By Jerome Becquart, COO of Axiad
In 2020, we’ve seen a healthcare system stretched to its capacity. Frontline workers are battling to save lives. Management are searching for supplies and capacity. Technologists are vying to create alternative, remote healthcare solutions. Pharma and governments are racing to create a vaccine for COVID.
All of this is happening in real time, at warp speed; however, moving quickly always carries risks. Decision makers in healthcare know this. And so do hackers.
Cyber-attacks on entities within the healthcare system are nothing new. But they’ve increased in scale and frequency in recent years. In 2019, ForgeRock’s Consumer Breach Report cited healthcare companies as the most targeted sector in the nation. Almost half of the data breaches in the U.S. in 2019 were in healthcare. The total yearly cost for these breaches is nearing $20 billion dollars. We’ve got to do better.
Healthcare is a particularly enticing target for hackers for multiple reasons. Healthcare, obviously, is big business. It accounts for just over 17% of U.S. GDP according to the World Health Organization (WHO). But despite the financial might and frequency of attacks on the industry, healthcare organizations appear to be behind other industries in security investment and knowledge.
Companies contain troves of personal data on patients, which can be used for anything from identity theft to blackmail. Patient data being captured and sold is the most common type of data breach within the sector. The IP of healthcare companies is also a tempting target, given the amount of investment and profits, for corporate and state-based theft.
That last part has been in the headlines prominently lately. Recent reports have the U.S. and British governments claiming that both the Chinese and Russian governments have been actively hacking pharma companies to steal information related to a possible vaccine for COVID. With Russia announcing that they had a vaccine ready, many have theorized that it was created based off of stolen information gained by the infamous Cozy Bear hacking group.
The reality is that attacks to steal IP and patient data are likely to continue to rise, as are ransomware attacks. The question then becomes, where are the vulnerabilities and how do we stop them? The connectivity of devices and apps has become an essential component of healthcare teams. From a treatment and collaborative perspective, these technologies have benefits. But they also contain profound security vulnerabilities when not safeguarded properly.
Issue identities, institute MFA, and ditch passwords
One of, if not the most common ways hackers are gaining access to healthcare platforms is via credential theft, with phishing scams being the most frequently used method. While preventing phishing scams is in some ways a people-based problem, there are steps you can take to thwart them.
First, each person and device that connects to your systems needs to be issued a digital identity to ensure that no unknown entities can connect to your systems. You also need strong multi-factor authentication (MFA) protocols, which render stolen credentials basically useless.
Here’s how digital identities and MFA work hand-and-hand. If a hacker somehow manages to steal an employee’s credentials via a phishing scam or other method, to sign in with MFA, they need to verify their identity another way. Usually this is done with a temporary code sent to a mobile device, which should have an assigned identity in order to access your system. So when you combine digital identities with MFA, the hacker would have to somehow steal the credentials and be in physical possession of the employee’s phone—a highly unlikely—but not impossible scenario.
It’s also essential that you eliminate passwords, particularly temporary passwords issued for emergency access. Hackers actively target emails issuing temporary passwords to regain access. The healthcare industry now employs one in eight Americans (more than 16 million people), and is the largest employer in the U.S. labor market.
That’s a lot of people, with a lot of passwords, which will eventually be forgotten or lost, requiring some sort of intervention from your IT team. If, each time this happens you issue a temporary password, you’re providing ample opportunity for hackers to steal credentials. With a workforce as large as that of the healthcare industry, it’s only a matter of time before a hacker gets lucky and intercepts this email.
The above steps are best practices for any industry, so for anyone handling sensitive data on the scale that healthcare does, it’s essential. By doing those three things, you can effectively diminish the most common types of attacks. That doesn’t mean that you’re un-hackable—even an industry with compliance mandates as stringent as SAFE-Biopharma has shown that it can be breached by sophisticated hacking attacks. But the reality is, most of the attacks that cause data breaches in the U.S. today aren’t all that sophisticated. They take advantage of passwords and credentials not backed up with MFA, which is easily avoidable.
For companies, these data breaches are incredibly costly. The average healthcare data breach costs a company $6.5M, or $429 per patient record. For patients, they can be devastating on a personal and financial level, and can take many years to fully reestablish their identity and fix their credit. When it comes to something as important as the COVID vaccine, there are profound humanitarian and geopolitical consequences.
Adopting identity security technologies, instituting MFA, and moving to passwordless access isn’t complicated with the right digital security partner. There are companies that can help you achieve this, with solutions that work with your existing IAM infrastructure. There are also solutions to help your IT team easily manage identity credentials in order to reduce complexity and continuing times costs. While adopting these technologies will create additional IT security investment, those costs pale in comparison to the financial and reputational damage of a breach.
The days of firewalls and encryption as your sole security measures should be long gone. As we move to more interconnectedness, with increased online tools, a robust IT security infrastructure is necessary to deal with today and tomorrow’s threats. While identity security and credential management aren’t a silver bullet to solve all of your security needs, they absolutely have to be a part of your security portfolio if you want to keep your sensitive company and patient data safe.
About the author
Jerome Becquart is the COO of Axiad, a credential management platform headquartered in Santa Clara, CA with offices in Canada and India. He has over 20 years of experience in identity, credential, and access management solutions.
