Featured Health Business Daily Story, May 17, 2016

Passwords May Never Die, but Authentication Will Keep Evolving

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

By Lauren Clason, Associate Editor
May 2016, Volume 16, Issue 5

Recent reports suggest that approximately half of hospitals now have the capability for two-factor authentication, but don’t expect the easily cracked password to disappear anytime soon. Just because a hospital has the infrastructure for two-factor authentication doesn’t mean all of its employees use it, and stolen credentials remain one of the most common gateways attackers use.

A November study from the Office of the National Coordinator for Health IT (ONC) found that, as of 2014, 49% of non-federal acute care hospitals had the capability for two-factor authentication. Since 2010, the share of hospitals with this capability has grown by 11% each year.

Passwords, however, are still very much alive, and often very weak. According to the 2015 Verizon Data Breach Investigations Report, 50.7% of web app attacks were executed with stolen credentials. Old-fashioned guessing is still in use, too: Verizon attributed 6.8% of web app attacks to “brute force,” in which an attacker gains access simply by trying a user’s log-in with one guessed password after another until one works.

Password management company SplashData released its fifth annual Worst Passwords List on Jan. 20, with the two most commonly leaked passwords, “123456” and “password,” taking the top spots for the fifth year running. SplashData compiled its report from roughly 2 million passwords that leaked in 2015. (The next two most commonly leaked were “12345678” and “qwerty,” the keyboard-row equivalent of “123456.”)

Passwords Are Far From Extinct

While it’s safe to say that many covered entities (CEs) have stricter requirements for company log-ins, the password is still far from foolproof and very far from extinct. Lisa Gallagher, vice president of technology solutions for the Healthcare Information and Management Systems Society (HIMSS), tells RPP that the health care industry still relies mostly on the traditional username-and-password combination.

“We’re not very far along in the trajectory,” Gallagher says, noting that the industry only in the past couple years began identifying stolen credentials as the primary vulnerability. “I do think we recognize that’s the direction we need to head.”

Implementing multi-factor controls for an entire health system staff isn’t always feasible on a budget, and different uses call for different levels of authentication. Darren Lacy, chief information security officer for Johns Hopkins Medicine, believes the password still has purpose depending on the user’s access.

“I think passwords have a lot of value,” Lacy tells RPP. “They’re just going to be appended with some other form of authentication. For a lot of people, it will be either token-based or one-time passwords, those types of things. That could change, but I suspect passwords will be around for a while.”


Johns Hopkins uses a mix of authentication methods for its staff. Administrators, remote users and other workers who need access to crucial information log in through multi-factor authentication, while other on-site employees sign in with a username and password. On-site employees are also given a keycard out of convenience, but they don’t need it to log in.

Lacy believes the “realm” of necessary multi-factor authentication is increasing, and Gallagher says the industry is slowly adopting the technological means to account for the new threats. According to the ONC report, medium and large hospitals, as well as small urban hospitals, claim the highest rate of two-factor capability, while critical access and small rural hospitals report lower rates.

“You have physicians and other employees who may work at multiple sites and for multiple organizations; you have to train people, you have user resistance,” Gallagher says. “Those kinds of things are challenging but I do see them taking that on.”

Lacy is a fan of token-based methods that use “something you have” like the employee’s cell phone, which he says reduces attacks by an “extraordinarily high amount,” taking the number of cybersecurity incidents “from lots to very, very few, if any.” He adds, “I don’t feel like it needs to work in every instance to be useful.”

As the tech sector moves further into biometric authentication — which identifies a user by “something they are,” like a fingerprint or an eye scan — different vulnerabilities are introduced while others are eliminated. “Obviously multi-factor related to an immutable characteristic of a person, like an iris print or a thumbprint, has a different set of vulnerabilities than one that isn’t immutable,” Lacy says. “A stolen phone is different than a stolen thumbprint, but it’s easier to steal a phone than a thumbprint.”

While multiple advocacy organizations and legislative bodies are pushing for mandatory adoption of multi-factor authentication, hackers are already at work trying to find the soft spots in new software.

“Any time new defenses are put into place, they work on ways to do that,” Gallagher says. “I think a lot of the technologies that are out there represent pretty strong authentication. So I think in terms of whether there are residual vulnerabilities there. I think we need to focus instead on the reduction of vulnerabilities between username and password, and then two-factor.”

© 2016 by Atlantic Information Services, Inc. All Rights Reserved.
