User Authentication IS THE MOST Common Cyber Risk for Hospitals and Health Systems
User authentication shortcomings, endpoint data leakage, and excessive end-user permissions are three of the most common cyber risks facing health systems and hospitals.
I have been reviewing security profiles in the healthcare space for at least the past 10 years, focusing primarily on cybersecurity risks to hospitals and their related business associates.
User authentication deficiencies always seem to top the list, consisting of weaknesses in both identifying the user and verifying the appropriate level of access to networks, servers, applications or workstations.
This reflects recent industry-wide studies that suggest access management will be one of the largest IT concerns across the healthcare sector in 2019. Ref: https://www.crowe.com/news/top-risk-areas-healthcare-organizations-face-in-2019
Weak password strength requirements, missing single sign-on controls, and failure to lock accounts after too many failed login attempts are the three primary risk areas related to user authentication. Related bad practices include the use of a generic password, physically posting passwords in a workspace, and/or sharing credentials over external networks via unencrypted email.
All organizations, not just hospitals, should view authentication flaws as critical, especially since 80% of all data security breaches occur from the inside out. I’ve written too many articles and white papers on what inside-out means, but it’s based on the truth that perimeter security methods are antiquated and basically ineffective…
Here’s the scoop: a phishing email is sent to all users, one of the masses clicks on the phishing attachment, the device and the user become compromised, the bad actor moves through the internal network exploiting all those trust relationships, the bad actor eventually gains administrative privilege, and then steals all of your data.
The above is the common sad story that unfortunately recurs all too often. Same story, different organization. How common, you ask? Check out my articles from last year on the volume of, and predictions regarding, security breaches in hospitals and health systems, which leverage the actual security breaches reported to the US Department of Health and Human Services.
- http://blogs.catapultsystems.com/ehiggins/archive/2018/10/23/healthcare-data-breaches-on-the-rise/
- http://blogs.catapultsystems.com/ehiggins/archive/2018/11/05/quick-stats-healthcare-ransomware-attacks/
In more recent surveys, 90 percent of organizations reported having password or token management policies and procedures but lacked the technical implementation of tools that support those policies and procedures. Note that discrepancies between policy and technical implementation expose the organization to significant monetary penalties in the event of a breach-related investigation. As researchers recommend, hospitals and health systems should perform risk analysis around user authentication deficiencies, but they must also ensure that the controls are properly implemented.
It is rather ironic that, year after year, most security breaches are initiated by exploiting a weakness in user authentication (in one form or another). Another irony is that the majority of these weaknesses can be eliminated through the implementation of multi-factor authentication, strong password requirements, and self-service password reset. None of these solutions introduces any difficulty for end users, whether doctors, nurses, administrators, or hospital executives. In fact, recent advancements in password management and multi-factor authentication have made the act of securely logging on even faster and easier.
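Two of the controls named above, password strength requirements and locking an account after too many failed login attempts, are simple enough to show end to end. The following Python is an added example written for this post, not code from the author or from any product mentioned here. The policy values (12-character minimum, 5 failures, 15-minute lockout), the PBKDF2 work factor, and the short list of "generic" passwords are all assumptions chosen for illustration; a real deployment would draw the generic-password check from a large breached-password list and would add multi-factor authentication on top of this.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of "generic" passwords for illustration only; a real
# deployment would check against a large breached-password list.
GENERIC_PASSWORDS = {"password", "password1", "welcome1", "hospital1",
                     "letmein", "summer2019", "changeme"}

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_policy_violations(password: str) -> List[str]:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in GENERIC_PASSWORDS:
        problems.append("matches a generic password")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class Authenticator:
    """Verifies credentials and locks an account after repeated failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so lockout expiry can be tested deterministically
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        """Enforce the password policy before an account is created."""
        problems = password_policy_violations(password)
        if problems:
            raise ValueError(f"password rejected: {', '.join(problems)}")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        account = self.accounts.get(username)
        if account is None:
            # Do the same hashing work for unknown users so response time does
            # not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        now = self.clock()
        if now < account.locked_until:
            return "locked"             # still inside the lockout window
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0  # a good login clears the failure counter
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= self.max_failures:
            account.locked_until = now + self.lockout_seconds
            account.failed_attempts = 0
            return "locked"             # this failure triggered the lockout
        return "denied"


if __name__ == "__main__":
    auth = Authenticator(max_failures=3, lockout_seconds=900)
    auth.register("nurse.jane", "Correct-Horse-Battery-42")   # constructed sample account
    for attempt in ["wrong", "wrong", "wrong", "Correct-Horse-Battery-42"]:
        print(attempt, "->", auth.login("nurse.jane", attempt))
```

The lockout returns the same "locked" answer whether the supplied password was right or wrong, so an attacker who has tripped the threshold learns nothing further from the response, and the unknown-username path performs the same hashing work as the known-username path so that timing does not enumerate accounts. The `clock` parameter exists only so the expiry of the lockout window can be exercised without waiting.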
Wishing you all a very safe, happy, and uneventful New Year.
Until next time,
Ed