Managing authentication in a world of fraud: It takes more than passwords

Reliance on user IDs and passwords has put many organizations in a bad place. But more complex, secure and usable solutions exist to ensure individuals accessing a system are indeed who they say they are, says cybersecurity expert Mansur Hasib.
By Bill Siwicki
12:10 PM

Healthcare organizations are increasingly the targets of malicious hackers, and that means healthcare executives must first and foremost make sure that the individuals they are allowing to access their data are indeed the individuals they say they are. Today, it is not too difficult for a hacker to masquerade as a legitimate user in order to gain access to confidential and valuable information.

“It is important for every organization to understand that the whole principle of confidentiality means the right people have access to information and the wrong people do not have access to information,” said Mansur Hasib, program chair for cybersecurity technology at The Graduate School at the University of Maryland University College and author of the book “Cybersecurity Leadership.” “When you think about protected health information, you must have a need to know to gain access; if you do not, you should not have access.”

Authentication is the mechanism by which a system user proves he or she can legitimately gain access to information: before a system grants access to a user, it must know that the person is authorized to access the data.

Learn more at the Privacy & Security Forum in Boston Dec. 5-7, 2016.

“Very simply, in order to prove that you have the right to information, you have to provide authentication credentials, and the simplest form is a user ID and password,” Hasib said. “You can also do biometrics, all kinds of things. But we’re often using weak authentication mechanisms, like a user ID and password – if someone knows my user ID and password, that’s it, I’m done, they can get in as me.”

The user ID and password mechanism has been a problem not just for healthcare but for all industries, Hasib added, and what makes the problem worse is that the user ID and password mechanism is usually the default protection with any system.

“They just leave things at the user ID and password, and when a hacker hacks into a system, all the hacker has to do is record keystrokes to access user IDs and passwords,” he explained. “Hackers will download something on your machine that records and reports your keystrokes, so when you type in a user ID and password, once you do that, that’s it, you’re gone. It doesn’t matter how long and complex your password is once a hacker has recorded it.”

Hasib said the same goes for biometric authentication mechanisms.

“If your authentication system is biometric, for example, and you store that information on your computer, and that is stolen, then someone can pass on that data and authenticate as you,” he said.

So what is the future of authentication in healthcare and other industries? More complex, foolproof technologies, Hasib said.

“But just because you make a system complex doesn’t necessarily make it foolproof,” he said. “Authentication needs to be something where even if someone steals it, it cannot be used. Some people use one-time passwords. These are where you get a token and it temporarily issues a password for a minute, so on your screen you put that in, and once you use that password you can never use it again. All kinds of mechanisms are possible, but essentially it needs to be more secure and thought out more carefully.”

Even a better, more complex, more secure authentication mechanism, however, cannot place too many barriers in front of system users, Hasib added.

“IT professionals, when they develop authentication systems, often think about the complexity and security but don’t often think about the usability,” he said. “That needs to be balanced. The key is to create things that are simple but very strong so hackers cannot just record your keystrokes and pass them on.”


Hasib will speak at the Privacy & Security Forum.