Debates concerning online privacy and data security have been active across the globe. Some of these have, favorably, resulted in far-reaching changes to how the internet is governed, the European Union’s General Data Protection Regulation (GDPR) being just one example of a significant measure taken by an international governmental body. Yet there is one subject close to home that is not up for debate: the American healthcare sector’s casual treatment of protected health information (PHI), which is collectively one of the resources most vulnerable to exploitation today.
Outdated security systems and authentication protocols adopted by healthcare organizations, together with a sheer lack of knowledge about handling PHI, are the root causes of modern-day medical data breaches. What makes the situation more problematic is that most users – whose private data such as medical history and payment details are on the line – have little idea of this vulnerability. This forms a loop and turns into a gold mine for hackers and cybercriminals looking to extract private data from vulnerable platforms and sell it on the nether side of the web, or worse, use it for drug diversion and claims fraud. The consequences of such a large-scale event in cyberspace can be catastrophic.
It is high time that the status quo of data security practices for PHI is questioned, and that safer, more secure means to collect, maintain, and manage our data in the cloud are adopted. The world is already well equipped with the infrastructure needed to get the ball rolling, but there’s still a long way to go! Here’s how…
What follows is a more in-depth look at this looming threat of PHI vulnerability and exploitation, at the outdated authentication protocols prevalent in the industry today, and at a strong, permanent solution to it all. Read on…
The Other Cost of Healthcare
Even as the medical industry in the United States scrambles to provide the best healthcare to its people despite the burgeoning cost, there is a much higher, extra toll that people pay to get aid. The average American citizen has at least some of her information recorded, in some form, in the hospitals she has visited over her lifetime. This data is collectively called PHI under federal law and, as provided under the Health Insurance Portability and Accountability Act (HIPAA), is lawfully collected by hospitals as part of their patient data entry. The problem enters the equation with a closer look at this data, its entry, and its retrieval.
How poorly hospitals and healthcare organizations at large handle, attempt to anonymize and de-identify, and store this particular set of data is what adds to the extra cost that users pay. Having personal information such as one’s medical history and insurance details, Social Security number, and other private identifiers out in the open on a hospital’s network, available for hackers to extract through brute force, is not only a serious issue but also a matter that needs to be discussed and acknowledged by the people most affected by it.
According to a recent survey report released in 2015 by a security software provider, almost 22% of US healthcare workers do not need credentials to access data on their hospital’s network. What is even more surprising is that access limitations based on time and place are rarely applied, which is scarcely less troubling than the high number of workers with direct, no-holds-barred access to PHI. But the most concerning part is how this data is stored and protected: with passwords.
To further understand how this immature system gives a healthcare worker easy access without credentials or multi-factor authentication, let’s take a look at the basic security standards used by these very organizations. It should be noted that this is in no way meant to undermine the efforts hospitals have taken to solve this issue. Instead, it is intended as an exercise in creating awareness.
The Limitations of OAuth
Most healthcare organizations’ security systems use an open authorization standard called OAuth for access delegation. Here a healthcare worker accesses resources in a PHI database with the help of an access token issued by an authorization server. This is effectively implemented with the approval of the resource owner, i.e. the patient.
In such a system, a mother-to-be knows that her hospital holds an entire record of her private information, including her health report, but has no definite assurance about its security. She assumes that this data will be used scrupulously by her attending physicians and medical experts to help her get better and ease her and her newborn into their new life. But she does not know that this same data is held insecurely on the hospital’s cloud network behind a weak password that could very well be “Password1” and that is known not just to the head gynecologist but to her entire team of twelve.
The same password may also be the magic phrase for other applications, say the Gmail account, of the person who originally set it. Of course, there may be additional authentication factors involved, like the popular one-time password (OTP). Yet beyond a layman’s perspective, such measures are as vulnerable as passwords to a hacker’s lines of attack code. A phisher can effectively steal passwords and all other “shared elements” (also known as shared-secret authentication) as long as they are tied to the network and the platform. And that is where OAuth loses its competence.
Additionally, the problem with such an authorization standard lies in its implicit flow, which authorizes the user, say a nurse on duty, but does not authenticate her, which can lead to user impersonation. A very advanced form of this is what recently led to a so-called 51% attack against Ethereum Classic, one of the world’s top 20 cryptocurrencies. In January 2019, an unknown attacker took hold of more than half of the cryptocurrency’s computing power through the exchange platform Coinbase and used it to allegedly siphon virtual money to the tune of $1.1 million.
Sure, such cyber heists executed on complex networks like blockchains are blamed on more than just the exchange platforms’ basic security systems, but what needs to be deduced from this example is the vulnerability of a system that does not make the case for strong authentication: a protocol that depends not on passwords and digital tokens but on information that only the end user owns.
Passwords have been passé for a long time. Yet healthcare organizations still depend on them to secure essential patient data online because they are cheap and universally accepted. The biggest issue with OAuth – which is also present in its 2.0 version, still in use and widely accessible – is that it does not support encryption or client verification. It also does not support biometrics, a key authentication element in protocols and the best possible solution to this menace in the twenty-first century.
Embrace the FIDO Alliance
The concept of ‘strong authentication’ was mentioned above, along with its ability not only to protect sensitive PHI but also to end the problems that arise from using passwords as a security measure.
The FIDO Alliance, whose name stands for ‘Fast IDentity Online,’ is a global consortium of private and not-for-profit organizations that makes use of cryptographic protocols to secure online information. A complex system that challenges the use of passwords as a way to secure data, FIDO in simple terms is practically synonymous with the very notion of strong authentication.
In such a system, the protocol does not depend on passwords but on elements that are permanently linked to a person: for example, a secret that only the user knows, or simply a scan of the user’s iris. Think of it not as a password that you have to remember all the time to access your account on a social networking website, nor as an OTP sent to your mobile number that can easily be intercepted by following a video on YouTube.
Instead, think of FIDO as a protocol that requires multiple forms of verification (an authenticated device like a smartphone implementing the Universal Authentication Framework (UAF) protocol; a fingerprint or iris scan; or any other private information that establishes the user ‘as is’), selected randomly by an uncompromising server (the FIDO server), and matched against a previously generated public key to grant access.
Going through that statement and decoding each word may raise more questions, but suffice it to say that the protocol promises a stronger, more secure way to deal with PHI. But how? Let’s find out quickly…
Why FIDO? Why Strong Authentication? How Safe is PHI Then?
Embracing the FIDO Alliance, as internet behemoths like Google and Microsoft have already done (it should be added that the former’s popular browser already supports FIDO), definitely has its own set of benefits and improvements over existing data security practices. How it can inspire better PHI security lies in these quick pointers:
- Public-key cryptography – the core system in FIDO – makes use of two keys (a public key that is shared across websites and platforms, and a private key known only to the user) to facilitate an interaction where anyone can encrypt the data but decryption requires the key that the user owns.
- Apart from reducing users’ reliance on passcodes, it makes use of convenient methods like biometrics and behavioral authentication (popularly adopted by American healthcare giant Aetna), a single login for multiple devices, and one-touch control – all without the risk of a third party or middleman.
- There is no server-side information (passwords, security questions and answers) that an attacker would take the pains to steal. The data (which is encrypted) is retrieved from the server only when the private key is provided.
- Strong authentication protocols also give patients the much-needed confidence to freely supply their health information, as well as consent to its use, which helps them in the upkeep of their own health, this time with a renewed assurance that everything is done with the highest trustworthiness.
- FIDO is cost-efficient and future-proof because of its more straightforward setup, lower risk of breaches, and cleanup thereof and because it’s the highest level of security technology currently available.
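The challenge-and-public-key exchange sketched above, together with the point that the server holds no secret worth stealing, as an added Go example that is not part of the original article or of any FIDO Alliance code: the authenticator keeps one private key per relying party, the server stores only the public key and issues a fresh random challenge, and the signature covers the origin the client actually connected to, so a look-alike domain gets nothing and a captured signature cannot be replayed. The hostnames, user name and function names are constructed for illustration; real FIDO/WebAuthn adds attestation, signature counters and a structured client-data format on top of this core idea.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
type Authenticator map[string]*ecdsa.PrivateKey                        // one private key per RP ID; it never leaves the device
type Server struct{ rpID string; pubKeys map[string]*ecdsa.PublicKey } // holds only public keys: nothing here lets an attacker log in
// digest binds the fixed-length 32-byte challenge to the origin the client actually connected to.
func digest(challenge []byte, origin string) []byte {
	d := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return d[:]
}
// Register creates a fresh key pair scoped to rpID and hands over only its public half.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	a[rpID] = priv
	return &priv.PublicKey
}
// Sign answers a challenge with the key registered for origin, so the signature is useless elsewhere.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok { return nil, false } // look-alike domain: the authenticator holds no key for it
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(challenge, origin))
	return sig, err == nil
}
// NewChallenge issues a fresh random nonce so that a captured signature cannot be replayed.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}
// Verify recomputes the digest with the server's own rpID and the challenge it issued.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, digest(challenge, s.rpID), sig)
}
// Demo registers one user and reports whether a genuine login, a phishing relay and a replay succeed.
func Demo() (legit, phished, replayed bool) {
	auth, srv := Authenticator{}, &Server{rpID: "portal.hospital.example", pubKeys: map[string]*ecdsa.PublicKey{}} // constructed RP ID
	srv.pubKeys["nurse01"] = auth.Register(srv.rpID)
	c1 := srv.NewChallenge()
	sig1, _ := auth.Sign(srv.rpID, c1)
	legit = srv.Verify("nurse01", c1, sig1)
	_, phished = auth.Sign("portal.hospita1.example", srv.NewChallenge()) // look-alike origin: no key
	replayed = srv.Verify("nurse01", srv.NewChallenge(), sig1)           // old signature, new challenge
	return
}
```

Only the genuine login verifies; a database dump of `pubKeys` gives an attacker nothing that can be replayed or phished, which is the contrast with the shared-secret model described above.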
This is the basic premise of the FIDO Alliance and why it is touted as the future of data security for PHI. In a few years, FIDO’s advanced security protocols will be so strong that people will be using their smartphones as primary authenticators. All the more reason to embrace it and spread awareness of the clear edge it holds over existing, weaker approaches to data security.
If blockchains – widely known for being unhackable – can now get hacked due to poor security practices on the part of organizations, then there is enough cause for concern to shift the focus to PHI security. The healthcare industry may have been lucky so far, if measured by the total number of breaches reported to date. However, it is time not to wait for a tragedy to strike, and to act before precious data is compromised.