Back in the old days – say, a whole 10 years ago – thieves had to be physically inside a healthcare facility to steal patient information. How times have changed.
Now, with patient information reachable over the Internet and online security best practices applied inconsistently, we are making things much easier for attackers. The proof is in the data. Gartner research estimates that close to 40 million health care records have been breached to date, and that is likely a low figure, given that breaches affecting fewer than 500 individuals are not publicly reported the way larger ones are.
Avivah Litan, cybersecurity analyst at Gartner, told the Associated Press after the Anthem hack, "The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information."
This severe security lag costs healthcare organizations credibility and client trust, on top of the immense financial cost of the attacks themselves.
There are several ways in which the health care industry needs to improve security measures, but what huge breaches such as those at Anthem, CareFirst and Premera have taught us is that passwords alone are not enough to protect online health care information. We need consistent use of two-factor authentication.
That extra layer of security on top of traditional passwords must become the new norm. Otherwise, we are almost guaranteed to see more attacks, as evidenced by the more than 1 million records compromised in the recent hack of CareFirst Blue Cross Blue Shield. Attackers know that the right technique, combined with a clever phishing campaign, can coax individuals into revealing administrative passwords, and with them the valuable medical records and patient data those passwords unlock. With a second factor in place, a phished password alone is no longer enough to get in.
One of the best ways to implement two-factor authentication is with digital certificates on every piece of equipment that accesses patient data. The private key behind the certificate can live on a hardware token plugged into the device, or in the device's trusted platform module (TPM), a hardware chip that keeps the key from being copied off the machine. Before any device is assigned a certificate, the Certificate Authority that issues it can personally verify the device's unique identifier and the administrator responsible for its operation. That identity binding ties each certificate to a known device and a named, accountable person, which is what lets access be limited to authorized individuals and systems.
Each time access to patient data is requested, the certificate is validated again: it must chain to a CA the organization trusts, be within its validity period and not have been revoked, so a decommissioned device or a departed employee can be cut off by revoking the certificate. The private key then proves possession of the certificate during the TLS handshake, establishing an encrypted channel (mutual TLS) through which the data is viewed. Together these checks give good assurance that only authorized users and devices reach the networks and data they are permitted to use.
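To make the validation and channel-setup steps above concrete, here is an added example in Go (not code from the original article or from any vendor); Go is used because mutual TLS and X.509 issuance are both in its standard library. It builds a hypothetical hospital CA, an EHR server certificate and a workstation certificate, then runs a client-authenticated TLS handshake on the loopback interface. The names ehr.hospital.example, ward-7-workstation-01, "Hospital Internal CA" and "Unrelated CA" are constructed for the example. The enrolled workstation is admitted and its identity is read from the verified certificate; a client with no certificate (password only) and a client holding a certificate for the same device name but issued by an unrelated CA are both refused before any application data flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName, deviceName = "ehr.hospital.example", "ward-7-workstation-01" // hypothetical, constructed names
func must(err error) { // setup failures (key generation, signing, sockets) abort the example
	if err != nil {
		panic(err)
	}
}
// issue mints a P-256 key and an X.509 certificate for cn signed by parent (self-signed root when parent is nil). Both EKUs are set to keep the helper short; a real CA grants one role per cert.
func issue(cn string, isCA bool, san []string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: san, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pki: the hospital CA the EHR server trusts, the server's own cert, an enrolled workstation, and a cert for the same workstation name from an unrelated CA.
type pki struct {
	trusted               *x509.CertPool
	server, device, rogue tls.Certificate
}

func buildPKI() *pki {
	ca := issue("Hospital Internal CA", true, nil, nil)
	otherCA := issue("Unrelated CA", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &pki{
		trusted: pool,
		server:  issue(serverName, false, []string{serverName}, &ca),
		device:  issue(deviceName, false, nil, &ca),
		rogue:   issue(deviceName, false, nil, &otherCA),
	}
}

// authenticate runs one mutual-TLS handshake against an in-process EHR server on loopback. The server accepts only a client
// certificate that chains to the hospital CA, is inside its validity window and carries the client-auth EKU, and returns the
// device name from that verified leaf; clientCert == nil models a workstation with nothing but a password to offer.
func authenticate(p *pki, clientCert *tls.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	var cn string // written by the server goroutine before it signals on done
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{p.server}, ClientCAs: p.trusted, MinVersion: tls.VersionTLS12,
			ClientAuth:   tls.RequireAndVerifyClientCert, // no verified certificate, no session
		})
		if err = srv.Handshake(); err == nil {
			cn = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		done <- err
	}()
	cfg := &tls.Config{RootCAs: p.trusted, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if clientCert != nil { cfg.Certificates = []tls.Certificate{*clientCert} }
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	must(err)
	defer raw.Close()
	// A TLS 1.3 client can finish before the server rejects its certificate, so report the server's verdict.
	_ = tls.Client(raw, cfg).Handshake()
	err = <-done
	return cn, err
}

func main() {
	p := buildPKI()
	for _, c := range []*tls.Certificate{&p.device, nil, &p.rogue} { // enrolled, password-only, unrelated CA
		fmt.Println(authenticate(p, c))
	}
}
```

Run it with `go run` to see the three verdicts. One caveat: Go's TLS stack checks the chain, validity period and key usage but does not consult a CRL or OCSP responder on its own, so the revocation step described above has to be added, for instance with a `VerifyPeerCertificate` callback that rejects serial numbers on the organization's current revocation list.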
The result? Health care organizations are better protected from both internal and external threats, and patients can trust that their information will be protected even if access to it is being provided over an open network like the Internet. This way, we achieve the convenience of Internet access yet with appropriate security controls. The amount of detailed personal data in medical records can be staggering, and that's why it's so highly sought after by people with bad intentions.
As the federal government contemplates steps to strengthen consumer data protections, the healthcare sector needs to decide whether to self-regulate or be regulated. It's time for health care to demonstrate a stronger commitment to patient privacy and security by taking the lead on standardized identity authentication and encryption, and on the consistent application of multi-factor authentication.
We have the tools with technology like digital certificates and multi-factor authentication. We just need to consistently use them to protect patients.