Electronic health record (EHR) systems have streamlined medical practice workflows, enabling clinicians and other medical staff to coordinate and facilitate healthcare processes such as prescribing medications. Through EHR systems, prescriptions can be generated and transmitted directly to the patient’s preferred pharmacy, a process known as electronic prescribing or e-prescribing. This practice offers better efficiency and patient safety than traditional paper prescriptions, especially when it comes to controlled substances.
However, as EHRs contain a multitude of sensitive patient information, they also become targets for criminal attacks. Fraudsters will try various methods to infiltrate healthcare networks to steal patient records and use the data personally or sell it on the dark web.
Many factors contribute to the risk to patients’ data. In addition to often inadequate cybersecurity measures, poor healthcare employee practices like password sharing also promote data vulnerabilities.
A study published by Healthcare Informatics & Research surveyed 299 healthcare workers and found that 73.6% of participants have been involved in password sharing. The frequency at which password sharing has occurred was estimated at an average of 4.75 episodes.
While medical staff might trust their colleagues with their login information, there is no guarantee that their account will not be used fraudulently or that their credentials will not fall into someone else’s hands.
Verizon’s Data Breach Report continues to prove that passwords are among the leading causes of data breaches. Their 2020 report cited that 80% of hacking-related breaches are still linked to passwords. Nearly similar statistics have been recorded since 2017.
Although healthcare worker authentication is required when accessing EHRs, shared secret information or knowledge-based authentication credentials are not enough to keep out bad actors. Medical institutions must deploy more robust authentication methods and stricter policies among their staff to protect patients’ sensitive data to comply with the Health Insurance Portability and Accountability Act (HIPAA) and honor an ethical responsibility to ensure patients’ safety.
Fraud Among Healthcare Providers
Once fraudulent outsiders gain access to EHRs, they can make changes to the data provided by clinicians in the EHR, including diagnoses, prescriptions, or other instructions related to patient care. For instance, if a patient receives prescriptions for controlled substances, the fraudster could obtain the drugs, which they can use themselves or sell illegally.
Compromised accounts among healthcare providers also entail far more risks as they can lead to life-threatening situations for the actual patients.
Additionally, some dishonest healthcare providers might also use their colleague’s credentials to conduct illegal activities within the medical institution. The Protenus Breach Barometer’s recent findings revealed that 8 million patient records were breached by insiders in 2020.
In the same year, the Department of Justice charged more than 300 individuals, including some licensed medical professionals and healthcare executives, for their involvement in healthcare fraud, waste, and abuse schemes, resulting in record-high false and fraudulent claims amounting to over $6 billion.
The cases included the usual schemes such as billing for products or services never rendered, prescribing and billing for unnecessary treatments and medications, and new schemes involving telemedicine.
HIPAA Log-in Monitoring and Password Management Standard
To reduce the likelihood of data breaches, HIPAA issued password requirements among healthcare workers under Section 164.308(a)(5) of the Administrative Safeguards of the HIPAA Security Rule. It mandates covered entities to implement necessary measures for “monitoring log-in attempts and reporting discrepancies” and “for creating, changing, and safeguarding passwords.” Password sharing is also prohibited because of its implication in data breaches.
Nevertheless, as these standards still involve passwords, the threat might not be resolved as intended. Fortunately, the HIPAA password requirements are addressable requirements meaning that covered entities can use alternative security measures as long as they are equally effective and compliant. A recommended replacement is multifactor authentication (MFA).
MFA provides a layered defense against fraudulent login attempts. It requires users to satisfy two or more authentication credentials before being granted access to the account. Still, it is essential to note that a combination of strong credentials must be utilized when using MFA, such as possession factors (cryptographic keys) and inherence factors (biometrics).
These authentication factors enable passwordless login, which is more secure than knowledge-based credentials and SMS or email codes. Going passwordless also reduces friction, reducing time on typing long, complex passwords and inputting security codes.
The Need for More Secure and Effective Healthcare Worker Authentication
As hackers and insiders continue to target user credentials and other login information, healthcare institutions must shore up their defenses by utilizing more efficient authentication solutions that use stronger authentication factors and capture audit trails to monitor changes that have been made in EHRs. Likewise, access controls should also be placed to limit the information certain individuals can see and the actions they are allowed to perform.
Healthcare institutions can step up multifactor authentication with FIDO 2.0-compliant passwordless authentication. FIDO 2.0’s cryptographic login credentials are bound to the registered device and can be unlocked using a secondary factor such as facial biometric authentication. Since most mobile devices often have a dedicated chip that stores and encrypts biometric onboarding templates, the biometric data cannot be extracted from the user’s device.
With biometric multifactor authentication solutions and device-based authentication, healthcare providers can meet the demand for security and convenience while remaining compliant to HIPAA standards.
Given the valuable and sensitive data held within EHR, medical institutions must deploy robust security measures to protect patients’ confidential information while remaining compliant with HIPAA regulations. Implementing effective alternatives in healthcare worker authentication and eliminating outdated passwords that have been the source of numerous data breaches, is a critical must for the health sector.
Many Identity as a Service (IDaaS) providers offer the latest technology for stronger user authentication on digital platforms, and healthcare institutions must choose the right partner to work with.
AuthentifID™ by authID delivers trusted FIDO 2.0 strong authentication that allows healthcare professionals to authenticate to their systems using on-device biometrics, thus eliminating the risk of stolen or shared passwords. During user registration, AuthentifID leverages authID’s seamless biometric identity verification service to scan an identity document and take a selfie to establish a digital chain of trust between biometrically verified individuals, their accounts, and their devices.
Verified™ by authID an identity authentication solution that delivers mobile facial biometric authentication that offers greater assurance than knowledge-based authentication or other two-factor authentication solutions. Verified confirms consent to specific transactions, captures audit trails, and biometrically authenticates a person’s identity in a real-time, seamless user experience. Verified™ enables MFA upgrades that can be easily done through RESTful API integration.
Schedule a Demo with authID
authID.ai is a provider of an Identity as a Service (IDaaS) platform that delivers a suite of secure, mobile, biometric identity solutions, available to any vertical, anywhere. authID’s biometric authentication and passwordless solutions ensure that only authorized healthcare workers can log into medical databases, maintaining patient privacy and data protection. Contact authID today at 1 (516) 778-5639 or click here to schedule a demo.