Health care organizations face unique security challenges, stemming from the sensitive data they regularly work with, the appetite of cybercriminals for this information, and the difficulties of fending off breaches while also wrangling with issues such as patient identity fraud. The enormous scale of the health care industry complicates all of these problems:
Data breaches are undoubtedly still a central concern for members of the health care sector, but fraud is becoming a problem of similar scope and one that exacerbates the type of damage caused by cyberattacks. For example, medical identity theft and improper billings both contribute to higher premiums and out-of-pocket costs for patients, as providers struggle to cover losses that may have already accumulated from previous incidents.
The various types of health care fraud are all well recognized as threats, yet they are under-addressed in terms of actual implemented security mechanisms. A 2015 study from The Office of the National Coordinator for Health IT found that fewer than half of U.S. hospitals possessed the infrastructure for two-factor authentication (2FA), including 35 percent of critical-access hospitals and 40 percent of rural ones.
There are many possible routes health care providers can take to protect patient data, ensure proper access controls and comply with applicable legislation such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. 2FA/multi-factor authentication is particularly appealing because it is a relatively cost-effective and user-intuitive method for mitigating risk and meeting HIPAA's standards.
Moreover, 2FA can be enforced in several ways, depending on the user population in question and the requirements of the organization. Indeed, a token utilized in tandem with a basic login could be implemented in multiple fashions:
Ideally, strong authentication in health care settings would be implemented with end-to-end token and credential management, whereby a single platform issues and authenticates all credentials. Entrust IdentityGuard provides this convenience. Under such a setup, it is not necessary to create a separate certificate authority since one is already built into, and managed by, the authentication solution.
Deployment can be done entirely on-premises, in the cloud or through a combination of the two. The deployment model will determine how employees are authenticated and where cards are printed. Entrust IdentityGuard has already helped health care institutions such as Gwinnett Medical Center in Georgia to improve their authentication practices.
"We now are able to save money across the board and deploy strong enterprise authentication for a larger group of users, and employees can carry the grid cards with their ID badges, which makes them much easier to keep track of than a key-fob token," explained Rick Allen, IT director at Gwinnett Medical Center. "In addition, the platform supports a wide array of authenticators that, in the future, can help us secure a variety of applications that also house sensitive patient information."
Health care spending is likely to continue rising in the years ahead, in turn raising the stakes for fraud reduction and secure authentication. Using 2FA/MFA and end-to-end token and credential management can give hospitals, clinics and pharmacies a stronger foothold in protecting sensitive data from theft.