Closing the Floodgates: Utilizing Identity Access Management to Plug Healthcare Breaches

By Kimberly Biddings, VP of Product, BIO-key International
Twitter: @BIOkeyIntl

Cyber attackers have the healthcare industry squarely in their sights. With one-third of the world’s data being produced by the industry alone and the average cost of a breach weighing in around $10.1 million, it’s no wonder. What’s most concerning is how effective attackers have been in accessing the private data of patients and healthcare workers alike. As of 2021 it is estimated that everyday there are two breaches of 500 or more healthcare records. Over the last 10 years this has resulted in the loss of over 300 million healthcare records, or approximately 95% of the population of the United States.

There is no single answer as to how to solve this problem, and as strategies to defend against attacks become more advanced, adversaries follow suit. The biggest year for healthcare breaches came in 2015 and the industry responded with a host of new cybersecurity policies as well as greater implementation of encryption technology. As a result, the most likely sources of a breach now come from unauthorized access or disclosure of protected data. To effectively defend against this type of attack, organizations should assess their identity and access management (IAM) strategy to ensure the right people are gaining the right access to the right resources at the right time. From establishing a comprehensive multi-factor authentication (MFA) solution to addressing the convenience needed to maintain a good cyber hygiene there are several steps organizations can take to prevent unauthorized data access.

Choosing the Right MFA

Passwords alone have long proven to be ineffective. Layering passwords with alternate methods of identification is key to improving an organization’s security posture. By some estimates establishing the right MFA strategy will reduce breaches by up to 90%. But not all MFA is created equal. The global healthcare industry has 22 million workers and that number is expected to grow steadily. While common sense says that the overwhelming majority of them would never do anything to jeopardize patient data, surveys have shown that approximately 18% may be willing to sell confidential data at around $500-1,000 per transaction. This means that all access needs to be secured.

However there are additional layers of complexity when looking at MFA for healthcare. One in particular is the unique and varied login use cases that clinicians find themselves in. Many computers are used as shared devices by clinicians who are roaming around the hospital treating patients, and there are certain situations such as in the emergency room where the speed of accessing a patient record can even be part of a life or death situation. Secondly, regulations like the Health Insurance Portability and Accountability Act (HIPAA) and Electronic Prescribing for Controlled Substances (EPCS) mean there are legal ramifications for who has access to which data.

For many situations, more traditional authentication methods like hardware tokens, one time passwords (OTPs) and Apple Touch ID that rely on a phone and identify the device rather than a person, simply will not work for clinicians.

Centralizing Enrollment & Authentication

To solve this problem, healthcare organizations can look to adopt centralized biometric methods that can guarantee the identity of a user (something you are) rather than a device (something you have). Centralized biometric solutions, like Identity-Bound Biometrics (IBB), means that authentication is completed by matching a scanned biometric to the originally enrolled one. This type of enterprise-controlled enrollment prevents workers from handing off account credentials and ensures users gain access only to the networks they are authorized for.

Furthermore, centralizing biometrics adds a level of flexibility that is essential in healthcare. Doctors and nurses access patient records, medications, and machines all over a hospital in the course of their work. They need to be able to access potentially life saving information and supplies from a variety of devices without being limited to only the devices they’ve enrolled on. By having a centralized authentication architecture, the clinician can walk up to any device where a biometric scanner is located and login – nothing to carry, nothing to remember.

This method works for compliance too. EPCS regulations dictate how doctors are able to prescribe drugs to their patients in an online system. Maintaining correct dosages and restricting access to controlled substances requires a direct knowledge of who is placing which orders. Gone are the days of prescription pads and doctors notes — electronic systems can make for much safer and efficient ways for doctors to access their tools and get important medicines to their patients. With a simple biometric authentication not only can access be given to prescribers, but there is also an auditable trail of who placed the orders and when.

Enabling Single Sign-On

After strong authentication is in place, single sign-on (SSO) is the other critical part of IAM and the way to reduce the friction caused by multiple login prompts from each application that is being accessed. In a hospital setting, time is valuable and every second spent logging in is a second not spent with a patient. Introducing SSO can help reduce wasted time going through multiple authentications, and allow that time to be focused where it should be – on the patient.

With healthcare data set predicted to continue to increase dramatically in the coming years, the industry will continue to be a target for hackers and ransomware. To address the rising incidents of inside actors contributing to breaches and reduce the friction on healthcare workers trying to do their jobs, organizations should consider centralized authentication methods and single sign-on as a critical part of their IAM strategies. As clinicians apply more advanced technologies to serve their patients, it’s necessary to build an IAM solution that works for them.