Hacking remains a constant threat, but with each security lapse, we learn something important about the shortcomings of our current data protection methods. In October 2017, for example, hackers exposed the personally identifiable information (PII) of 18,470 patients at the Henry Ford Health System in Detroit after stealing employees’ emails. With only a single layer of authentication protecting the data, the thieves could easily break into the system.
This isn’t uncommon: Verizon's data breach report found that 81 percent of all breaches are caused by stolen or weak credentials. And the healthcare industry is particularly vulnerable: In 2017, the number of data breaches totaled 328 worldwide, costing an estimated $1.2 billion. To put that into perspective, consider that the second-most vulnerable industry—technology—experienced only 48 breaches in the same year.
To protect patients’ health records, many organizations have turned to two-factor authentication to maintain data security. The goal is to go beyond passwords and add something unique to the user—making it harder for thieves to spoof.
To meet HIPAA authentication requirements, each factor must be one of the following: a password or security question, a signature or biometric (e.g., fingerprint, voice print, or iris pattern), or a mobile number to receive SMS codes. If a hacker can obtain a password but access also requires an SMS text code, the thinking goes, the organization’s data should remain secure.
However, two-factor authentication isn’t a silver bullet against all security breaches, and even though two methods are better than one, neither is truly foolproof. When implementing two-factor authentication, be wary of these shortcomings:
1. Text codes are convenient but susceptible.
SMS text codes are one of the most popular authentication methods because of their convenience. Our phones have become an extension of ourselves, and it wouldn’t take long to realize one was missing. But if it does get stolen, cybercriminals are instantly closer to infiltrating your healthcare organization. In some cases, thieves don’t even need the physical phone. There have been reports of hackers tricking mobile carriers into rerouting calls and texts to another number, after which they change passwords on accounts that use the number as a security backup.
The mobile market doesn’t have much incentive to increase security, either. Two major networks dominate the market, and the industry has remained one of the slowest to conform to two-factor authentication standards. This means that even if an employee receives the code, hackers could still exploit the network’s vulnerability.
One solution is to use a time-sensitive code that expires shortly after being sent, shortening the window of time thieves have to hijack the SMS service. You can also add an additional layer of security with 2D codes—square bar codes that read both horizontally and vertically—that hospital employees scan with an app, such as Google Authenticator, before the code is generated.
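To make the "time-sensitive code" concrete, here is an added example (not code from the article or from any authenticator product) of how an app such as Google Authenticator and the server it talks to agree on a code that expires every 30 seconds, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The server side also shows the two checks a practitioner wants: a small tolerance window for clock drift, and a replay guard so a code that was intercepted in transit cannot be used a second time. The 30-second step, the 6-digit length, the window size and the demo secret are assumptions chosen for this example; the secret is the base32 form of the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo parameters (assumptions for this example, not from the article).
STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6          # length of the code the employee types in


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def seconds_until_expiry(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How many seconds the code that is current at unix_time stays current."""
    return step - (unix_time % step)


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps on either side
    (clock drift between phone and server), and never accepts a step at or before the
    last one already used, so an intercepted code cannot be replayed."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS,
                 window: int = 1, digits: int = DIGITS):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1   # replay guard

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_step:
                continue   # same or older step than one already used: reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = 1111111111
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("code:", code, "expires in", seconds_until_expiry(now), "seconds")
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now + 5))
```

Because the code is derived from a shared secret and the clock rather than delivered over the carrier network, there is nothing for a SIM-swap or rerouted SMS to capture; the replay guard additionally limits the damage if a typed code is shoulder-surfed or phished, since it is spent the moment the server accepts it.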
2. User fatigue is a real problem.
Two-factor authentication promises an additional layer of security, but compliance can be burdensome. Perhaps that’s why Google recently revealed that less than one in 10 users have enabled the free two-factor authentication measures it offers.
Hospital staff members are constantly pressed for time, and the idea of taking extra steps, even if they’re for a good reason, won’t sound appealing. As a result, they’ll be keen on finding ways to get around their own two-factor authentication to save time—making mistakes or ignoring some of the processes altogether. This can cause technical errors and bog down the tech help desk, giving hackers a weak link to exploit.
To reduce fatigue, personalize two-factor authentication with adaptive risk assessments that analyze each user’s IP address, location, device, and credential behavior every time he or she signs in. The second factor is then triggered only when an anomaly indicates a potential risk, rather than on every sign-in.
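The adaptive approach described above, as an added example that is not from the article or from any particular vendor's product: each user gets a baseline learned from past successful sign-ins (network, country, device, usual hours), every new sign-in is scored against it, and the second factor is requested only when the score crosses a threshold. The sign-in fields, the weights, the threshold and the sample history are all constructed assumptions; a real deployment would feed in geolocation and device-fingerprint data from its identity provider and tune the weights against its own help-desk and incident data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt. Fields and values are constructed for this example."""
    user: str
    ip_prefix: str             # e.g. "10.20." for the hospital LAN; stand-in for ASN/geo lookup
    country: str
    device_id: str             # stand-in for a device fingerprint or managed-device certificate
    hour_utc: int
    failed_before_success: int # wrong-password attempts immediately preceding this sign-in


@dataclass
class Baseline:
    """What is 'normal' for one user, learned from past successful sign-ins."""
    ip_prefixes: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


def build_baselines(history: List[SignIn]) -> Dict[str, Baseline]:
    """Fold a list of past successful sign-ins into one Baseline per user."""
    baselines: Dict[str, Baseline] = {}
    for ev in history:
        b = baselines.setdefault(ev.user, Baseline())
        b.ip_prefixes.add(ev.ip_prefix)
        b.countries.add(ev.country)
        b.devices.add(ev.device_id)
        b.hours.add(ev.hour_utc)
    return baselines


# Illustrative weights and threshold (assumptions, not a published standard).
WEIGHTS = {
    "new_network": 2,
    "new_country": 3,
    "new_device": 3,
    "unusual_hour": 1,
    "repeated_failures": 2,
}
STEP_UP_THRESHOLD = 3


def risk_score(baseline: Baseline, ev: SignIn) -> Tuple[int, List[str]]:
    """Score one sign-in against the user's baseline; also return the reasons for audit logs."""
    reasons: List[str] = []
    if ev.ip_prefix not in baseline.ip_prefixes:
        reasons.append("new_network")
    if ev.country not in baseline.countries:
        reasons.append("new_country")
    if ev.device_id not in baseline.devices:
        reasons.append("new_device")
    if ev.hour_utc not in baseline.hours:
        reasons.append("unusual_hour")
    if ev.failed_before_success >= 3:
        reasons.append("repeated_failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def requires_second_factor(baselines: Dict[str, Baseline], ev: SignIn) -> Tuple[bool, int, List[str]]:
    """Decide whether to prompt for the second factor. A user with no baseline yet
    (first sign-in, or an account nobody has used) is always challenged."""
    baseline = baselines.get(ev.user, Baseline())
    score, reasons = risk_score(baseline, ev)
    return score >= STEP_UP_THRESHOLD, score, reasons


# Constructed history for one ward nurse: same tablet, hospital LAN, morning shifts.
HISTORY = [
    SignIn("jdoe", "10.20.", "US", "ward-tablet-7", 7, 0),
    SignIn("jdoe", "10.20.", "US", "ward-tablet-7", 8, 0),
    SignIn("jdoe", "10.20.", "US", "ward-tablet-7", 9, 1),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    routine = SignIn("jdoe", "10.20.", "US", "ward-tablet-7", 8, 0)
    suspicious = SignIn("jdoe", "203.0.", "RU", "unknown-laptop", 3, 4)
    for ev in (routine, suspicious):
        print(ev.device_id, "->", requires_second_factor(baselines, ev))
```

The routine sign-in scores zero and the nurse is never interrupted, while the same account arriving from a new network, a new country, an unknown device, at 3 a.m., after four failed passwords, is challenged and the reasons are available for the security team's logs. Keeping the score and reasons separate from the yes/no decision is what lets the threshold be tuned later without touching the scoring rules.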