How healthcare is tackling ever-rising cyber threats
With improvements to healthcare services so reliant on the adoption of digital services, what can the sector do to ensure that security doesn’t become just a box-ticking exercise?
Healthcare is one of the industries most highly targeted by cyber criminals. At the same time, as services have ramped up during the Covid pandemic, the sector has found itself increasingly having to fend off cyber attacks such as large-scale ‘password spraying’ campaigns. As the sector continues to innovate, widen access to healthcare through remote and virtual services, and support greater exchanges of electronic health information, the cyber threat landscape is only set to broaden.
Healthcare institutions and organisations face a unique set of challenges when it comes to making access to systems, data and devices more secure. Legacy systems, mergers, shared devices, mobile restrictions and non-employee providers all contribute to creating an even more complex digital landscape. Additionally, pharmaceutical and healthcare organisations are due to face upcoming regulatory changes focusing on wide-scale cyber-security standards, which are likely to overhaul industry-wide security practices. For example, as detailed in the 2022 UK National Cyber Strategy, operators of essential services – including health organisations – will need to comply with the requirements listed in the Network and Information Systems (NIS) regulations.
Alternative security methods such as multi-factor authentication (MFA) and passwordless solutions have proved to be far superior options for business-wide protection. Although passwords and one-time passcodes (OTPs) are better than no security measures at all, it is clear that, used alone, these methods can no longer meet the requirements of current cyber-security practices. In 2019, UCSD, Google and NYU published a report focusing on 350,000 attempts to steal credentials. Its findings revealed that a push app blocked only 90 per cent of targeted attacks, while an SMS-based OTP blocked just 76 per cent.
However, implementing MFA solutions is not an easy transition to make for organisations just wanting to fill their security gaps and only looking to meet regulatory requirements. There is no one-size-fits-all process for any organisation to follow, and not all MFA solutions are created equal. It is a process that must be well thought out to address both security and the user’s needs throughout the business. This can include the handling of sensitive patient information and monitoring authorisations into restricted areas.
Modern authentication must be more than just strong; it should also be user-friendly and simple to implement. However, many healthcare organisations see user experience as a major challenge to executing a solution at full scale. Secure passwordless authentication methods can resolve this issue, as they are user-friendly and can bridge the gap of user authentication both inside and outside the organisation. Passwordless authentication can be used in the form of mobile two-factor authentication (2FA), smart cards, biometric authenticators and security keys.
There are several key aspects of MFA that can affect user experience, and which healthcare organisations should take into consideration when deciding which method to use. Restricted access is a key consideration, both in terms of handling sensitive patient information and in terms of physical limitations – for example, within a GP surgery or at a call centre. Stakeholders may also want to think about whether non-employee providers will be granted restricted access too.
Administrative supervision and the role of IT support should be established long before the solution is implemented, and must be agreed by both departments. For example, it must be determined if and when passwords will still be necessary, how many authentication steps will be required, and what should be done if factors of the solution are lost or stolen.
With record highs of cyber threats targeting the healthcare industry each year, cyber security is more important than ever. Organisations must do much more than just check a compliance box. Implementing cyber security without proper consideration can leave an organisation susceptible to possible data breaches and to employees resisting new security procedures. When the implementation is well thought out and appropriately planned, healthcare organisations can enjoy the benefits that come with a modern authentication solution and receive a true yet effective security experience.
Nic Sarginson is principal solutions engineer at Yubico.