MFA for Hospitals: Password Sharing, Workstations, and Other Challenges

Written by Thales.

Healthcare organizations today face an evolving cyber threat landscape, and a range of attacks such as phishing and ransomware that continue to grow in sophistication, leaving patients, doctors, and hospitals nervous. The healthcare industry is one of the most targeted critical infrastructure sectors and the data from various reports is compelling.

• The average cost of a data breach in the healthcare sector is $9.23 million
• Compromised credentials continue to be the most common attack entry point; 61% of data breaches can be traced back to credentials

The security challenge of shared workstations

Shared workstations in hospitals and other healthcare service providers are necessary since they facilitate the smooth operation of critical areas where a large percentage of personnel work in shift rotations taking care of their patients. However, these beneficial devices may become a security threat if robust authentication measures are not implemented.

Shared workstations create extra security vulnerabilities in crucial sectors such as emergency rooms and call centers because of insecure shared workstation behaviors, such as password sharing and the use of post-it notes for passwords. In fact, 46% of employees share work-related passwords for accounts that are used by multiple co-workers. The risk of a shared workstation being unavailable due to a cyberattack should not be underestimated as this can lead to business downtime, affect patient health and treatment, and entail HIPAA compliance penalties.

Password sharing is a HIPAA violation

A HIPAA password sharing policy should prohibit hospitals, doctors, nurses, and employees from sharing passwords that provide access to electronic Protected Health Information (ePHI).

Under the Technical Safeguards of the HIPAA Security Rule, hospitals and healthcare entities are required to create procedures to authenticate the identity of an individual accessing electronic health records (HER) and to assign a unique name or number for identifying and tracking user identity. In addition, the Administrative Safeguards of the HIPAA Security Rule stipulate that healthcare providers must adopt "procedures for creating, modifying, and protecting passwords."

Looking at the provisions of the HIPAA Security Rule, it is evident that sharing passwords to access EHR is a clear violation of HIPAA. Despite that, 73% of respondents to a 2017 study of healthcare professionals reported using a colleague's login credentials to access medical data.

Authentication considerations for healthcare shared workstations

While considering authentication solutions for shared workstation in healthcare environments, organizations should consider the following four factors that will enable them to ensure the security of EHR and compliance with HIPAA without disrupting operations efficiency.

1. How do you secure shared devices and EHR with multiple rotating individuals, making sure both the employee accounts are secure and that healthcare professionals are gaining access to only the applications, services, and data they should have access to?
2. How do you provide fast and easy authentication for your healthcare professionals to avoid workflow disruption and unauthorized workarounds?
3. How do you deploy a consistent authentication solution that works in all healthcare related use cases with diverse levels of access requirements?
4. How can you reduce the operational costs related to employee authentication?

How to secure shared workstations in healthcare

The answer to these questions is to move away from insecure passwords that promote unhealthy habits like password sharing.

Phishing resistant MFA

The first obvious option is to deploy multi-factor authentication (MFA). While all MFA methods are not equally safe, they are by far more secure than just having to rely on passwords. When selecting an appropriate MFA solution for healthcare settings, you will have to consider the following:

• Most of the time, mobile phones are restricted in emergency rooms and other critical operational areas inside hospitals.
• US government regulations and EU guidelines mandate the deployment of a phishing resistant MFA method.

The combination of these two requirements means you cannot rely on OTP push notifications provided by authenticator apps installed on mobile phones. Hence, you will need a solution that is based on FIDO2 security keys.

The most recent FIDO standard, FIDO2, employs public key cryptography for enhanced security, with private keys never leaving the authenticator. FIDO2 hardware security keys provide passwordless and multi-factor authentication with a high level of security and an amazing user experience that does not slow down operations where success is only a few seconds away from failure. They provide a portable root of trust that is highly suitable for environments with shared workstations.

Pattern-based authentication

A healthcare professional can produce a one-time passcode using pattern-based authentication without the need for hardware tokens or software apps. The individual is presented with a matrix of cells containing random characters, from which they select a "personal identification pattern" (PIP).

When an employee attempts to authenticate to a shared workstation, a challenge grid comprising random characters is given to them. The individual then enters their PIP characters in the corresponding cells. The outcome is significantly superior to static passwords. Each time the challenge grid appears, the characters in the cells are different, requiring the employee to input a unique passcode each time. In addition, there is no hardware to lose. Pattern-based authentication offers speed and security, both essential in a healthcare environment.