Healthcare and the Need for End-to-End Authentication

By Mike Nelson, Vice President of IoT Security, DigiCert
Twitter: @digicert

Healthcare cybersecurity is facing two problems – neither of which can be solved using better technology alone. In fact, these problems have more to do with economics than cybersecurity.

The first problem is that healthcare is such a critical part of our economy. If you want to wreak havoc, disrupting a country’s healthcare system might be the best place to start. Additionally, Electronic Health Records (EHRs) are highly lucrative. To give you an idea of how valuable they are, your social security number might fetch 10 cents on the black market, but your medical records could go for up to $1,000 – that’s 10,000 times the value. If you were a hacker, which would you be after? The incentives are clear.

The second problem is that, even within a single hospital, security is a shared responsibility. When a resource is held in common, each party has an incentive to extract as much benefit as it can while incurring the lowest possible cost. This problem is known as the “tragedy of the commons.” Let’s take the example of a healthcare provider that relies on an infusion pump to treat diabetic patients. Does the responsibility to secure that device rest on the shoulders of the manufacturer or the healthcare provider? Who owns securing the transmission of data from the pump to the EHR? The answer to these questions depends on who you ask.

To add even more complexity, a healthcare network might use devices from 50 different manufacturers – who’s responsible in this case? Unfortunately, the questions don’t stop there. Are the vendors of your EHR software providing secure updates? Are you confident in the integrity of the code being uploaded to your devices? What measures do you have in place to ensure only the right people gain access to patient data? The questions continue from there, but I digress. Unfortunately, we human beings tend to only make changes when we’re presented with attractive incentives or when the problem we’re dealing with becomes sufficiently painful.

The two problems described above point to the need for end-to-end authentication, which is the process of proving the validity of all digital connections – from secure system login for nurses and doctors to communications between devices, the network and external services or databases such as EHRs. It might be helpful to view these connections as two parts in a single system. On the front end, you must verify the identity of any person using a device or accessing patient data, such as doctors and nurses. On the back end, it’s just as crucial to authenticate connections between devices and the servers, EHRs, drug libraries, etc. with which they interact.

The foundation for end-to-end authentication is Public Key Infrastructure (PKI). Using digital certificates, PKI authenticates users, systems and devices without the need for tokens, password policies or other cumbersome user-initiated factors. This decentralizes authentication and allows it to happen across disparate systems.
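To make the back-end half of this concrete, here is an added example (not DigiCert’s or the article’s own code) of the certificate check a server or EHR would run on a device that connects to it: the device is trusted only if its certificate chains to the hospital’s root CA, so a look-alike device carrying the same name but a certificate from an unknown CA is refused. The CA and device names, and the `issue` helper that stands in for a real CA’s issuance, are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an ECDSA P-256 certificate for cn signed by parent, or a self-signed CA when parent is nil (hypothetical stand-in for a real CA).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: it signs itself and may sign device certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DeviceTrusted is the server/EHR-side check: the presented certificate must chain to the hospital's trusted root and be valid for TLS client use.
func DeviceTrusted(device, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo: the hospital CA issues the pump's certificate; a look-alike from an unknown CA is rejected despite the identical CommonName (constructed names).
func Demo() (legitOK, rogueOK bool) {
	hospitalRoot, rootKey := issue("Hospital Device CA", nil, nil)
	pump, _ := issue("infusion-pump-0042", hospitalRoot, rootKey)
	otherRoot, otherKey := issue("Unknown CA", nil, nil)
	rogue, _ := issue("infusion-pump-0042", otherRoot, otherKey)
	return DeviceTrusted(pump, hospitalRoot), DeviceTrusted(rogue, hospitalRoot)
}
```

In a real deployment the same check runs inside the TLS handshake (the server’s client-certificate verification), and the hospital would also check revocation before trusting the device.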

Security providers, such as Imprivata, have introduced several solutions for the front end described above. These include single sign-on, multifactor authentication, and patient identification to establish trust between users, technology, and the data transmitted throughout the healthcare ecosystem. Most medical patients don’t worry about their security when they go to the doctor; they simply expect that their information and health will be taken care of using reliable security measures. Unfortunately, this isn’t always the case. The Ponemon Institute has found that more than half of companies have experienced a security incident due to a careless employee. PKI can mitigate this threat by requiring nurses and doctors to use multiple layers of authentication to access patient data.

On the back end, some modern certificate authorities (CAs) have built infrastructure capable of deploying billions of certificates to connected devices. In addition to providing identity assurance for devices connecting to servers, systems and databases, these CAs offer solutions for ensuring the integrity of code and the reliability of software updates.

End-to-end authentication won’t come to fruition in the healthcare industry until device manufacturers, hospitals, insurance companies, software vendors and security providers recognize their shared responsibility and begin working collaboratively. Because of the rising number of exploits in healthcare, cybersecurity is becoming much more of a pain point for those in the industry. This pain is causing some to act and put better security in place. However, the industry has a long way to go. For now, only one question remains: will we respond to anything other than pain?