Security Environments Using Passwords Are Obsolete

All provider organizations face password-management problems because no provider has a single-vendor enterprise application portfolio. The key challenges for password management are the following:

  • The absence of systemized password management. (This should be rare as the occurrence of ransomware and other security attacks has prioritized security in the executive suite. Most healthcare organizations have implemented single-sign-on solutions to mitigate this risk.)
  • The use of personal password managers by employees to manage risk.
  • Failure to implement an enterprise password-manager solution for all applications.
  • Failure to manage password rights and roles for individual employees.
  • Failure to remove passwords for employees leaving the organization.

We have all observed people writing down passwords so as not to forget them, or have done it ourselves. That drives people to use password managers, which create a new security risk. How many times have we observed people sharing passwords? How many of us use the same password for multiple environments to reduce the frustration of remembering multiple complex passwords?

IT professionals spend 20% of their time on passwords, and that work is one of the least-efficient uses of their time. Freeing up IT people from monitoring and managing password security allows them to become enablers rather than administrators. So, it is not surprising that four out of five global data breaches are caused by weak or stolen passwords.

New Personal Authentication Techniques Improve System Security

The global cost of cybercrime is $2.9 million per minute. New security identity solutions are generating huge valuations and acquisition costs. Transmit Security is an example of a new company providing a next-generation identity management solution. Its solution, called BindID, combines a QR code with the phone’s face or fingerprint scan to deliver two-factor authentication in an efficient manner. BindID works as follows:

“A company could, for example, deploy a ‘login with mobile’ button at the top of their website. When the user taps that button, it calls BindID using OpenID Connect (OIDC), an identity layer built on top of the OAuth 2.0 protocol. This then throws up a QR code, which the user scans with their mobile phone to open a web browser that invokes the device’s preconfigured biometrics. The user does have to register each online account (e.g., banking or ecommerce) with BindID the very first time they access an online service. When they initially try to access a website that has BindID embedded, they will have to provide their login credentials to register their biometrics. After that, they won’t have to provide any additional credentials when accessing that particular online service on any device.”

The new model for identity management is called “frictionless.” It will eliminate the frustration people have when they forget their passwords when accessing a secure environment like a patient portal or a shopping cart. This approach also removes the need to access and enter an authorization code from your smartphone to access an application.
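The relying-party side of the OIDC flow described above, as an added example that is not BindID’s or Transmit Security’s code: it builds the authorization request with a state and nonce, stands in for the provider by minting a signed ID token after the QR/biometric step, and checks signature, issuer, audience, nonce and expiry before the user is let in. The issuer URL, client id, redirect URI and signing key are constructed placeholders, and a shared HMAC secret stands in for the provider’s published asymmetric signing key so the example runs offline.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed placeholders: the real provider endpoints, client registration and signing
# key are not on the page; a shared HMAC secret stands in for the provider's signing key.
ISSUER = "https://idp.example"
CLIENT_ID = "patient-portal-demo"
REDIRECT_URI = "https://portal.example/callback"
SHARED_SECRET = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def start_login():
    """Step 1: the 'login with mobile' button redirects to the OIDC authorize endpoint.
    state guards the callback against CSRF; nonce ties the ID token to this attempt."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "scope": "openid", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}", state, nonce

def mint_id_token(nonce: str, sub: str, lifetime: int = 300) -> str:
    """Stand-in for the provider: after the QR scan and biometric check it issues an ID token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "nonce": nonce, "exp": int(time.time()) + lifetime}
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str) -> dict:
    """Step 3: check signature, issuer, audience, nonce and expiry before trusting sub."""
    header, body, sig = token.split(".")
    expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def handle_callback(returned_state: str, stored_state: str, token: str, stored_nonce: str) -> dict:
    """Step 2: the callback must carry the state stored in this session, then the token is verified."""
    if not hmac.compare_digest(returned_state, stored_state):
        raise ValueError("state mismatch: callback did not originate from this session")
    return verify_id_token(token, stored_nonce)
```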

The Justification: Lax Security Can Be Very Expensive

There were 600 clinics, hospitals, and healthcare organizations attacked by 92 individual ransomware attacks that affected 18 million patient records in 2020. The cost of these attacks was almost $21 billion, according to a Comparitech study. Provider organizations are increasing their security budgets and staff training on “digital hygiene,” but new identity management approaches will be needed to stop the cybercriminals.

A key strategy to improve enterprise security is multifactor authentication (MFA), in which users authenticate their identity in multiple ways, such as using security tokens, an authenticator app, or a code that is sent through a text message or email. The use of face, voice, and fingerprint identification will advance to make multifactor authentication a new line of security defense for provider organizations.

The Players: Big Company MFA Solutions Will Be Applicable to Healthcare

Emerging MFA solutions are being implemented by large retail and financial companies. Representative examples are the following:

  • Transmit Security – a suite of solutions to eliminate the use of passwords across an enterprise.
  • Auth0 – MFA that can be activated and adapted whenever and wherever you choose without impacting every user.
  • WSO2 – MFA using knowledge-factor, ownership-factor, or inherence-factor approaches.

Success Factors

  1. Providers should prototype the implementation of MFA solutions in lower-risk security environments to evaluate the implementation and support processes and cost.
  2. Scalability should be a key consideration for selecting any solution to ensure the same solution is used enterprise-wide.
  3. Providers should ensure that the MFA solution integrates with and supplements other security functions.

Summary

Most healthcare organizations are still using identification and password functions to manage secure access to enterprise and departmental applications. We have all violated rules for managing passwords or creating sophisticated passwords to comply with higher security standards. Large retail and financial services companies are adopting MFA solutions that use biometrics to improve sign-on/access process efficiency for applications and portals to reduce consumer frustrations and improve engagement satisfaction. Healthcare organizations will begin to adopt these technologies to thwart ransomware attacks that have plagued organizations for several years.

The use of MFA is especially important for identity and access management for consumers that are accessing healthcare portals via their smartphones. Any outside access to an organization’s enterprise application environment invites threat actors to attack what could be a vulnerability in the organization’s security foundation. It only takes one successful attack to install malware in the organization’s IT environment that can result in costly ransomware payments to the cybercriminals.

“Passwords are like underwear; they shouldn’t stick to the wall.”

Photo credit: Sabrina, Adobe Stock