Risk management firm LexisNexis Risk Solutions, in conjunction with Information Security Media Group (ISMG), recently announced the results of an online survey they conducted to identify current trends in healthcare cybersecurity. The survey is based on responses from more than 100 participants working within healthcare organizations, including hospitals, physician group practices and payers. The survey was conducted over the spring of 2019.
The takeaway? That’s simple: healthcare organizations appear to be overconfident when it comes to their ability to protect patient data.
The survey report, The State of Patient Identity Management, sought to identify healthcare organizations’ cybersecurity strategies, current best practices in patient identity management and how they plan to invest in the future to improve their current security posture. The survey found that healthcare organizations have a very high level of confidence in their perceived preparedness. Paradoxically, most of those surveyed had only basic user authentication methods in place.
The survey found:
- 58% believe that the cybersecurity of their patient portal is above average or superior when compared to other patient portals
- 93% use username and password as the patient portal authentication method
- 65% report that their individual state budgets for patient identity management will not increase in 2019
- 65% deploy multifactor authentication
- 39% use a knowledge-based Q&A for verification
- 38% use email verification
- 13% deploy device identification
The report authors cited three primary takeaways from their survey:
Traditional authentication methods are insufficient: As a result of the many healthcare data breaches, hackers have access to legitimate credentials, and users are also easily phished. Therefore, traditional username and password verification is considered an entry point, not a barrier, and alone cannot be relied upon to provide a confident level of security.
Multifactor authentication should be considered a baseline best practice: HCOs should rely on a variety of controls, ranging from knowledge-based questions and verified one-time passwords to device analytics and biometrics to authenticate users based on the riskiness of the transaction. The riskier the access request is, the more stringent the authentication technique should be.
The balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy: HCOs need to make it easy for patients and partners to access records while ensuring adequate data protection. To do this, an HCO's cybersecurity strategy should layer low- to no-friction identity checks up front, making it easier for the right users to get through, and layer more friction-producing identity checks on the back end that only users flagged as suspicious would have to complete.
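The two recommendations above (match the authentication strength to the riskiness of the transaction, and keep the front door low-friction while stepping up only suspicious sessions) describe a risk-based step-up policy. The following is an added illustration written for this article, not code from LexisNexis, ISMG or the survey report. The action weights, signal weights and thresholds are assumptions chosen for the example; the signals themselves (known device, new location, recent failed logins, credential seen in a public breach corpus) are stand-ins for whatever a real portal can observe.

```python
"""Risk-based step-up authentication policy for a patient portal (illustrative)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # every required factor has been presented
    STEP_UP = "step_up"    # challenge the user for the listed extra factors
    DENY = "deny"          # too risky to resolve with automated challenges


@dataclass(frozen=True)
class AccessRequest:
    user: str
    action: str                         # portal operation being attempted
    known_device: bool                  # device fingerprint seen before for this user (assumed signal)
    new_location: bool                  # geography never seen for this user (assumed signal)
    failed_logins_24h: int              # failed attempts against this account in the last day
    credential_in_breach_corpus: bool   # password appears in a public breach dump (assumed signal)


# Transaction sensitivity: the riskier the action, the higher its base weight (constructed values).
ACTION_WEIGHT = {
    "view_appointments": 0,
    "change_contact_info": 2,
    "download_records": 4,
}
UNKNOWN_ACTION_WEIGHT = 4   # fail closed: an action the policy does not know is treated as sensitive


def risk_score(req: AccessRequest) -> int:
    """Sum transaction sensitivity with session signals into a single risk score."""
    score = ACTION_WEIGHT.get(req.action, UNKNOWN_ACTION_WEIGHT)
    if not req.known_device:
        score += 1
    if req.new_location:
        score += 1
    if req.failed_logins_24h >= 5:
        score += 2   # looks like guessing or stuffing against this account
    if req.credential_in_breach_corpus:
        score += 3   # a leaked password proves nothing on its own
    return score


def required_factors(score: int):
    """Map a score to the factor set the session must satisfy; None means deny outright.

    Low scores keep the front door low-friction (password only); higher scores add
    friction-producing checks on the back end, as the report recommends.
    """
    if score >= 6:
        return None
    if score >= 4:
        return ["password", "otp", "device_check"]
    if score >= 2:
        return ["password", "otp"]
    return ["password"]


def evaluate(req: AccessRequest, presented_factors) -> tuple:
    """Decide whether to allow the request, step up, or deny.

    Returns (Decision, missing_factors). Missing factors are what the portal should
    challenge for next, so a legitimate user is only asked for more when risk warrants it.
    """
    needed = required_factors(risk_score(req))
    if needed is None:
        return Decision.DENY, []
    missing = [f for f in needed if f not in presented_factors]
    if missing:
        return Decision.STEP_UP, missing
    return Decision.ALLOW, []


if __name__ == "__main__":
    # Constructed sample sessions for the same patient account.
    routine = AccessRequest("patient-42", "view_appointments", True, False, 0, False)
    roaming = AccessRequest("patient-42", "view_appointments", False, True, 0, False)
    download = AccessRequest("patient-42", "download_records", True, False, 0, False)
    leaked = AccessRequest("patient-42", "change_contact_info", False, False, 0, True)
    for name, req in [("routine", routine), ("roaming", roaming),
                      ("download", download), ("leaked", leaked)]:
        print(name, risk_score(req), evaluate(req, {"password"}))
```

The point of returning the missing factors rather than a bare yes/no is that the portal can chain challenges: a password alone clears a routine appointment lookup from a known device, the same lookup from an unfamiliar device in a new region is asked for a one-time code, a records download always requires the full set, and a session using a password that is already circulating in breach data is refused rather than negotiated with.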
"There are some surprises in the results, particularly the higher than expected confidence that organizations have in regard to the security of their patient portal and telemedicine platforms given that only 65% deploy multifactor authentication," said Erin Benson, director, market planning, Healthcare, LexisNexis Risk Solutions, in a statement. "Multifactor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn't catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users."
As we’ve covered, the healthcare industry remains a cybersecurity laggard and continues to be a prime target for cyber attacks. As Razvan Muresan wrote, “Indeed, according to a survey conducted early in 2018 by HIMSS, a non-profit global advisory organization supporting the transformation of health through the application of information and technology, most healthcare organizations had experienced a significant security incident in the previous 12 months.”
The most recent Beazley Breach Insights Report found that healthcare organizations, at 41 percent, suffered the highest number of data breaches of any business sector. According to the Beazley findings, the breaches were caused by direct hacks or malware infections, with some due to human error, such as falling for a phishing attack.
So, for those 59% who believe that the cybersecurity of their patient portal is above average or superior compared to other patient portals, it’s just as likely that their organization, along with most healthcare organizations, still has a long way to go before it could be considered reasonably secure.