Not long ago, I shared the results of a survey concluding that healthcare organizations generally felt pretty confident about the state of their cybersecurity defenses, despite having had WannaCry wipe the floor with them just two years before.
Now, another survey has come out which underscores just how misplaced that confidence might be. The survey, which was conducted by LexisNexis Risk Solutions, found that most responding organizations had only basic user authentication methods in place to protect health data.
The research team, which also included the Information Security Media Group, found that 58% of 100 responding healthcare organizations believed that the cybersecurity measures protecting their patient portal were above average or superior when compared to other patient portals. As it turns out, though, they were probably wrong.
For one thing, 93% of the respondents said that they used usernames and passwords as the patient portal identification method. Meanwhile, 65% had deployed multifactor authentication, with 39% using knowledge-based Q&A for verification, 38% email verification, and 13% device identification.
According to LexisNexis, these numbers suggest that the responding organizations have some significant cybersecurity blind spots. (Of course, it has a reason to make providers feel insecure about their security measures, but let’s consider that a given.)
Given that hackers often have access to legitimate login credentials, healthcare organizations are relying far too heavily on traditional authentication methods, the survey report argues. “Traditional username and password verification are considered an entry point, not a barrier, and alone cannot be relied upon to provide a confident level of security,” the authors write.
Instead, providers should consider multifactor authentication to be a cybersecurity best practice, the report suggests. “HCO should rely on a variety of controls, ranging from knowledge-based questions and verified one-time passwords to device analytics and biometrics to authenticate users based on the riskiness of the transaction,” the authors say.
At the same time, they acknowledge that an effective cybersecurity strategy balances data protection with user experience needs. To strike the right balance, they argue, such strategies “should layer low to no-friction identity checks up front, making it easier for the right users to get through and layer more friction-producing identity checks on the back end that only users noted as suspicious would complete.”
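One way to turn that layered, risk-based policy into code, as an added example that is neither the post's nor LexisNexis's: a small Python step-up function that gives every user the low-friction password check and appends a one-time password and knowledge-based questions only as the risk score climbs. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    """Signals available at login. Field names are assumptions for this example."""
    password_ok: bool
    device_known: bool        # device analytics: this device has been seen for this account
    ip_country: str           # geolocation of the request
    usual_country: str        # where the account normally logs in from
    failed_attempts_24h: int  # recent failed logins against this account
    sensitive_action: bool    # e.g. downloading records or changing contact details

# Illustrative weights and thresholds (assumed, not taken from the report).
WEIGHTS = {"new_device": 30, "foreign_ip": 30, "brute_force": 25, "sensitive": 20}
STEP_UP_OTP = 30   # at or above: add a verified one-time password
STEP_UP_KBA = 60   # at or above: also add knowledge-based questions
DENY_AT = 100      # at or above: refuse the session and raise an alert

def risk_score(ctx: LoginContext) -> int:
    score = 0
    if not ctx.device_known:
        score += WEIGHTS["new_device"]
    if ctx.ip_country != ctx.usual_country:
        score += WEIGHTS["foreign_ip"]
    if ctx.failed_attempts_24h >= 3:
        score += WEIGHTS["brute_force"]
    if ctx.sensitive_action:
        score += WEIGHTS["sensitive"]
    return score

def required_checks(ctx: LoginContext) -> list[str]:
    """Return the ordered checks this session must pass, or ['deny'].

    The password is the low-friction front door for everyone. A known device in the
    usual country sees only that prompt; an unfamiliar device from another country
    must also complete an OTP and knowledge-based questions before getting through."""
    if not ctx.password_ok:
        return ["deny"]
    score = risk_score(ctx)
    if score >= DENY_AT:
        return ["deny"]
    checks = ["password"]
    if score >= STEP_UP_OTP:
        checks.append("otp")
    if score >= STEP_UP_KBA:
        checks.append("knowledge_qa")
    return checks
```

A routine login such as `LoginContext(True, True, "US", "US", 0, False)` yields `["password"]`, while a new device from abroad with several recent failures and a sensitive action is refused outright.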
Speaking as a patient, I have to say that most providers do seem to be erring on the side of using basic security protections for consumer-facing data. And I can see why, particularly if they want to have a chance of getting tech-averse seniors engaged with their portals and other digital health tools.
However, it’s beginning to look as though providers are erring too far on the side of keeping security (specifically user authentication) simple. Perhaps health IT leaders need to get tougher on the subject.