Healthcare Cybersecurity and the Human Factor: Using Risk-Based Authentication that Considers Behavioral Factors


Healthcare Risk-Based Authentication

In the healthcare industry, a lot of energy goes into driving practitioner efficiency and making patient data easier for clinicians to access. But is enough focus being put on security and protecting patient data?

News headlines indicate the answer is a resounding no. There have been a slew of notable healthcare breaches in recent years.

For example, in 2017, Pacific Alliance Medical Center announced that several computer systems in its network had been breached by a ransomware attack, resulting in the attackers gaining access to the protected health information (PHI) of over 266,000 patients.

Similarly, Airway Oxygen, a Wyoming, Michigan based home equipment supplier, experienced another ransomware attack affecting the data of 500,000 individuals.

Furthermore, in January of this year, Onco360 and CareMed announced that a hacker had breached the PHI of over 53,000 patients using a phishing attack to trick employees into giving up their login credentials.

Which Authentication Methods are Recommended for Different User Scenarios?  Download Guide»

As you can see, many data breaches in healthcare are ultimately the result of human error. All too often, healthcare employees lack the training, awareness, and sense of urgency to handle common privacy and security threat scenarios.

To effectively protect your organization, you have to deal with the “human factor” by minimizing the risk of human error. Risk-based authentication (RBA) can do just that by taking behavioral factors into account in order to increase security, without impacting usability.

How Healthcare Employees Put Their Employers at Risk

There’s a high level of digital security risk in the healthcare industry, and often that risk comes from or is exacerbated by healthcare employees themselves.

A recent study published by MediaPro, a security awareness and compliance training company, illustrates the extent of the problem. The study found that 37 percent of healthcare employees pose an outright risk to their organizations, meaning their actions could cause a breach of privacy or a security incident. Another 41 percent fall into the novice category—they possess a basic knowledge of digital security practices, but they have a lot more to learn.

Phishing Emails

In the study, researchers found that 24 percent of doctors couldn’t identify a phishing email—a number three times higher than non-physicians. That statistic becomes even more sobering when you take into account the high levels of network privileges that doctors have. Privileged accounts are prime targets for phishing attacks—Forrester estimates that they are involved in 80 percent of security breaches.

Malware and Ransomware

Malware and ransomware are also major security threats to healthcare providers. As continuity of service is critical in healthcare, when a ransomware attack occurs, hospitals often cave into the pressure to pay the cybercriminal for the decryption key, in order to re-access patient information. This makes healthcare an attractive target for cybercriminals.

In fact, HIMSS Analytics found that 78 percent of healthcare providers have experienced a ransomware or malware attack in the past 12 months, while 43 percent of large healthcare providers experienced 16 attacks or more. These are alarming statistics considering that the MediaPro study found that 24 percent of physicians have trouble identifying a handful of common signs of malware.

Mobile Technology and Working Remotely

Employees in healthcare organizations have a tendency to engage in risky behaviors when using mobile technology or working remotely. 26 percent of respondents in the MediaPro study logged on to an unprotected, public Wi-Fi network to complete work tasks. And, when presented with scenarios involving storing company data or files on personal cloud-based storage and sending work documents via personal email, 18 percent chose actions that put their organization at risk.

Why One-Size-Fits-All MFA Doesn’t Work

Even if you have the best digital security policies in place, single-factor authentication isn’t enough. It provides a central point of attack, and even the best training can’t prevent all human error.

Most IT teams in the healthcare industry are aware of practitioners’ lack of security knowledge or awareness. Yet, many still opt for one-size-fits-all multi-factor authentication (MFA) solutions that require the same form of additional authentication for every login.

MFA requires additional layers of security, which can become a frustrating burden for clinicians who need quick, easy access to patient data. That frustration can lead to unsafe workarounds, such as remaining logged in, sending files to personal email accounts, writing down passwords, downloading data onto external drives or memory sticks, logging onto the network from an insecure WiFi connection, and sharing passwords with colleagues.

The reality is that although most employees want to be helpful and security-minded, there’s a limit to that desire. When security measures are overly disruptive or seem unnecessary, user adoption will be low (and therefore problematic).

Risk-Based Authentication Looks at Contextual AND Behavioral Factors

Not only is each login scenario different—each individual logging in is different. You need an MFA solution that adds security without impacting usability by taking both contextual and behavioral factors into account.

That’s where risk-based authentication (RBA) comes in. RBA calculates a risk score in real time for any access attempt. The score is based upon predefined rules and is weighed against the risk threshold for a given system. The user is then presented with authentication options appropriate for the level of risk that he or she presents.

With RBA, additional authentication is only required for login attempts that are deemed to be high risk, so that users aren’t unnecessarily burdened. This is critical in healthcare environments where clinicians need to efficiently access patient records.  

RBA looks at a number of factors, including contextual (the type of device, the user’s location, the time of day, and so on), application or data sensitivity, and the number of login attempts. Equally important, RBA can also take into consideration the human factor, by looking at personal characteristics and behavioral factors.

Personal characteristics include attributes, such as a user’s role in the organization and how long he or she has worked there. For example, is the person a full-time doctor, a part-time surgical technician, or a third-party contractor?

Behavioral factors take into account the fact that individuals pose varying levels of risk. As illustrated in the MediaPro study, some individuals are more likely to take high-risk actions or not recognize the signs of a threat. With RBA, you can automatically require additional authentication for these high-risk individuals, such as users who have had prior security incidents, received lower scores on internal security exams, missed taking the exams entirely, or fallen victim to internal phishing tests.

Protect Your Healthcare Organization with Risk-Based Authentication

Cyber attacks targeting healthcare are on the rise, and they’re becoming increasingly sophisticated. This fact, combined with many healthcare employees’ lack of awareness and training to handle threat scenarios, is a recipe for a breach.

To minimize this risk, healthcare providers account for the human factor. Risk-based authentication does this by taking MFA one step further to account for behavioral factors, reducing opportunities for human error, without impacting usability and productivity.

How is your healthcare organization tackling compliance, cybersecurity, and the Digital Transformation? Download this whitepaper to learn how to address these industry-specific challenges


Subscribe Here!