October is Cybersecurity Awareness Month
The National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency invite you to celebrate Cybersecurity Awareness Month 2022 this October as we raise awareness about the importance of cybersecurity and ensure that all individuals and organizations have the information and tools they need to be safer and more secure online. “Do Your Part. #BeCyberSmart.”
Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance in October of 2004. It was launched in an effort to help Americans to be safe in the rapidly growing Internet. Since its inception, the month has only grown more important as our lives become increasingly digitized. We are only one of many industry participants who are taking this month to educate our community on the importance of cybersecurity.
As always, follow our posts this month and hear what the healthcare security experts have to say. This week they are offering their two cents on enabling multi-factor authentication.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
In March of this year, Microsoft engineers reported that 99.9% of the account compromise incidents they deal with could have been blocked with the use of a multi-factor authentication (MFA) solution. That should be reason enough, but MFA solves so many problems, given the world we live in, it is a no-brainer for security. It protects against weak employee passwords; with remote work it enhances security on employees’ personal devices and WiFi connections; it supports the ability of other security tools to function more effectively; it enhances privacy compliance and other regulations/rules/laws that require strong authentication – not to mention that your cyber security underwriter is going to require it.
Enabling multi-factor authentication is a critical step for preventing unauthorized access to your information and infrastructure. Combining something you know (your password) with something you have (your phone, hardware token, one-time password generator) creates an additional barrier that is significantly harder to compromise than a password alone. Industry leading MFA providers also add a time-based component — expiring one-time passwords or prompts within a few minutes to decrease an attacker’s chances of success in acquiring a one-time password from you via phishing or other means. When considering ways to harden your defenses, implementing multi-factor authentication should be at the top of your list.
Multi-factor authentication (MFA) has become a must to enable, not an option, especially for accessing applications in the cloud. Third-party vendors who provide applications containing confidential information must be vetted to confirm that they provide MFA for their application(s). In addition, cybersecurity insurance companies require MFA to comply with their insurance policy requirements.
Cyber requirements continue to evolve throughout the industry in response to evolving threats, and health IT is experiencing a significant push for multi-factor authentication, or MFA — for good reason. Healthcare is increasingly a top target for security attacks and data breaches, and enabling multi-factor authentication is a critical step in safeguarding access to sensitive health data. Each added layer of defense strengthens the protection of health data, and MFA provides an important upgrade over passwords alone to control account access. Every stakeholder in healthcare IT owes it to patients to safeguard their information, and MFA is just one efficient and relatively simple way to provide additional protection and peace of mind.
Healthcare is one of those verticals that must put people at the center of security when implementing any type of security control, especially multi-factor authentication (MFA). When you think about healthcare, the entire system is focused on clinicians being able to provide excellent patient care, when and where a patient needs it. This could be for general services such as an annual checkup, or during an ER visit when a patient’s life is on the line. When it comes to healthcare, there are two key things that all security professionals need to keep in mind when they look to implement MFA: 1) the workflows across healthcare are unique and differentiated, and 2) poor security can have a direct impact on patient lives and outcomes.
A study conducted by Vanderbilt University in 2018 showed that while the cyberattacks conducted on six hospitals and healthcare systems had technology impacts such as data loss, it was the security controls that were put in after the fact, to mitigate future attacks, that increased patient mortality rates. Yes, that’s correct – implementing security controls incorrectly can cost lives.
When implementing MFA in healthcare the change management is the most important aspect. It is critical to have a solution that offers all categories of authentication methods, something you have, something you know, and something you are, to be able to offer all clinicians and staff options that work for them. For example, identity-bound biometrics using fingerprints are excellent for shared workstations where nurses are charting after seeing a patient, or when they go to unlock a medicine cabinet to access controlled substances, or for that annual physical when a doctor needs to access a patient record. But what about in an ER situation where triage nurses are wearing gloves? That may be a better situation for a proximity card, where a quick badge tap gives them quick access to the patient’s record.
There’s a common denominator across recent cyber incidents involving multi-factor authentication (MFA): victims enabled MFA to protect their apps and accounts, but threat actors found a way to bypass it. No MFA method is completely bulletproof on its own; the most common MFA methods — including SMS-based and time-based One-Time Password — come with their own risks that security professionals need to consider. The latest MFA standard, WebAuthn, relies on trusted coordination between users, their devices, and the apps they’re accessing. Organizations need solutions that enable them to embed secure MFA into every web application and on every user flow. This enables administrators to build secure workflows for users within any application, thus protecting all activity within the browser and safeguarding critical data. MFA everywhere means protecting the enterprise while still empowering the user.
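The "trusted coordination between users, their devices, and the apps" that WebAuthn relies on comes down to a few checks the relying party performs on every assertion. The added example below is mine, not code from the original post or any contributor, and shows those checks on a constructed assertion: the browser-produced clientDataJSON must carry the expected type, a challenge this server issued, and the origin the user was actually on, and the authenticator data must carry the hash of this server's RP ID and a user-presence flag. The origin, RP ID, challenge and flag values are constructed sample values. The final step, verifying the signature over the returned bytes with the stored credential public key, needs a crypto library and is not shown here.

```python
"""WebAuthn relying-party checks on an assertion (clientDataJSON + authenticatorData).

Added example, not from the original post. Origin, RP ID and challenge are
constructed sample values. Signature verification over the returned bytes
with the credential's stored public key is the remaining step, not shown.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample relying party (hypothetical hostnames).
EXPECTED_ORIGIN = "https://portal.example-hospital.test"
RP_ID = "portal.example-hospital.test"

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser would produce for navigator.credentials.get() (constructed)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED,
                    sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> bytes:
    """Run the structural checks; return the bytes the signature must cover."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    # The challenge must be the one this server issued for this login, used once.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch")
    # Origin binding: a credential exercised on a look-alike site carries that site's origin.
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        raise ValueError("rpIdHash mismatch")
    if not auth_data[32] & FLAG_USER_PRESENT:
        raise ValueError("user presence flag not set")
    # The authenticator signs authData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest()


def is_valid_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> bool:
    try:
        verify_assertion(client_data_json, auth_data, expected_challenge)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real challenges come from a CSPRNG per login
    auth = build_auth_data(RP_ID)
    print("genuine origin:", is_valid_assertion(build_client_data(challenge, EXPECTED_ORIGIN), auth, challenge))
    print("look-alike origin:", is_valid_assertion(
        build_client_data(challenge, "https://portal.example-hospital-login.test"), auth, challenge))
```

The origin check is the property that distinguishes WebAuthn from a one-time code: the browser, not the user, fills in the origin, so an assertion produced on the wrong site fails before any signature is examined. The challenge check closes the replay path, which is why each login must issue a fresh random challenge and discard it after one use.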
Using Multi-factor Authentication helps our organization achieve a higher level of security against phishing attacks. Ensuring that all of our IT systems enforce MFA means an additional piece of time-based information is required, so phishing the username and password is not enough. It also can mitigate more sophisticated attacks, such as Man In The Middle (MITM).
As part of a multi-factor authentication strategy, many organizations use single sign-on (SSO) and federated identity management (FIM) tools. SSO adds security to your organization and your identity access management processes and helps your organization be more efficient (think of it in terms of a single domain). Generally, a FIM gives you access to multiple domains so you can streamline a user experience. This process doesn’t just keep users happier, it also makes password reset processes more efficient. Here are a few benefits of using both SSO and FIM:
- Enables access to applications and resources within a single domain
- Reduces the number of user passwords needed for access to resources
- Better customer experience
- Improved productivity
- Lower costs
- Enables single-sign on to applications across multiple domains or organizations
- Standard protocols include SAML, OAuth, OpenID Connect, and SCIM
- Third-party integrations, for example, Salesforce.com, Workday, and Zoom
- Trusted relationships between an identity provider (IdP) and service provider (SP)
Mohan Badkundri, Vice President of Development, HSBlox
Multi-Factor Authentication (MFA) is a pivotal tool in achieving Zero Trust Security, the most definitive cybersecurity measure in the modern era threat landscape. MFA requires users to submit two or more forms of authentication that fall under these four categories: Knowledge (PIN), Inherence (biometrics like fingerprint, voice, etc.), Device possession (USB key, token, etc.) and Location (via GPS tracking). The flexibility available to increase the number of factors required to authenticate identity makes MFA a core component of Zero Trust Architecture and is a must for any organization dealing with healthcare data.
We can all make everything we do more secure by taking affirmative actions and working in partnership with vendors and suppliers. This can be done by considering ourselves as end-users and customers of everything we use, whether that’s a physical shop, an online store, an app on our phone or a computer. Ask questions, for example, “does this app have 2FA?”, and, if not, move on and use one that does. When in a store and asked for your email address or date of birth, ask “why?”, “what is it used for?”, “why do you need it?” and don’t share if not needed. By thinking about security and asking “is what I am using secure?”, we may prompt a chain of ownership. Now go ahead, grab a coffee and take time out to change all your passwords to be unique and difficult to guess, and make sure all your software is on the latest version to reduce the chance of attack. You’ve got this, and if you are not sure of the best way to be secure, just ask!