It's Time to Better Protect Patient Data
The recent healthcare attacks by the hacker called “thedarkoverlord” were performed using a zero-day attack on the Remote Desktop Protocol (RDP). The hacker is bold, and is also kind enough to disclose how he got into the systems in the three attacks on US healthcare systems totaling 655,000 patient records. These networks were compromised by “using readily available plaintext usernames and passwords.” His hack on a health insurer’s database containing 9.3 million patient records was performed the same way.
Healthcare organizations relying on static passwords to protect their own assets and protected health information (PHI) are negligent. They have to face the fact that they are under constant attack in a cyberwar. Relying upon obsolete security practices only makes them easy targets. To put things in perspective, static network passwords have been in existence since the Eisenhower Administration and healthcare organizations are, so the saying goes, basically bringing a knife to a gunfight.
Username and password authentication processes must be replaced with multi-factor authentication. There are so many affordable options available that balance security with usability that healthcare systems must take action.
Additionally, health insurers and health systems need to deploy risk management tools that dynamically protect against fraudulent activities across multiple channels - identifying risk at critical steps, predicting risk levels, and taking quick action when fraud patterns are identified. Risk management tools are widely deployed by banks to detect potential fraud, but not by healthcare organizations. The fraudsters know that and will continue their relentless attack.
The time has come for the US Department of Health and Human Services (HHS) to require two-factor authentication to access any network containing PHI. Without mandates, organizations will continue to do the minimum, which simply isn’t cutting it. It is ironic: the federal government requires a doctor to use two-factor authentication to electronically prescribe a controlled substance, but has no two-factor authentication requirement to secure the nation’s health system containing 320 million patient records.
It’s certainly time to change that.
About the Author
Michael Magrath is a nationally recognized leader in field of healthcare identity management A frequent speaker and thought leader he leads healthcare business development for VASCO in North America. In addition, he is Chairman, HIMSS Identity Management Task Force which represents HIMSS’ 61,000 members with regard to national and industry initiatives on identity management, such as the National Strategy for Trusted Identities in Cyberspace Identity Ecosystem Steering Group (NSTIC IDESG) and other national policy and technical efforts. In addition, the Task Force develops tools and resources that will assist HIMSS members on identity management issues.