Privacy & Security

Ransomware attacks highlight critical need to move beyond just usernames and passwords

Hospitals not already using modern tools for two-factor authentication, such as facial recognition and push notifications, should take note of how they can block malware and other common cyberthreats.
By Bill Siwicki
June 13, 2017
03:25 PM

The ongoing successful ransomware attacks against hospitals demonstrate how two-factor authentication technologies could strengthen security postures, at least according to security vendors.

“Many ransomware attacks start with access to a client machine that then gets propagated throughout a network. But if additional protections were in place, the propagation is minimized and you are not left susceptible to a broader exposure to the ransomware,” said Marc Boroditsky, vice president and general manager of two-factor authentication security vendor Authy.

[Also: Webinar: Preventing and dealing with ransomware attacks]

Boroditsky and George Brostoff, co-founder and CEO of SensibleVision, a multi-factor authentication security vendor that specializes in facial recognition technology, said that many healthcare organizations still rely on usernames and passwords alone.

The Office of the National Coordinator for Health IT tracks hospitals using two-factor authentication and said in a 2015 report that half of non-federal acute care organizations had the technology and, since that was up 53 percent since 2010, it’s a reasonably safe bet that even more hospitals have two-factor authentication today. Likewise, however, it’s expected that many do not.

Two factor authentication, by its very nature, is a stronger way of safeguarding networks, systems and sensitive health data. So, for example, in addition to “something you know,” which would be a username and password, a user would be required to provide “something you are,” a biometric measure like a fingerprint, for instance, or “something you have,” like a token.

[Also: Christian Slater is on the prowl for your medical records]

That makes it much more difficult for a cybercriminal who can get past a username and password to gain access.

“In healthcare, workstations are key. And this is where two-factor authentication comes in,” Brostoff said. “The devices we access are the front doors to the house, and two-factor authentication creates a transparent and powerful lock for those front doors.”

The most common form of two-factor authentication today is sending a code via voice call, text message or e-mail to a user, who then enters the code where indicated. This is on top of a username and password, the first of the two factors of authentication. Authy now sends out these second-factor codes via mobile push notification.

“You receive a push notification like in a typical mobile app experience, but it carries a message asking you to Approve or Deny something,” Boroditsky said. “You just click Approve or Deny, and the security is based on relying on the fact the phone is in the physical possession of the user and they have secure access to their phone.”

[Also: HHS task force says healthcare cybersecurity in 'critical condition']

SensibleVision, for its part, offers a biometric system for two-factor authentication that measures the distances between points on a user’s face to uniquely identify them from the camera in a mobile device or laptop or mounted on a PC.

“The whole time a clinician is in front of a device, we know who they are,” Brostoff said. “It eliminates the need to constantly re-authenticate when they issue a prescription or to have to put in a password again or to have a very short time that locks the device to meet HIPAA requirements.”

When first signing in using the facial recognition technology, which is the first factor of authentication, the system that first time asks the user to complete a challenge, which is the second factor of authentication.

“The user touches a series of secret shapes, touches the fingerprint sensor or does another security mechanism while their face is being scanned, so the two factors are something you are, your face, and something you know, the security challenge,” Brostoff said. “The multi-factor authentication takes place in one or two seconds.”

Critics of two-factor authentication say adding another factor to the security equation harms the user experience, adding a layer of security that gets in the way of a user. Two-factor authentication proponents have a simple answer for that critique.

“Two-factor authentication does hurt the system user experience, there is no doubt about it,” Boroditsky said.

But security is not intended to be convenient, he said.

“Where the world is today online, the sort of free-wheeling experience of decades ago is no longer possible for us to be able to conduct every aspect of our lives online without the expectation to take the extra step or two to protect online activities,” Boroditsky said. “The challenge is to make it as convenient as possible.”
 

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Privacy & Security

More regional news

Nurses huddled together look at electronic health records on a tablet.

Epic and Marquette collaborate on EHR training for nursing students

By
Andrea Fox
October 31, 2023
HHS headquarters in Washington

New information blocking rules from HHS could cost noncompliant providers thousands

By
Mike Miliard
October 31, 2023
Physician using multiple EHRs and IT systems

Clinician EHR struggles compromise patient care, study shows

By
Nathan Eddy
October 31, 2023
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

HHS headquarters in Washington
New information blocking rules from HHS could cost noncompliant providers thousands

Most Read

Guardrails, data governance key to solid generative AI outcomes
AHA security leader sees 'AI-fueled cyber arms race'
Multiple data access deals signed in Korea for digital health research
FBI dismantles Qakbot malware targeting hospitals
Boards are grasping cyber threats, but CISOs still feel underprepared
Is your hospital ready for 3-4 weeks of downtime?

Research

White Papers

More Whitepapers

Artificial Intelligence
Analytics
Precision Medicine

Webinars

More Webinars

Analytics
Analytics
Privacy & Security

Video

Elise Kohl-Grant, cochair of the programming committee at the HIMSS New York State Chapter
New York State Chapter of HIMSS focuses on health equity
Dr. Michael Poku, chief clinical officer at Equality Health
Addressing health equity's cost curve
Dr. Michael Pfeffer at Stanford Health Care_Photo: Doctor using tablet by Sean Anthony Eddy/E+/Getty Images
CIO Spotlight: Dr. Michael Pfeffer of Stanford Health Care
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link

More Stories

A pharmacist doing an inventory using a digital tablet.
There is no escaping making investments in cybersecurity...
group of healthcare workers talking over hospital bed
Modernizing clinical placement to accelerate clinician training and recruitment
A male doctor sits with another man and they are looking at SDOH data on a mobile device.
Tufts Medical Center to pilot nutrition screening in EHR
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link
Yale New Haven Health
Yale New Haven radiologists boost CT scan reviews with AI
Dubai Health Authority
The current state of Dubai’s healthcare digital transformation journey
Leah Dewey, VP of clinical and consumer engagement operations at Cotiviti.
Payers have a part to play in addressing health disparities
Christie Teigland, vice president of research science and advanced analytics at Inovalon.
Medicare Advantage plans' star ratings to be affected by Health Equity Index