Technology is transforming health care. Innovations like Artificial Intelligence, cloud computing and connected devices can improve patient care and make treatments more effective. But there’s a catch: As the healthcare industry relies more on technology, the risk of cyber attacks on its systems increases. How can we reap the benefits of the latest technological advances while keeping patients’ records safe?
The lack of password security in healthcare
The health sector is a particularly lucrative target for cybercriminals. Health records are worth up to ten times as much as other data on the dark web. According to a Trustwave report, a healthcare record can fetch up to $250 on the market compared to payment card details. That’s because healthcare records contain almost all of a person’s identifiable information. Yet there’s a lack of awareness about that in the healthcare sector. According to a recent survey by Sophos, 55% of public sector IT leaders believe their organisation’s digital data is less valuable than that of the private sector.
As a result, password security in the healthcare sector is often inadequate. That, in turn, leads to more account takeovers and dangerous data breaches.
How hackers attack
Typically, hackers use malicious software to infect the computer servers of healthcare providers. Sometimes, phishing emails are used for that purpose.
Once the software has compromised the system, it encrypts every data file it can find, making the data inaccessible. Then, it displays a ransom note demanding payment in return for the decryption keys needed to restore the locked files. The payment has to be made in cryptocurrency. Often, the demand comes with a series of deadlines for the payment. If the victim misses a deadline, the ransom demand increases, and hackers often destroy some of the files. If the hackers don’t receive the money, they discard the decryption keys to make the data permanently inaccessible.
The cost of healthcare data breaches
One of the most infamous ransomware attacks that hit companies worldwide was the WannaCry outbreak in 2017. WannaCry affected over 200,000 computers in over 150 countries. The global costs were up to £6 billion, £92 million in the UK alone. The NHS was particularly affected: although the virus was stopped within 12 hours, hospitals had to cancel around 13,500 appointments, 139 of them for patients with suspected cancer. In all, the attack cost the NHS £6 million.
A report by the Ponemon Institute shows that the cost of a breach for any industry is $408 per record, with an average cost of $3.86 million for an organisation.
Since then, not much has changed. According to the National Crime Agency (NCA), ransomware is still the most common cyber extortion method in the UK and has become more expensive for companies.
Meanwhile, criminals need fewer and fewer technical skills to commit cyber-attacks. Hackers learn from others and can often buy “off-the-shelf” malware on the darknet. Cyber attacks now range from high volume, opportunistic ones to highly sophisticated threats involving bespoke malware aimed at specific companies or industries.
In a 2021 survey, 42% of 597 health delivery organisations (HDOs) had faced two ransomware attacks in the last two years, a figure that’s likely to increase.
The security challenges in healthcare
- Staff in healthcare settings need to use multiple devices throughout the workday.
- Medical staff are often under extreme time pressure, especially in emergency services. They need fast access to patients’ data.
- At the same time, this data is highly sensitive and must not be shared. An online attack could have life-endangering consequences.
So-called distributed denial-of-service (DDoS) attacks can disrupt facilities and make it impossible to care for patients adequately.
Ransomware attacks have created delays in medical procedures and tests that caused problems for patients. According to the Ponemon study, 71% of respondents said that a successful cyber attack had resulted in longer hospital stays for patients. 65% said that the attacks increased the number of patients who had to be diverted to or transferred to other facilities. 36% saw an increase in complications from medical procedures following a ransomware attack. About a fifth said these attacks had led to a rise in their patients’ mortality rate.
These numbers show how crucial it is to protect data in healthcare. But what can be done?
What Are the Benefits of Multi-Factor Authentication?
Multi-Factor-Authentication (MFA) is essential to protect a company’s digital assets. It ensures digital users are who they say they are. It requires at least two pieces of evidence to prove the user’s identity.
Each piece of evidence must be from a different category: something they know (like a password or PIN), something they have (like a device) or something they are (fingerprint, voice, face recognition).
Even if a hacker or unauthorised user gets access to one of the factors, they can’t access the account. Requiring multiple authentication factors provides higher assurance about the user’s identity.
The most common MFA in the healthcare industry tends to be “tap and go”, where a healthcare worker uses a badge to tap in and out. If the company uses MFA, clinicians also type in a password and a code on a second device. Fingerprint authentication is used but is problematic for hygienic reasons. Often, there are a variety of authentication processes that have one thing in common: they are all relatively time-consuming. For that reason, healthcare workers frequently don’t log out of the systems. That leaves a window of opportunity for other users to access the data in this system. It can also lead to clinicians entering patient data under another clinician’s name.
How hackers use 2FA as a weapon
Only 5-10% of users across all industries use 2FA (Two-Factor-Authentication) or MFA. That means sites still have a critical mass of accounts vulnerable to remote attacks. Often, hackers switch on 2FA in victims’ accounts if the original owners haven’t done so. They then connect the account to their phone, making it almost impossible for the victims to get access again. Too often, users are left unsupported. They have no clear path to recovering their accounts and find it impossible to verify their identity. That’s another reason why account holders must turn on the 2FA or MFA option. However, companies are reluctant to force their users to adopt it. They fear it will cause too much friction, and users will eventually abandon their accounts. Multi-Factor-Authentication (MFA) is crucial to protect patients’ data, but typing in codes on another device costs precious time that this sector doesn’t have.
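A defender can watch for the takeover pattern described above, where a second factor is enrolled for the first time from a device the account has barely used. The following Python sketch is an added example, not code from the original article or from MIRACL; the log format, field names and the one-day threshold are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Assumed fields:
# timestamp, user, event, id of the device whose session performed the action.
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice login_ok dev-a1
2024-03-04T08:05:00 alice login_ok dev-a1
2024-03-05T02:10:00 alice login_ok dev-x9
2024-03-05T02:12:00 alice mfa_enrolled dev-x9
2024-03-02T09:00:00 bob login_ok dev-b1
2024-03-06T09:30:00 bob login_ok dev-b1
2024-03-06T09:31:00 bob mfa_enrolled dev-b1
"""

MIN_DEVICE_AGE = timedelta(days=1)  # assumed threshold; tune per environment


def parse(log):
    """Yield (time, user, event, device) tuples from the assumed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, event, device = line.split()
            yield datetime.fromisoformat(ts), user, event, device


def suspicious_enrollments(log, min_age=MIN_DEVICE_AGE):
    """Return (user, device) for first-time MFA enrollments performed from a
    device the account has used for less than min_age (or never logged in on)."""
    first_seen = {}   # (user, device) -> time of first successful login
    enrolled = set()  # users who already have a second factor
    alerts = []
    for ts, user, event, device in sorted(parse(log)):
        if event == "login_ok":
            first_seen.setdefault((user, device), ts)
        elif event == "mfa_enrolled":
            if user not in enrolled:
                seen = first_seen.get((user, device))
                if seen is None or ts - seen < min_age:
                    alerts.append((user, device))
            enrolled.add(user)
    return alerts


if __name__ == "__main__":
    for user, device in suspicious_enrollments(SAMPLE_LOG):
        print(f"review: {user} enrolled first MFA factor from new device {device}")
```

An alert here is a prompt for out-of-band verification with the account owner, not proof of compromise, since legitimate users also enroll from new devices.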
How to break the cycle
Cybersecurity must not only be safe, but it also needs to be easy to use. MIRACL doesn’t require users to download or store anything. All accounts are 100% resistant to ALL remote attacks, so hackers go elsewhere. MIRACL offers the following benefits:
- Provides better security: there is no need for credentials, such as usernames, passwords and OTP seeds, and no data will be stored on a mobile device.
- Affordable: Clients add users as needed, and we only bill for usage.
- Easy to implement: As a cloud-based service, MFA is simple to activate and understand.
- Just add it: MIRACL can be extended into any desktop or mobile application via web languages.
- Meets regulatory compliance: MIRACL is ideal for regulated industries, such as finance, government and healthcare, since credentials are not stored in the cloud.
- Scalable: For less than the monthly cost of a few SMS messages to a single user, MIRACL gives a company secure authentication for all its customers, employees and partners.
- Improved end-user experience: A simple 4-digit PIN is all the end-user must remember - across all applications and identities they want to access.
Unlike traditional 2FA, MIRACL requires no trade-off between user experience and security.
Working in healthcare can be stressful. Technology shouldn’t add to the workload but make accessing vital patient information easier and safer for both clinicians and patients. MFA is the best way to ensure that.