As a healthcare professional, you already know how important data security is for patients, staff and the enterprise as a whole.
Healthcare organizations are stewards of the most private and sensitive information imaginable, including patient health records and financial information, care plans, staff HR and payroll records, staffing and training schedules, controlled substance prescriptions, and much more. And beyond the risk of data theft that hurts individual patients and practitioners, there are highly sophisticated hacker organizations all over the world dedicated to extorting entire organizations and sowing chaos for providers and patients alike.
As much as $5 trillion will be lost to hacking and data breaches by 2024. By one estimate, every record breached costs healthcare organizations an average of $614. But it's not just criminals you need to worry about. Complying with audit requirements for HIPAA, EPCS, GDPR and other regulations can be burdensome in itself, and violations can be costly.
Passwords are the historical (or should we say, old-fashioned) way of authenticating users to protect data and enable organizations to track who has accessed which systems. But as everyone knows by now, passwords are notoriously insecure. They are easy for bad actors to steal, guess by brute force, or simply buy. More than 2 billion username/password pairs were breached in 2021 alone, and the danger has only escalated since then.
What is less understood is how passwords themselves rob the organization of time and resources. Password management is expensive, with a typical labor cost of $70 for each password reset. Healthcare workers have to log in an average of 70 times each day, every day. With all the effort of resetting, memorizing and repeatedly entering passwords, clinicians waste as much as 45 minutes every shift, time that could be more usefully and profitably spent caring for patients.
If passwords are so bad, what are the alternatives?
SMS authentication. One alternative is to supplement passwords with a code sent by SMS text message. By now, almost everyone is familiar with the process: You log in with your usual password, but the login screen prompts you to enter a “one-time password” or OTP that is sent to one of your known accounts. Entering the code provides a second authentication factor that reduces the risk that a criminal is impersonating you.
One downside of SMS authentication is that the process is extremely cumbersome. You need to have your smartphone with you, wait for the OTP to arrive, open your text application, and enter the OTP correctly or risk being locked out. All of this means that logging in can take four or five times as long as entering a username/password alone. That’s time healthcare providers can’t spare.
Worse, SMS authentication provides a false sense of security. The truth is, SMS is vulnerable to many hacking methods, including man-in-the-middle attacks, social engineering, SIM swapping and more. More than 30 years old, the SMS protocol isn’t even encrypted.
Passwordless, tap-and-go identity authentication. For several years, forward-thinking healthcare organizations have been using employee ID badges not only for physical access to the building but also for logical access to workstations, medical devices and health records. The same concept has also been extended to medication and supply dispensing, visitor management, secure printing, time and attendance, cashless cafeteria and other applications, including single sign-on across all use cases.
Authentication is simple, fast and secure. Users simply tap their credential—typically a contactless smart card—on a credential reader that can be placed on the desktop, mounted to a surface, attached to a notebook or tablet, or even embedded within medical devices such as dialysis machines, radiology systems, carts on wheels and more. Today, digital credentials are also available that allow users to authenticate by simply waving their Bluetooth® Low Energy or NFC-enabled smartphone over a mobile reader.
The reader passes user identity information on to authentication software offered by a partner such as Imprivata, AuthX or ForgeRock, specializing in the management of digital wallet security for healthcare. In addition to login information, smart cards and mobile credentials can provide detailed information about user roles and permissions for healthcare systems and business applications throughout the enterprise—such as Imprivata, Cerner, Workday and others—supporting sophisticated single sign-on structures while greatly simplifying management and providing audit trails.
Unlike passwords and SMS messages, smart cards and mobile credentials are virtually unhackable. They’re also much harder to steal. Password theft may go undetected, but the theft of a physical or mobile credential is likely to be noticed and its permissions revoked immediately.
Passwordless authentication is far more secure, and—best of all from each user’s point of view—far quicker and easier than dealing with passwords. It’s literally tap-and-go.
Multi-factor authentication. MFA requires the user to present two (or more) proofs of identity. The difference from SMS authentication is that the multiple factors—knowledge, possession and/or biometrics—are owned by and under the control of the user, and are never transmitted in a manner that could be subject to interception, phishing or the other vulnerabilities of a text message. Properly implemented, multi-factor authentication reduces the risk of successful attacks by 99.9%.
Passwords and PINs can actually be useful as a knowledge factor when combined with a possession factor, such as an ID badge or mobile credential, or a biometric authentication factor such as a fingerprint, facial recognition, or speech recognition. It’s also possible to do away with passwords altogether in an MFA implementation.
For example, facial recognition or a fingerprint (biometric) can be used to unlock a mobile credential (possession). Or, a combination biometric/physical/digital credential reader can provide nearly instantaneous multi-factor authentication with a quick touch of a finger and tap of a card or smartphone.
What’s the best way forward?
If you’re still relying on passwords as a single authentication factor, stop. Physical credentials—such as the smart card-based ID badges your staff probably already has—provide a far more secure means of healthcare access control.
If you’re already authenticating via ID badges, think about how you can make the system even more secure for your organization and more productive for your users. Single sign-on and multi-factor authentication are key technologies.
Also consider ways to future-proof your security solution as new credentials become available and new threats emerge. rf IDEAS can help you achieve a more productive, truly secure healthcare enterprise, today and tomorrow.