirely, there is an additional layer of security that must be broken through to gain access.
What is Strong Authentication?
According to a report from the FIDO Alliance, a tech industry consortium focused on addressing authentication interoperability, the best approach to developing superior MFA is to merge the process with strong cryptography. The approach is also supported by NIST.
“It’s this idea that instead of sharing secrets to certify the identity of a user, that only the user’s ownership of the secret is confirmed through public key cryptography, which helps to mitigate the most common authentication vulnerability — the chance that a secret is intercepted or stolen and subsequently replayed,” according to the report.
“This high-assurance form of authentication uses multiple factors in which at least one of those factors involves the use of public key infrastructure. Such individual solutions would include smart cards, security keys, and FIDO-enabled biometric authenticators,” the report continued.
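The replay risk the report describes can be shown side by side. The following Go program is an added illustration, not code from the FIDO Alliance or from this article: a verifier that checks a shared secret accepts that secret again when it is captured and resent, while a verifier that holds only a public key and signs a fresh random challenge per login has nothing for a captured signature to match. The type and function names are my own, and the password and keys are constructed in the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// sharedSecretVerifier models password login: the verifier stores a hash and
// the claimant sends the secret itself, so whoever captures it can resend it.
type sharedSecretVerifier struct{ hash [32]byte }

func (v *sharedSecretVerifier) Login(presented string) bool {
	h := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(h[:], v.hash[:]) == 1
}

// challengeVerifier models the FIDO-style scheme: it stores only the public
// key and issues a fresh random challenge per login; the claimant proves it
// holds the private key by signing that challenge, which is then consumed.
type challengeVerifier struct {
	pub       ed25519.PublicKey
	challenge []byte // outstanding challenge, nil once used
}

func (v *challengeVerifier) NewChallenge() []byte {
	v.challenge = make([]byte, 32)
	rand.Read(v.challenge) // crypto/rand: 32 unpredictable bytes
	return v.challenge
}

func (v *challengeVerifier) Login(sig []byte) bool {
	ok := v.challenge != nil && ed25519.Verify(v.pub, v.challenge, sig)
	v.challenge = nil // single use: a second presentation has nothing to match
	return ok
}

// ReplayAgainstSharedSecret presents a captured password twice; returns true if the replay is accepted.
func ReplayAgainstSharedSecret() bool {
	v := &sharedSecretVerifier{hash: sha256.Sum256([]byte("constructed-pw"))}
	captured := "constructed-pw" // observed in transit during a real login
	return v.Login(captured) && v.Login(captured)
}

// ReplayAgainstChallengeResponse presents a captured signature against the next challenge; returns true if accepted.
func ReplayAgainstChallengeResponse() bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	v := &challengeVerifier{pub: pub}
	captured := ed25519.Sign(priv, v.NewChallenge()) // legitimate response, observed
	if !v.Login(captured) {
		panic("legitimate login should succeed")
	}
	v.NewChallenge() // a fresh login starts with a different challenge
	return v.Login(captured)
}

// Prints "true false": the password replay works, the signature replay does not.
func main() { fmt.Println(ReplayAgainstSharedSecret(), ReplayAgainstChallengeResponse()) }
```

Note that the second verifier never stores anything that would let an attacker who breaches it impersonate the user, which is the other half of the report's argument.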
The Office for Civil Rights made similar assertions in a 2016 report, which found weakened healthcare authentication measures were one of the biggest causes of data breaches in recent years. Officials made several recommendations for healthcare organizations around assessing and strengthening authentication measures.
Typically, health providers use login passwords or passphrases to gain access to public or private networks, internet portals, computers, medical devices, apps, and other access points.
“The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed,” OCR officials wrote.
At the end of the day, no measure of authentication will cure all security woes. However, strengthening credentials and making access difficult for those without the right authentication can go a long way toward closing some of the network’s security gaps.
Best Practice MFA
To start, health delivery organizations and their business associates need to conduct a thorough, comprehensive risk analysis across the network and infrastructure. The process will identify potential vulnerabilities in both protected health information and authentication measures.
“Determine the right path for your organization and start taking steps to get there,” a Microsoft spokesperson said. “Oftentimes for companies or organizations with hybrid environments, the first step is to modernize internal applications that use legacy protocols for authentication which don’t allow for MFA.”
To Erin Benson, senior director of market planning at LexisNexis Health Care, it is critical healthcare organizations take a step back before considering the cybersecurity piece when it comes to an MFA implementation.
Security leaders must first create an inventory of all of the organization’s access points, including where patients, vendors, and employees log into the system, Benson explained.
“Look at it from the patient perspective, not just username and password,” Benson said. “Every point of access is a potential threat to security and could allow hackers to find back channels. Providers must protect all security gaps. An analysis of where to protect data is a good start.”
However, it’s a good idea to first clean up patient records to ensure all duplicates are eliminated. A clean set of records can ensure that once MFA is in front of the access point, the individual is getting access to the right record.
In recent months, CMS and Walgreens have reported breaches stemming from app errors that connected patients to the wrong records, allowing them to view records from other individuals.
In the end, ensuring an organization has a clean set of records and knows all of its access points will make an MFA implementation more successful.
Essentially, organizations need to consider their own security needs to determine the right authentication for the specified purpose. A provider or business associate should consider the size of the organization, its complexity, hardware, and technical infrastructure, which will also help to determine the number and complexity of access points.
“Companies should evaluate the risk of the data that they are exposing on the endpoints and the amount of user friction they are willing to have when considering MFA options for different endpoints,” a Microsoft spokesperson explained.
Both Benson and Microsoft stressed that the least amount of friction should be offered upfront without a lot of user interaction, and there should not be more than two to three steps at a particular intersection.
More advanced organizations can also consider implementing tech that can recognize a device and its typical behavior to reduce friction. Benson explained that the tech can detect suspicious behavior when logging in, such as a different location. Fraud-behavior mapping can also flag when a device has attempted to log into a site 50 different times in the last 24 hours.
The goal is to perform as many of those checks as possible in the background to ensure the least amount of friction at the login point. Benson explained it’s critical not to just buy products and begin layering them into the enterprise.
Instead, organizations should pick vendors or products that recommend at least three checks: when an individual is logging into a portal or various systems, matching that to the kind of data being protected; what fraud is being protected against and the transaction type; and whether the device has been seen before on the network.
“My advice is to research all of these different tools, from knowing the device to a one-time password sent to the individual,” Benson said.
“Taking all of that into consideration, rather than layering everything,” Benson said. “It’s more about data being protected than the actual users, and how often you’ve seen the user logging in. The first time you can perform a more stringent check than with a repeated user. Check for things like device behavior.”
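The background checks Benson lists can be expressed as a small risk assessment run over prior login events. The Go program below is an added example, not a product or code from LexisNexis or this article; the event layout, the decision names ("allow", "step-up", "block") and the 50-attempts-in-24-hours threshold from the article are the only assumptions, and the history is constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// LoginEvent is one entry of a constructed authentication log.
type LoginEvent struct {
	At                    time.Time
	User, Device, Country string
	OK                    bool // login succeeded
}

var base = time.Date(2024, 3, 1, 8, 0, 0, 0, time.UTC) // constructed timeline origin

// ConstructedHistory is hand-made sample data, not from any real system.
func ConstructedHistory() []LoginEvent {
	h := []LoginEvent{
		{base, "alice", "dev-a1", "US", true},
		{base.Add(24 * time.Hour), "alice", "dev-a1", "US", true},
	}
	for i := 0; i < 50; i++ { // one device hitting the portal 50 times on day 3
		t := base.Add(40*time.Hour + time.Duration(i)*time.Minute)
		h = append(h, LoginEvent{t, "bob", "bot-9", "US", false})
	}
	return h
}

// Assess applies the background checks from the article to one attempt and
// returns the friction to apply ("allow", "step-up" or "block") plus reasons.
func Assess(history []LoginEvent, a LoginEvent) (decision string, reasons []string) {
	known, hits, lastCountry, lastAt := false, 0, "", time.Time{}
	for _, h := range history {
		if h.Device == a.Device && a.At.Sub(h.At) < 24*time.Hour {
			hits++ // counted across all users: a hammering device is automated
		}
		if h.User == a.User && h.OK {
			known = known || h.Device == a.Device
			if h.At.After(lastAt) {
				lastAt, lastCountry = h.At, h.Country
			}
		}
	}
	if hits >= 50 {
		return "block", []string{fmt.Sprintf("%d attempts from this device in 24h", hits)}
	}
	if !known {
		reasons = append(reasons, "device not seen before for this user")
	}
	if lastCountry != "" && lastCountry != a.Country {
		reasons = append(reasons, "country changed since last successful login")
	}
	if len(reasons) > 0 {
		return "step-up", reasons
	}
	return "allow", nil
}

func main() { fmt.Println(Assess(ConstructedHistory(), LoginEvent{base.Add(48 * time.Hour), "alice", "dev-x2", "DE", false})) }
```

A returning user on a known device from the usual country gets no extra prompt, while an unknown device from a new country is stepped up to an additional factor and the hammering device is blocked outright.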
NIST’s Electronic Authentication Guidelines also provide key recommendations for organizations attempting to determine the most secure access method for their network. According to the guidelines, once a risk assessment is completed and mapping has identified the key risks to the required assurance level, “agencies can select appropriate technology that, at a minimum, meets the technical requirements for the required level of assurance.”
In its guide for digital authentication, NIST outlined the different authentication types, requirements, and lifecycle management to help organizations with the authentication process.
“Digital authentication is the process of establishing confidence that a given claimant is the same as a subscriber that has previously authenticated,” the guidance authors wrote. “This guideline addresses how an individual, known as a claimant, can securely authenticate to a Credential Service Provider to establish the context for a remote digital interaction.”
“It just takes one identity compromise to cause a breach costing your company potentially millions of dollars,” a Microsoft spokesperson said. “By strengthening their security posture, an organization can maintain and earn patient trust, help prevent data breaches, and reduce costs.”
Designing MFA for the User
“Ease of use is a major concern for end users, and both staff and patients tend to use the most convenient routes,” a Microsoft spokesperson said. “MFA credentials have improved over the last five to 10 years, and many people have mobile phones that can be used as authenticators too.”
“We know passwords are insecure and inconvenient which is why we’ve been on a mission to eliminate passwords and help people protect their data and accounts from threats,” they added. “In healthcare settings where shared device scenarios are often the norm, the use of a cryptographic key pair and a biometric or PIN creates a strong MFA for authenticating accounts, eliminating the need for passwords.”
Vanderbilt University Medical Center has a strong case study for best practice MFA implementation designed around the user. In November, VUMC announced it was overhauling its authentication mechanism across the network and adding multi-factor authentication to every tech platform within the organization by March 18, 2019.
VUMC explained that the key to the overhaul was user buy-in and creating a human-centered process.
“Once we have 100-percent involvement, we can add that onto everything because every user understands multi-factor authentication, and it will add that layer of security and identify who our users are and what they’re accessing,” Executive Director of Enterprise Cybersecurity Andrew Hutchinson told HealthITSecurity, at the time.
“We wanted to make sure there was something usable for everybody – but that we were also adding a layer of security,” he said. “We offer everything from downloading the app to use it, to, if you don’t like technology, you can go up to HR and do it manually — and everything in between. There’s no reason why everyone can’t use this technology or use a process that allows us to really, really tighten up security. And make sure we’re thoroughly authenticating users and their identity.”
To ensure success, it’s imperative that organizations design these processes to be easy on the user – and tough on the hacker. VUMC began its process with a pilot program that focused on a small number of users to ensure the new authentication process was working effectively.
The next step is to provide users with several authentication options to ensure they are comfortable with the process, which will secure buy-in. For advanced users, these methods can include downloading an app on a smartphone and using it as their token.
For users who don’t want to download an app, the organization can offer a text message option to receive a code. However, it’s important to note that NIST recommended in its digital identity guidance that SMS messaging may not be as secure as other options and could be intercepted, so organizations should first ensure the chosen messaging platform is secure before using SMS messaging as a second form of authentication.
“Two key requirements are that the device be uniquely addressable and that communication over the secondary channel be private,” according to NIST. “Some voice-over-IP telephone services can deliver text messages and voice calls without the need for possession of a physical device; these SHALL NOT be used for out of band authentication.”
Those users who prefer to avoid a smartphone access method can opt for a physical hard token, or key fob. And for the least technical users, organizations can consider offering individuals the option of the manual method of entering details directly through the human resource department.
“Multiple factors make successful attacks more difficult to accomplish,” according to NIST. “If an attacker needs to both steal a cryptographic authenticator and guess a memorized secret, then the work to discover both factors may be too high.”
MFA should be considered an ideal tool for closing security gaps within an infrastructure. In conjunction with the authentication mechanism, organizations should implement tools that assess user access behind the login page to determine what is logging in and from where: for example, whether the connection is coming through a VPN, and whether the client is a real person or a bot. These checks occur behind the scenes and don’t add friction for the user.
“Compromising two or more authentication factors presents a significant challenge for attackers, resulting in more time and cost for them,” a Microsoft spokesperson said. “For doctors and other healthcare professionals with access to critical data on endpoints, a FIDO2-compliant security key or smartcard are examples of strong credentials that are easy to use on shared workstations.”
Choosing a Vendor and MFA Benefits
According to Grand View Research, the multi-factor authentication market is projected to reach $17.76 billion by 2025, driven by advancements in biometric technologies and cloud, among others.
“Technological advancements, proliferation of smartphones, enhanced network connectivity, and high adoption rate of digital services are some of the key factors supplementing the growth of the regional market,” the report found. “Moreover, growing cases of cyberattacks are triggering the adoption of multi-factor authentication solutions in North America.”
And as more organizations shift data storage and other operations into the cloud, MFA will continue to proliferate. Healthcare providers must ensure they outline the business goals they’re trying to achieve with an MFA implementation, in addition to cost, to ensure a successful transition to MFA.
Organizations should also consult with an IT specialist to ensure the process is properly configured for the infrastructure and make sure the logins are effective.
Benson recommended when organizations are considering products and vendors that they pick a vendor with a good perspective of the fraud universe and the varying types of fraud potential. A consultant can choose tools for consistent use cases, such as a fraud attack, ransomware, or someone pretending to be someone else with a fake ID.
“Work with a vendor that understands the most common ways that fraud may present itself and how those tools can be tailored into the workflow,” Benson said. “And look for a vendor with a suite of products for these different types of fraud and who knows what types to include across your enterprise.”
“Look for those who understand the balance of user engagement with protecting cybersecurity,” she added. “Finding that right balance can be tricky. You don’t want to dissuade anyone from logging into a portal and don’t want them to give up access to their health data. But at the same time you don’t want them to feel like their data is open. Pick a vendor that will work with you on patient engagement, while meeting the right cybersecurity needs.”