The Call for Adaptive Authentication in Healthcare IT Security

August 27, 2016

Let’s just say it: healthcare IT security is in a state of crisis. Breaches are on the rise and growing larger and more serious all the time; costs are rising too, with an average breach cost of $398 per healthcare record, compared to the general record cost of $217. In fact, one estimated cost of healthcare breaches for 2015 is $5.6 billion.

Those are staggering figures. And it gets worse when you look at recent developments in the world of U.S. healthcare data breaches, as many have been doing since the September 9 announcement of the Excellus Blue Cross Blue Shield megabreach.  

Let’s review the 10 largest publicly reported U.S. healthcare cyber breaches, which impacted a combined total of 116.8 million records. 7 of those breaches have occurred in the last 7 months – including the Anthem breach, impacting 78.8 million records, and the Premera Blue Cross breach, impacting 11 million records. Of those 10 attacks, 9 were either suspected or confirmed Advanced Persistent Threats (APTs). All 10 involved stolen credentials.

So here’s the question we need to be asking: why aren’t we stopping this healthcare crimewave with Adaptive Authentication?

If you’re thinking along traditional lines of healthcare IT security, your go-to solution might be encryption. Everyone knows encryption is the gold standard for protecting valuable ePHI, right? Well, not so fast: at least one healthcare breach victim says, “Our data was encrypted, but the attackers gained unauthorized administrative access to our systems, therefore allowing them to potentially access personal information.”

Darrel Ng, a spokesman for Anthem Blue Cross in California, claims that encryption wouldn’t have stopped their breach: “Because an administrator’s account was compromised, no amount of encryption would have prevented this attack.” Ng isn’t alone; Microsoft has recently come out with research showing that EMR database encryption may not offer much protection against attackers who have compromised administrator credentials or gained access to the system’s memory.

Don’t get us wrong. There’s a place for database encryption solutions, specifically because they can eliminate some attack vectors. The mistake lies in relying on them as the final, impenetrable last line of defense. Consider those top 10 breaches, all of which involved compromised admin credentials. If those credentials allowed criminals into systems containing ePHI and the systems’ memory, then file and database encryption just doesn’t meet the definition of “secured PHI.”

The real final line of defense? Administrator authentication. In this day and age, most system administrators know how to protect their password, which forces attackers to find and exploit vulnerabilities. More often than not this involves delivering a malware payload to be downloaded by an unsuspecting user. Once in the network, the hacker moves laterally across it to escalate privileges. And that’s where Adaptive Authentication comes in: stopping those unauthorized movements with multiple tactics.

The Case for Adaptive Authentication

First let’s define just what Adaptive Authentication is. Traditional authentication is the “process of establishing confidence in the identity of users or information systems,” as defined in NIST SP 800-63-2. Adaptive Authentication, on the other hand, is applying additional or alternate risk-based authentication challenges that either supplement or replace traditional authentication credentials.

Adaptive Authentication includes automated, contextually intelligent verification checks that can step up credential requirements as needed during an authorization workflow. At SecureAuth, we offer contextually sensitive application methods that are both threat aware and dynamically applied. They escalate user verification criteria and identity assurance levels based on preconfigured escalation workflows – ensuring advanced security for the IT team and seamless convenience for the user.
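As an added illustration (not SecureAuth's code or API), the sketch below shows how contextual checks can drive a preconfigured escalation workflow after the password check has already passed. The signal names, weights, thresholds, users, devices and addresses are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: documentation-range addresses, hypothetical users/devices.
THREAT_NETS = [ip_network("203.0.113.0/24")]   # stand-in for a threat-intelligence feed
KNOWN_DEVICES = {"admin.jones": {"dev-7f3a"}, "nurse.lee": {"dev-11c2"}}
# Preconfigured escalation workflow: (minimum risk score, required action), highest first.
WORKFLOW = [(70, "deny"), (30, "step_up_mfa"), (0, "allow")]

@dataclass
class LoginContext:
    user: str
    src_ip: str
    device_id: str
    is_admin: bool
    target_holds_ephi: bool
    km_from_last_login: float
    hours_since_last_login: float

def risk_score(ctx: LoginContext) -> int:
    """Sum contextual risk signals; the weights are illustrative assumptions."""
    score = 0
    if any(ip_address(ctx.src_ip) in net for net in THREAT_NETS):
        score += 70                             # known-bad source is enough to deny
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 30                             # device never enrolled for this user
    # Geo-velocity: covering more than ~900 km per hour between logins is implausible.
    if ctx.km_from_last_login > 900 * ctx.hours_since_last_login:
        score += 40
    if ctx.is_admin and ctx.target_holds_ephi:
        score += 30                             # privileged ePHI access always steps up
    return score

def decide(ctx: LoginContext) -> str:
    """Map the score onto the workflow; a valid password alone never reaches this as 'allow' for admins on ePHI."""
    score = risk_score(ctx)
    return next(action for threshold, action in WORKFLOW if score >= threshold)
```

With these weights, an administrator password replayed from an unenrolled device far from the last login is denied outright, while the same administrator on a known device is still asked for a second factor before reaching an ePHI system.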

That brings us to the million-dollar question: could Adaptive Authentication have prevented these hacks? Going by what we know about the Utah DTS breach, it’s a safe bet that Adaptive Authentication would have prevented the breached server from being compromised. As for other recent major healthcare breaches, most appear to be the result of Advanced Persistent Threats or APTs; because we’re not privy to the organizations’ IT security controls, we can’t say 100 percent that Adaptive Authentication would have stopped those breaches.

But there’s a good chance it would have. By combining contextual threat awareness with strategically layered authentication controls, even APTs can be disrupted and (with intelligent monitoring) stopped before ePHI can be exfiltrated. And we can say quite confidently that SecureAuth would have posed a much greater challenge to attackers, forcing them to find different ways of compromising user credentials.

Healthcare data breaches aren’t going away. Criminals get tougher and more sophisticated every day. To stop the rising tide of attacks, healthcare IT teams must fight fire with fire and employ the most advanced security controls available – and for APTs, that means Adaptive Authentication.
