Let’s just say it: healthcare IT security is in a state of crisis. Breaches are on the rise and growing larger and more serious all the time; costs are rising too, with an average breach cost of $398 per healthcare record, compared to the general record cost of $217. In fact, one estimated cost of healthcare breaches for 2015 is $5.6 billion.
Those are staggering figures. And it gets worse when you look at recent developments in the world of U.S. healthcare data breaches, as many have been doing since the September 9 announcement of the Excellus Blue Cross Blue Shield megabreach.
Let’s review the 10 largest publically reported U.S. healthcare cyber breaches, which impacted a combined total of 116.8 million records. 7 of those breaches have occurred in the last 7 months – including the Anthem breach, impacting 78.8 million records, and the Premera Blue Cross breach, impacting 11 million records. Of those 10 attacks, 9 were either suspected or confirmed Advanced Persistent Threats (APTs.) All 10 involved stolen credentials.
So here’s the question we need to be asking: why aren’t we stopping this healthcare crimewave with Adaptive Authentication?
If you’re thinking along traditional lines of healthcare IT security, your go-to solution might be encryption. Everyone knows encryption is the gold standard for protecting valuable ePHI, right? Well, not so fast: at least one healthcare breach victim says, "Our data was encrypted, but the attackers gained unauthorized administrative access to our systems, therefore allowing them to potentially access personal information."
Darrel Ng, a spokesman for Anthem Blue Cross in California, claims that encryption wouldn’t have stopped their breach: "Because an administrator's account was compromised, no amount of encryption would have prevented this attack." Ng isn’t alone; Microsoft has recently come out with research showing that EMR database encryption may not offer much protection against attackers who have compromised administrator credentials or gained access to the system’s memory.
Don’t get us wrong. There’s a place for database encryption solutions, specifically because they can eliminate some attack vectors. The mistake lies in relying on them as the final, impenetrable last line of defense. Consider those top 10 breaches, all of which involved compromised admin credentials. If those credentials allowed criminals into systems containing ePHI and the systems’ memory, then file and database encryption just doesn’t meet the definition of “secured PHI.”
The real final line of defense? Administrator authentication. In this day and age, most system administrators know how to protect their password, which forces attackers to find and exploit vulnerabilities. More often than not this involves delivering a malware payload to be downloaded by an unsuspecting user. Once in the network, the hacker moves laterally across a network to escalate privileges. And that’s where Adaptive Authentication comes in; stopping those unauthorized movements with multiple tactics.
The Case for Adaptive Authentication
First let’s define just what Adaptive Authentication is. Traditional authentication is the “process of establishing confidence in the identity of users or information systems,” as defined in NIST SP 800-63-2. Adaptive Authentication, on the other hand, is applying additional or alternate risk-based authentication challenges that either supplement or replace traditional authentication credentials.
Adaptive Authentication includes automated contextually intelligent verification checks that can step-up credential requirements as needed during an authorization workflow. At SecureAuth, we offer contextually sensitive application methods that are both threat aware and dynamically applied. They escalate user verification criteria and identity assurance levels based on preconfigured escalation workflows – ensuring advanced security for the IT team and seamless convenience for the user.
That brings us to the million-dollar question: could Adaptive Authentication have prevented these hacks? To take what we know about the Utah DTS breach, it’s a safe bet that Adaptive Authentication would have prevented the breached server from being compromised. As for other recent major healthcare breaches, most appear to be the result of Advanced Persistent Threats or APTs; because we’re not privy to the organizations’ IT security controls, we can’t say 100 percent that Adaptive Authentication would have stopped those breaches.
But there’s a good chance they would have. By combining contextual threat awareness with strategically layered authentication controls, even APTs can be disrupted and (with intelligent monitoring) stopped before ePHI can be exfiltrated. And we can say quite confidently that SecureAuth would have posed a much greater challenge to attackers, forcing them to find different ways of compromising user credentials.
Healthcare data breaches aren’t going away. Criminals get tougher and more sophisticated every day. To stop the rising tide of attacks, healthcare IT teams must fight fire with fire and employ the most advanced security controls available – and for APTs, that means Adaptive Authentication.