OCR Urges Healthcare Entities to Reassess AuthenticationExperts Analyze Why Some Organizations Resist Adopting Multifactor Authentication
Federal regulators are urging healthcare sector organizations to reassess whether their authentication methods need strengthening to help prevent data breaches.
In its latest in a series of monthly cyber awareness newsletters, issued on Nov. 7, the Department of Health and Human Services' Office for Civil Rights suggests that healthcare entities revisit their authentication strategies.
But some security experts assert that the newsletter should have more strongly advocated much broader use of multifactor authentication because it can play a powerful role in breach prevention.
"Over the past years, the healthcare sector has been one of the biggest targets of cybercrime," OCR notes. "Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider strengthening their authentication methods."
OCR notes that the "person or entity authentication standard" in the HIPAA Security Rule requires that covered entities and business associates implement "reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
In addition to authentication methods using "something you know," such as a password, other more robust multifactor authentication methods to consider, OCR says, include adding the use of "something you are," such as a fingerprint, signature, voiceprint, or retina or iris pattern; and "something you have," such as a smart card or token.
In the newsletter, OCR reminds organizations to conduct a comprehensive enterprisewide risk analysis to help "identify the vulnerabilities of their current authentication methods and practices, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach - if it occurs - can impact their business and mission."
The risk analysis process "helps entities rate the level of the risk and determine ... if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the service or process associated with a particular authentication risk," OCR notes.
Advice Comes Up Short?
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, criticizes the latest alert from OCR as coming up short, saying it "did little or nothing to promote the use of multifactor authentication."
Small provider organizations are typically unaware of risks surrounding user authentication and their options, she says. "However, they are increasingly using vendor-hosted electronic health records ... and yet I see little or no effort on the vendors' part to promote and support multifactor authentication," she adds.
"Mid-size providers, such as community hospitals, are more likely to be aware of user authentication risks, particularly when accessing cloud-based [electronic health record] systems. But they are faced with budget and resource constraints and competing priorities. And the cost of multifactor authentication can be a hard sell at the senior leadership level."
Many healthcare data breaches could have been prevented by multifactor authentication, says Dan Berger, CEO of the security consulting firm Redspin.
"Not only is multifactor authentication secure, but its mere existence acts as a deterrent to hackers," Berger says. "Hackers always gravitate to the easiest path - and cracking a multifactor authentication implementation is incredibly time-consuming."
Cris Ewell, CISO at University of Washington Medicine, points out, however, that while multifactor authentication can help to prevent some unauthorized access to systems, it cannot eliminate all risk. "For example, if an authenticated user clicks on a message with malware and this installs a rootkit that gives full access, the adversary has the potential access to a system without multifactor authentication," he notes. "Server-to-server communication is not generally controlled through the use of multifactor authentication - other than certs - and once an individual gains access, they can use service accounts to get around multifactor authentication."
Ewell says his organization uses multifactor authentication for administrative access to servers to help reduce the risk of unauthorized access. "We have not deployed multifactor for remote access for the general user population yet, but are looking at options," he adds.
Among challenges that complicate the implementation of multifactor authentication in healthcare environments are issues related "to how to integrate it into the medical system or overall internal authentication systems," Ewell notes. "In complex environments, it is not as easy as buying tokens and turning on the multifactor authentication system. There is a high level of integration that needs to take place and be well planned."
Keith Fricke, partner and principal consultant of tw-Security, acknowledges that costs are a major hurdle standing in the way of wider adoption of more sophisticated authentication in healthcare.
"In some cases it is an issue of perceived cost and lack of staff to support multifactor authentication," Fricke says. "In other cases, adoption may be hindered by challenges - perceived or real - in how the multifunction technology presents in the workflow of a clinician."
Similarly, Berger notes that multifactor authentication "does introduce a certain amount of extra overhead - longer login times, increased help desk calls - and user push-back - which is why OCR suggests that a risk analysis is the right process to evaluate what type of authentication should be implemented for specific entities, systems and/or applications."
User resistance, however, is always a factor when adopting any new technology, Berger says. "Users will always push back - they hate strong password policies, too," he notes. "So, while usability should be a consideration, it is just one element that goes into your risk analysis calculus."
But the cost and difficulty of multifactor implementation is also often overstated, argues Mac McMillan, CEO of security consulting firm CynergisTek. "There is a perception that using a second factor will create an unacceptable delay, which is a rationalization for 'I can't be bothered,' and the cost for many two-factor solutions today is very reasonable and far and away beats the cost of an unauthorized access or breach," he says.
User education can help ease the transition to multifactor authentication, McMillan says. "Communicate the benefits of using stronger authentication for both them and the institution," he advises. "Draw parallels between other things they do, such as accessing their bank accounts remotely, which almost always has a two-factor prerequisite, and create a technology demo area where they can see how the technology works first hand," he says.
"If that doesn't work, just give them a dose of 'tough love' [telling them]: 'This is a business network; a few seconds delay is worth not having a breach'."