Are reports of breaches at health providers sending your blood pressure skyward? Straightforward, effective authentication is just what the doctor ordered!

We tend to associate authentication with the obvious things we want to protect, like the money in our bank accounts. Increasingly, consumers are also becoming aware of the inherent value of their personal email, social media interactions, and other account information – monetized as it now is on the black market. Few of them are yet aware of why the healthcare industry needs multi-factor authentication too. Where would you use it, and how would it work?

In the early 2000s, hospitals, treatment centers, and medical professionals started using electronic patient records owing to their accessibility and space-efficiency in comparison to paper records. Today, these systems are employed throughout the world; in some countries, like Norway, Denmark, the United Kingdom, New Zealand, and the Netherlands, penetration in general practices is over 95 percent. This seems like a win for everyone: centralized and detailed information for staff, better service and faster treatment for patients. If only it wasn’t also a win for cybercriminals.

Holding hospitals hostage

There are two reasons why electronic patient records are attractive to criminals. The first is simply to make money: the stolen data is held to ransom until the hospital or facility pays a large sum of money to release it. Last year saw a disturbing increase in these attacks, very likely due to the vulnerability of the industry’s data and the consequent high chance of success for hackers. According to the US Identity Theft Resource Center (ITRC), 43.6% of the data breaches in the US in 2016 were at medical or healthcare facilities. In February, the Hollywood Presbyterian Medical Center in Los Angeles had to pay $17,000 in Bitcoin to regain control of its electronic data, which had been held hostage, so to speak, for ten days. In May, the Kansas Heart Hospital in Wichita paid “a small amount” in ransom money to unlock their files. Late in July, the Marin Healthcare District in Greenbrae, California and the New Jersey Spine Center in Chatham both paid the demanded amounts to release their data after ransomware attacks. Things are also not looking any better in the UK, where 30% of National Health Service (NHS) Trusts have suffered a ransomware attack.

Another way to make money is to sell the stolen records on the darknet, where a “fullz” – an individual’s complete health record, along with financial information and even utility bills or insurance receipts – can earn a hacker up to $50. At the beginning of May 2016, a fraudster was able to access the tax information of 2,800 employees at the Saint Agnes Medical Center in Fresno, California, through a phishing attack. Two months later, servers containing the personal health information of 22,000 patients of the North Ottawa Medical Group (based in Michigan) were accessed by an unauthorized user. And in August of last year, hackers obtained access to the test results, health insurance data, and driver’s license information of more than 29,000 patients of the Integrity Transitional Hospital in Denton, Texas. That’s a lot of “fullzes”.

The second motivation hackers might have for stealing patient records is political – to expose confidential information, or plainly as a show of power. Shortly after the Olympic Games in Rio, the Russian group Fancy Bear revealed the medical histories of Venus Williams, Rafael Nadal, and other sportspersons as “sensational proof of famous athletes taking doping substances”. (The same group later hacked the Democratic National Committee (DNC) in the US, as well as presidential candidate Hillary Clinton’s campaign staff.)

The road to recovery

So how can hospitals, medical practices, and health insurers protect themselves against this threat? The first step is to understand the link between identity, authentication, and security. Only the necessary users (staff, patients or customers) should have access to your database. Then, when such a user wants to log into your system, whether onsite or remotely, they must first prove their identity (i.e. authenticate themselves) to the system. Finally, the system must have a way of knowing if that user is an impostor. And considering the risks discussed so far, this security measure should be on par with those used by banks.

Entersekt’s technology has a proven track record at financial institutions and beyond, and it gives legitimate users a quick, hassle-free way to access your system while keeping pilferers out. Instead of carrying around a security token, your staff and customers can simply use their mobile devices to authenticate themselves. By providing a separate, end-to-end-encrypted channel between your servers and the user’s device, we enable the user to log in securely with a single tap.
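To make the three steps above concrete (limiting access to the users who need it, proving identity, and spotting an impostor), here is a simplified out-of-band login approval in Python. It is an added illustration, not Entersekt’s code or protocol: it assumes a per-device key shared at enrollment and an HMAC over the challenge in place of the asymmetric keys and encrypted push channel a real product would use, and the accounts, roles and passwords are constructed sample data. The password is factor one; a fresh, unused approval signed by the enrolled device is factor two; a role table decides which record types a user may open.

```python
import hashlib
import hmac
import json
import os
import time

CHALLENGE_TTL_SECONDS = 60   # assumption: an approval older than this is stale


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor one is stored as a slow hash, never as the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample accounts (hypothetical users, roles and passwords).
_SALT = os.urandom(16)
USERS = {
    "dr.jones": {"pw": hash_password("correct horse", _SALT), "role": "clinician"},
    "billing1": {"pw": hash_password("invoice!2016", _SALT), "role": "billing"},
}
# Least privilege: each role sees only the record types it needs.
ROLE_PERMISSIONS = {
    "clinician": {"clinical_notes", "lab_results"},
    "billing": {"invoices"},
}


def device_sign(key: bytes, challenge: dict) -> str:
    """Device side: what a tap on 'Approve' sends back over the second channel.

    The signature covers the whole challenge (user, session, nonce, time), so an
    approval cannot be reused for a different login attempt.
    """
    msg = json.dumps(challenge, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Server side of the two-factor login (illustrative, not a product API)."""

    def __init__(self):
        self.device_keys = {}   # username -> key shared with the enrolled device
        self.pending = {}       # challenge id -> challenge awaiting approval
        self.consumed = set()   # challenge ids already used (replay protection)

    def enroll_device(self, username: str) -> bytes:
        # Assumption: the key is provisioned once over a separate encrypted channel.
        key = os.urandom(32)
        self.device_keys[username] = key
        return key

    def start_login(self, username: str, password: str, session_id: str, now=None):
        """Factor one. Returns the challenge to push to the device, or None."""
        user = USERS.get(username)
        if user is None or username not in self.device_keys:
            return None   # unknown user, or no enrolled device to complete factor two
        if not hmac.compare_digest(user["pw"], hash_password(password, _SALT)):
            return None
        challenge = {
            "id": os.urandom(8).hex(),
            "user": username,
            "session": session_id,   # binds the approval to this login attempt
            "nonce": os.urandom(16).hex(),
            "issued_at": now if now is not None else time.time(),
        }
        self.pending[challenge["id"]] = challenge
        return challenge

    def approve(self, challenge_id: str, signature: str, now=None) -> bool:
        """Factor two. True only for a fresh, unused, correctly signed approval."""
        now = now if now is not None else time.time()
        challenge = self.pending.get(challenge_id)
        if challenge is None or challenge_id in self.consumed:
            return False   # unknown challenge, or a replayed approval
        if now - challenge["issued_at"] > CHALLENGE_TTL_SECONDS:
            del self.pending[challenge_id]
            return False   # stale approval
        expected = device_sign(self.device_keys[challenge["user"]], challenge)
        if not hmac.compare_digest(expected, signature):
            return False   # not signed by the enrolled device: treat as an impostor
        self.consumed.add(challenge_id)
        del self.pending[challenge_id]
        return True

    def can_access(self, username: str, record_type: str) -> bool:
        """Authorization after authentication: only what the role needs."""
        role = USERS[username]["role"]
        return record_type in ROLE_PERMISSIONS.get(role, set())
```

The `now` parameter exists only so that expiry can be exercised deterministically; in use, both methods fall back to the wall clock. The checks to note are the ones that catch an impostor: a wrong password never produces a challenge, an approval signed with anything but the enrolled device key is rejected, a captured approval cannot be replayed, and an approval that arrives after the TTL is discarded.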

Email us to learn more about how Entersekt can secure healthcare and insurance-related interactions intuitively and conveniently.

Jolette Roodt


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.