The following is a guest article by Steve Gwizdala, VP of Healthcare at Ping Identity
The healthcare security landscape has become an increasingly critical concern. According to the 2023 ForgeRock Breach Report, healthcare has consistently ranked as the most targeted industry by cybercriminals for the past five years. These relentless attacks come at a staggering cost, with the average healthcare breach reaching $10.93 billion according to IBM Security.
The primary cause of breaches is unauthorized access. The 2023 Verizon Breach Report further highlights vulnerabilities with the healthcare sector, identifying web applications as the number one attack vector. This is largely due to inadequate authentication methods. Internal actors are the second-leading cause of breaches in healthcare. This is mainly due to misuse, such as unintentionally compromising consumer credentials, Personal Identifiable Information (PII), and Personal Health Information (PHI).
The repercussions of healthcare breaches are far-reaching, encompassing financial losses, reputational damage, and legal liabilities for affected organizations. Most concerning, however, is the potential impact on patient health. The Ponemon Institute reveals that more than 20% of surveyed healthcare provider organizations report increased patient mortality rates following cyberattacks. Respondents also state that cyber attacks delayed procedures and tests and prolonged stays in healthcare facilities. Ransomware also leads to significant disruptions in patient care, with 64% of organizations reporting procedure or test delays as a direct result, and 59% citing extended patient stays.
Governments are starting to act in response to the growing amount of cyber threats in the healthcare industry. For example, New York Governor Kathy Hochul recently announced a statewide proposal that calls for healthcare facilities to strengthen and protect their networks, which are critical to providing patient care. This nation-leading proposal sets forth a blueprint to ensure New York stands ready and resilient in the face of evolving cybercrime.
The healthcare threat landscape underscores the critical importance of safeguarding patient data and protecting digital health ecosystems against cyber threats such as unauthorized access, account takeover (ATO), and internal misuse. Healthcare organizations must prioritize implementing robust identity security measures in 2024 to safeguard both their operational integrity and the well-being of their patients and consumers.
While implementing new identity security may seem daunting, the benefits are clear. The right digital identity solution can result in significant security improvements, cost savings, and consumer engagement.
For example, a recent Forrester Total Economic Impact (TEI) study of ForgeRock CIAM shows that over three years healthcare enterprises may achieve:
- $4.7M reduction in the impact of fraud
- 40% reduction in security-related calls to the call center
- 400% increase in customer engagement
To meet the sophistication of today’s cybercriminals and achieve these results requires some keystone identity security capabilities. One key tactic is using identity verification. This process involves verifying the identity of an end user to ensure their digital identity is tied to their real-life identity. There are several advantages to implementing this practice, the main one being that it gives greater assurance that users truly are who they claim to be from the beginning.
Another useful tool is CIBA and secure impersonation. As opposed to having callers answer weak authentication questions, client-initiated backchannel authentication (CIBA) enables front-desk, call-center, and help-desk representatives to authenticate callers with methods such as sending a prompt via a mobile app or text. CIBA also enables secure impersonation, which, upon an authentication prompt, allows consumers to shift temporary control of their account to another party, such as a call center agent, for a set period of time. Both of these security methods make it increasingly difficult for fraudsters to achieve their mission.
Artificial intelligence (AI)-powered threat protection also helps healthcare security leaders prevent account takeover (ATO) and fraud at all points of authentication. Overall, AI is used to analyze threat signals and anomalous behavior patterns and provides risk scores to assist in stopping bad actors from carrying out malicious attacks in real time. AI-informed risk scores can be incorporated into the design of call-center and help-desk journeys, allowing healthcare security leaders to remove unwanted friction and improve the experience of legitimate users.
AI should also be used for identity governance. Internal actors are the second-highest cause of healthcare breaches. Advanced identity platforms use AI to disrupt the traditional, static identity governance models used to grant workforce access by looking at an organization’s entire entitlement landscape. The solution then provides insights to make informed provisioning and governance decisions and identifies high-risk areas that may require more governance. This allows healthcare security leaders to significantly reduce the number of users that have access to materials that aren’t necessary.
Another way to better safeguard users and organizations is to implement authentication systems. This eliminates the need for a password during authentication using a variety of alternatives, such as passkeys and biometrics, or by gathering contextual authenticators such as device, IP address, or geo-location, among others. Additionally, multi-factor authentication (MFA) validates a user’s identity through multiple authentication mechanisms in addition to standard login credentials. These may include a push notification or biometrics, such as facial recognition or Touch ID, all of which are extremely beneficial methods that better protect users.
Lastly, continuous and contextual authentication is key to protection. This is due to the fact that predicting whether fraud is possible requires context. Advanced digital identity platforms offer a no-code identity orchestration engine that enables administrators to design authentication journeys for all users that detect anomalies both before and after authentication. Anomaly detection goes on behind the scenes and is invisible to legitimate users; their experience is not impacted at all. However, suspicious actors are required to provide added proof of their identity, which can often stop them in their tracks.
These enterprise-grade digital identity capabilities, listed above, can address risks and vulnerabilities to significantly improve security while enhancing end-user experiences. By implementing a few or even all of these practices, organizations can better protect their patients and themselves.
About Steve Gwizdala
Steve Gwizdala started his healthcare journey in 1988 in biomedical engineering working for Sutter Biomedical in postoperative continuous passive motion durable medical equipment. Since that time he has segued into enterprise software providing solutions ranging from supply chain operations, employee enablement, governance risk, and compliance and identity. Currently, Steve is responsible for the North American Healthcare and Life Sciences Vertical as well as the Central Region for Ping Identity serving as their Vice President.
