By David Schulz, MD
Proving Identity
"What I tell you three times is true."
– Lewis Carroll, The Hunting of the Snark
Ancient Problem Needs New Solution
Identity theft is as old as the Bible: in Genesis, Jacob purloins his brother Esau’s identity to steal his birthright. You may recall that Rachel encouraged her son to use two proofs of identity: to bring the nearly blind patriarch Isaac food appropriate from a hunter, and to wear animal hide on his arm to imitate his brother’s hairiness. Today’s cybersecurity experts would say that Rachel defeated “two-factor security,” which explains why your phone and password may soon be insufficient to authenticate your identity.
The healthcare industry, with its ever-growing use of remote medicine and Internet connectivity for devices accessing Protected Health Information (PHI), and facing Health Insurance Portability and Accountability Act (HIPAA) obligations, is woefully behind in implementing multi-factor authentication (MFA). MFA is a layered approach to proving identity, already prevalent in banking, shopping and some healthcare applications, but most ‘patient portals’ still rely on passwords alone. That is a frightening concept when the most common passwords in 2022 remain “12345678” and “PASSWORD.”
Why implement MFA? Because even if one factor (like your password) becomes compromised (and almost all are available on the deep web for a pittance), unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts. Today, two-factor security generally involves accessing a second device, primarily a phone, to authenticate identity; but even Rachel beat 2FA four millennia ago. For PHI in a world of IoT (Internet of Things), three-factor authentication will become common in the near future.
The National Institute of Standards and Technology (NIST) defines the three authentication factors as “something you know” (password); “something you have” (phone, pad, dongle); and “something you are” (fingerprint, retina scan, facial recognition).
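As an added illustration that is not part of the article: a Python sketch of a login check for remote EPHI access that verifies a password (something you know) and an RFC 6238 one-time code (something you have), then grants access only when the proven factors span at least two distinct NIST categories, so a password plus a security question still counts as one factor. The salt, password, security answer and the RFC 6238 reference secret are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials: a salted password hash and the RFC 6238
# Appendix B test secret, used only so the example runs offline.
DEMO_SALT = b"demo-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_SECURITY_ANSWER = "demo-answer"

# NIST category for each factor type this (hypothetical) portal accepts.
FACTOR_CATEGORY = {"password": "know", "security_answer": "know", "totp": "have"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check, tolerating +/- `skew` time steps of clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))


def verify_password(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    return hmac.compare_digest(candidate, DEMO_PASSWORD_HASH)


def satisfied_categories(attempt: dict, now: int) -> set:
    """Return the distinct NIST categories actually proven by this login attempt."""
    checks = {
        "password": verify_password,
        "totp": lambda v: verify_totp(DEMO_TOTP_SECRET, v, now),
        # A second knowledge factor proves nothing beyond "know".
        "security_answer": lambda v: hmac.compare_digest(v, DEMO_SECURITY_ANSWER),
    }
    return {FACTOR_CATEGORY[name] for name, check in checks.items()
            if name in attempt and check(attempt[name])}


def authorize_remote_ephi_access(attempt: dict, now: int, required: int = 2) -> bool:
    """Grant only when at least `required` distinct categories were proven."""
    return len(satisfied_categories(attempt, now)) >= required
```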
At the moment, although two-factor authentication is not required for HIPAA, it can help pave the way to HIPAA compliance and is urged by the U.S. Department of Health and Human Services (HHS). The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment. Two-factor authentication (2FA) has become necessary for other healthcare compliance obligations as well, including the Drug Enforcement Administration's Electronic Prescription for Controlled Substances rules and the Payment Card Industry Data Security Standard (PCI DSS).
According to a report released by Microsoft, organizations that implement MFA reduce their cybersecurity risk by 99.9%. This is because the most common cause of cyberattacks stems from the use of stolen login credentials, with 81% of breaches caused by stolen credentials.
What’s even more concerning is that 55% of organizations in the U.S. suffered from at least one successful phishing attack last year. With only 11% of organizations utilizing MFA or 2FA, these attacks have left many organizations vulnerable to data theft.
According to HHS, “It’s more important in the post-pandemic era for covered entities to develop and implement tighter policies and procedures for authorizing EPHI access. It is crucial that only those workforce members who have been trained and have proper authorization are granted access to EPHI.” It recommends two strategies for risk management: implement two-factor authentication for granting remote access to systems that contain EPHI; and implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.
Isaac Blessing Jacob, Govert Flinck, c.1638. Oil paint on canvas. Image copyright Cybersecurity & Infrastructure Security Agency and the Department of Homeland Security (DHS).
What is to be feared is not only a HIPAA violation but the hostage-taking of an organization’s entire data and communication network. The FBI, along with HHS and CISA, has issued a warning to healthcare organizations stating that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Ransomware attacks have become more prevalent as of late with hackers exploiting the coronavirus pandemic in several ways. First it was hackers impersonating the CDC and WHO by sending out fake COVID tracking maps. Then it was hackers targeting remote workers by impersonating popular companies such as Microsoft Corporation. Now, the Federal Bureau of Investigation (FBI) is warning healthcare organizations about a new ransomware threat, based on Russia giving free license to cybercriminals attacking the United States infrastructure, including hospitals and emergency services.
For patients, MFA will likely mean additional steps to access the healthcare portals on which they’ve come to rely. Communicating annually with patients about the importance of safeguarding their Protected Health Information is a great way to both show proper stewardship and to explain any new privacy procedures they may need to adopt to satisfy MFA.
David Alex Schulz, CHP is a community member of the BCMS Publications Committee.