Is The Healthcare Industry Anywhere Near Ditching the Password?

A new report from security firm Duo Labs suggests that standard authentication practices may be shifting beyond the password, though it does not predict which industries will move most quickly in that direction.

To conduct its research, Duo analyzed data from nearly 24 million devices from across its customer base, including more than 1 million applications and services and roughly half a billion authentications per month.

As part of the research, Duo looked at the authentication methods its customers in several industries used. Among healthcare providers, it found that 60% use the vendor's own Duo Push, 20.9% use phone call-based methods, 12.7% use mobile passcodes, 4.0% use SMS passcodes and 1.7% use hardware tokens.

These numbers come against a backdrop in which most Android devices are still out of date (58%) and Edge is the browser most frequently found out of date (73%). Meanwhile, other shifts in the security environment continue to emerge, including a growing emphasis on remote and mobile work and a sharp increase in the use of cloud apps, with cloud integrations up 56% year over year.

Duo researchers also found that over the last four years, its customers have gradually begun to use biometric options as a second authentication factor, with most devices used by Duo customers supporting this approach. Researchers found that 77% of the devices used by its customers came with biometric capabilities, including Apple Touch ID and Face ID, Android fingerprint sensors and Windows Hello.

One conclusion Duo draws from all of this is that U.S. enterprises are headed towards a future in which passwords are dropped entirely. The researchers suggest that in this post-password future, it will become more common to support secure authentication using public-key cryptography, in which the user's device holds a private key and the server stores only the matching public key, so there is no shared secret to steal from a breached database or to hand over to a phishing site. They also expect fingerprint and facial authentication capabilities to get considerably more use.
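To make the public-key model concrete, the following is an added illustrative example, not code from the Duo report or from this article. It shows a minimal challenge-response login in Go: the server stores only an Ed25519 public key, issues a random one-time challenge, and verifies the device's signature over the challenge bound to a relying-party identifier. The relying-party name, the user name and the use of Ed25519 as a stand-in for a FIDO2/WebAuthn authenticator are all assumptions made for the example. The flow also demonstrates two checks a practitioner will want: a replayed signature is rejected because the challenge is consumed, and a signature produced for a different site is rejected because the site identifier is part of the signed message.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical relying-party identifier; assumed for this example only.
const rpID = "ehr.example-hospital.test"

// Server stores only public keys and outstanding one-time challenges.
// No password hash or shared secret ever exists on this side.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte // user -> pending challenge
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the user's public key (registration ceremony).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedMessage binds the challenge to the relying party, so a signature
// obtained by a look-alike site cannot be replayed against the real one.
func signedMessage(rp string, challenge []byte) []byte {
	return append([]byte(rp+"\x00"), challenge...)
}

// Verify checks the signature against the stored key and the pending
// challenge, consuming the challenge so it is single-use.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	pending, ok := s.challenges[user]
	if !ok || !bytes.Equal(pending, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	delete(s.challenges, user) // one-time use: a replay fails here
	if !ed25519.Verify(pub, signedMessage(rpID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Authenticator is the device side; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Public() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge for the relying party the device believes it is talking to.
func (a *Authenticator) Sign(rp string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(rp, challenge))
}

// RunFlow registers a constructed user, logs in once, then shows that a replayed
// signature and a signature made for a different relying party are both rejected.
func RunFlow() (loginOK, replayRejected, wrongRPRejected bool, err error) {
	srv := NewServer()
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	srv.Register("dr.smith", auth.Public()) // constructed user name

	c, err := srv.Challenge("dr.smith")
	if err != nil {
		return
	}
	sig := auth.Sign(rpID, c)
	loginOK = srv.Verify("dr.smith", c, sig) == nil
	replayRejected = srv.Verify("dr.smith", c, sig) != nil // challenge already consumed

	c2, err := srv.Challenge("dr.smith")
	if err != nil {
		return
	}
	sig2 := auth.Sign("evil.example.test", c2) // phishing site asked for a signature
	wrongRPRejected = srv.Verify("dr.smith", c2, sig2) != nil
	return
}

func main() {
	ok, replay, wrongRP, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Println("login:", ok, "replay rejected:", replay, "wrong RP rejected:", wrongRP)
}
```

The two rejection cases are the point of the design: because the server never holds anything that can authenticate the user on its own, a database breach exposes only public keys, and because the signed message names the relying party, a credential harvested by a phishing page does not work against the legitimate service.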

The question, then, is whether healthcare organizations are best served by following in the footsteps of other industries or creating a long-term standard for authentication unique to their own needs. When I read about the many ways in which biometrics and public key options can be used to secure data, I’m optimistic that we can get there, but I don’t know whether there’s even a consensus among health IT cybersecurity pros that we should do so just yet.

It’s not that we shouldn’t challenge the status quo. Of late, it seems that many healthcare leaders haven’t been pushing hard enough to address even known threats to data security. As some of you will know, I’ve written up survey after survey suggesting that we still have a big problem with cyberattacks, but cybersecurity remains underfunded in most healthcare settings.

On the other hand, given the particularly sensitive nature of healthcare data, nobody wants to lead the pack in security innovations either. While the password-based logon may be dying, it’s likely to eke out an existence in healthcare circles for quite some time to come.

About the author

Anne Zieger


Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

1 Comment

  • Very interesting article. At Intercede we are actively working with a number of US healthcare providers whom we have helped go passwordless. This has been achieved through the adoption of strong two-factor authentication using cryptographically protected credentials through public key infrastructure (PKI). We’re certainly finding that healthcare providers are interested in tapping into experience from other sectors, such as aerospace and defense, to build out a secure, user-friendly digital identity system.
