Healthcare: In dire need of stronger authentication

Money comes and goes, but if you have your health, you have just about everything, goes the old saying.

Hackers, as it happens, feel the same way – except those feelings are directed not at your health, but at your health records. Surprisingly enough, those are valued even more highly than financial records by cyber-thieves. “On the black market, where the bad guys sell this stuff, the value of a medical record is easily 10 times more than a credit card account number,” privacy expert Larry Ponemon, founder of the Ponemon Institute, told NBC News in an interview.

Indeed, of all data breach targets in the first half of 2017, the healthcare industry was number two, behind the financial industry – but healthcare experienced the biggest increase over the previous year's percentage of total breaches, with 30.7% of all reported breaches versus 22.6% in the first half of 2016. Major hacks have already caused major damage to hospitals, HMOs, insurance companies, and doctors' networks, with irate patients suing as their personal medical details are revealed, and regulators deciding that the medical industry can't be trusted to watch its own data. How can the industry defend itself? And what can it learn from other industries that have had successes – and failures – in securing their data?

Health records are a popular target because they’re rich in data. Not only do they contain that all-important Social Security number, but they also contain medical history, date of birth, insurance information, and possibly the credit card number used to cover co-pays. Insurance giants like Allstate and Aflac, for example, now pay claims within a day, so if hackers get hold of user details, they could file phony claims, get paid, and disappear before anyone has a chance to check. Other possibilities: using information about diseases and conditions to blackmail those suffering from those conditions, opening up credit card accounts and/or filing for tax refunds using a victim's Social Security number, or stealing victims' identities altogether.

What's surprising – if not shocking – is that the industry apparently does not realize how vulnerable it really is. “There’s definitely more value” in purloining medical information than in stealing financial records, said Ponemon, “but unfortunately, a lot of the healthcare organizations that we’ve studied have been laggards in cyber security.”

“Laggards” is putting it mildly. A survey by Sophos shows that the healthcare sector had one of the lowest rates of data encryption, with only 31% of healthcare organizations reporting extensive use of encryption – less than in any other industry surveyed, including IT, telecom, utilities, financial services, and even retail. Twenty percent of healthcare industry firms said they didn't bother encrypting their data at all.

Healthcare currently accounts for some 6% of the US GDP – but that figure is set to rise to an astounding 25% by 2025. Surely the CEOs and directors of large healthcare industry organizations are aware of how common hacking is – and how vulnerable they are to attack. How could the security situation have been allowed to get so far out of hand?

The healthcare IT infrastructure is unique in that healthcare records need to be accessible to numerous groups on an always-on basis. In finance, by contrast, a specific officer or team will work on a client file for a specific period of time; hospital records may be accessed by doctors, nurses, LPNs, social workers, the payments department, or the insurance department – perhaps several times a day, if the patient's health situation is fluid. Even if authentication is implemented, it's probably meaningless, because a large number of people on staff will have the credentials to access the data – and as we all know, the more people with access to a secret, the less of a secret it is. Ditto for doctors in their own practices, who are very busy and may work with numerous hospitals, HMOs, and insurance companies. Some of these may use authentication to control access, but doctors will likely hand out the login/password details that most of these systems require to many employees, because they all need access to the records. In some practices, patients themselves are allowed to access their records. Thus security is extremely low, even with authentication.

The results of this “laggardness” are there for all to see. It became painfully apparent that Molina Healthcare, a large Medicaid and Affordable Care Act insurer, was not using any authentication at all: all it took was changing a number in a URL for anyone to access any patient's records, no login/password needed. The company shut down the records site as soon as it became aware of the problem, but it's possible that the flaw was in place for months before that. There have not been any reports of regulators taking an interest either – but it would certainly be understandable if there were.
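The flaw described above is an access-control failure: the record is selected by a number in the URL, and nothing checks who is asking. As an added illustration (not code from Molina or from the author), here is a minimal Go handler pair over a constructed in-memory store and a hypothetical Session type: the first function serves whatever id it is given, the second requires a session and checks that the caller is that patient or a staff member assigned to them.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is a constructed sample; PatientID is the number a URL like /records/42 carries.
type Record struct {
	PatientID int
	Notes     string
}

var records = map[int]Record{ // constructed sample store, not real data
	41: {41, "constructed: allergy list"},
	42: {42, "constructed: lab results"},
}

// Session is the hypothetical authenticated caller: a patient (UserID equals
// the record id) or a staff member with an explicit set of assigned patients.
type Session struct {
	UserID   int
	Assigned map[int]bool
}

var ErrUnauthenticated = errors.New("unauthenticated")
var ErrForbidden = errors.New("forbidden")
// GetRecordVulnerable mirrors the flaw above: no login, no ownership check, any id served.
func GetRecordVulnerable(id int) (Record, error) {
	if r, ok := records[id]; ok {
		return r, nil
	}
	return Record{}, errors.New("not found")
}

// GetRecordHardened requires a session, then checks the caller may read this patient
// before any lookup, so an outsider cannot even enumerate which ids exist.
func GetRecordHardened(s *Session, id int) (Record, error) {
	if s == nil {
		return Record{}, ErrUnauthenticated
	}
	if s.UserID != id && !s.Assigned[id] {
		return Record{}, ErrForbidden
	}
	return GetRecordVulnerable(id) // authorization already passed
}

func main() {
	_, err := GetRecordHardened(&Session{UserID: 41}, 42)
	fmt.Println("patient 41 reading record 42:", err) // forbidden
}
```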

Clearly, something needs to be done – but the solution requires something that can accommodate the work-style of the healthcare industry in a way that traditional authentication does not. Not that the usual login/password method of authentication is a paragon of security, either; the big hacks of banks and credit card firms in recent years have almost all been due to hackers acquiring user login credentials (usually via malware, inserted into a corporate network via some phishing scam).

To compensate for the insecurity of logins/passwords, many organizations are now using two-factor authentication, with the second factor either a code sent via text message or biometric identification. Second-factor authentication based on text messages is probably a non-starter for the medical industry, because of the extra work involved in having to type in the code in order to get to data. In addition, NIST (the US National Institute of Standards and Technology), which sets policy for technology-related issues, is less than enthusiastic about SMS 2FA, recommending it essentially because any 2FA is better than none – although, the agency says, organizations should avail themselves of more secure methods if possible. As far as biometrics goes, it needs to be used in conjunction with another effective authentication factor, as it is not accurate enough to stand on its own, according to NIST.

If healthcare wants more security, it needs an effective authentication system that matches the way professionals in the industry work – and it should be more secure than the less-than-effective methods used in other industries. One method that could work very well is password-less authentication. Systems are only as strong as their “weakest link,” and in many authentication systems that weakest link turns out to be the primary one – passwords, which are relatively easy for hackers to pilfer.

So long as authentication is based primarily on human-defined and -managed passwords, systems will be compromised. Whether they use sophisticated social engineering to persuade users to surrender their passwords, cracking tools to try password combinations until they get it right, or malware that installs key loggers that report back authentication information, hackers have the edge over users in getting around password-based authentication systems. Often hackers don’t even have to resort to those tactics; despite training, warnings, and even threats, users fail to set strong enough passwords or change them on a regular basis, often making them easy for hackers to guess. And many users make the mistake of using the same password on multiple accounts – which means that when hackers get the information they seek, they win the “data lottery,” getting access to much more than even they expected.

By having password-less authentication, security gets better, because that weak link gets strengthened significantly; with no passwords, there is nothing for hackers to socially engineer users out of, and nothing to guess at. And users are relieved of the burden of having to remember their passwords, and remembering to change them. With password-less authentication, medical industry professionals get the best of both worlds – top-level security, but implemented in a way that doesn't crimp their work-style. As a result, they will be able to spend less time dealing with security concerns – leaving them more time to concentrate on their work of saving lives without having to take on extra security tasks. Regardless of what system they do choose, healthcare industry firms need to do something to shore up their data. Setting up authentication – the right kind of authentication – is an absolute priority for them, and for the rest of us.
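To make the “nothing to phish, nothing to guess” argument concrete, here is an added Go sketch of one way to do password-less login: a challenge-response over Ed25519 keys. It is an example written for this page, not the author's design or Secret Double Octopus's product, and the Server and Device types are assumed. The server keeps only a public key per user plus a single-use random challenge; the device signs the challenge with a private key that never leaves it, so nothing reusable crosses the wire or sits in the server's database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only public keys, so there is no password to phish, guess or leak.
type Server struct {
	keys    map[string]ed25519.PublicKey // user -> enrolled device public key
	pending map[string][]byte            // user -> outstanding single-use challenge
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Enroll registers a device's public key for a user (done once, out of band).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh 32-byte random nonce that the enrolled device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge and consumes it, so a
// response captured on the wire cannot be replayed; users with no enrolled key fail here.
func (s *Server) Verify(user string, sig []byte) bool {
	c, issued := s.pending[user]
	pub, enrolled := s.keys[user]
	delete(s.pending, user)
	return issued && enrolled && ed25519.Verify(pub, c, sig)
}

// Device holds the private key, which never leaves the user's device; only a
// signature over the server's challenge goes over the wire.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv}, pub, nil
}

func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
```

A real deployment would also bind the challenge to the origin and session and rate-limit attempts, which this sketch leaves out.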

By Raz Rafaeli, CEO of Secret Double Octopus

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
