What We Do

You’ll get fast decisions, responsible technicians and quality outcomes.

Healthcare Cyber security and the Human Factor: Using Risk-Based Authentication that Considers Behavioral Factors

Data privacy and security in the healthcare industry is just as important as staff efficiency and ease of access to data.

However, it may appear that not as much priority is given to data security as is given to other concerns as is evidenced by recent multiple security breach incidents including the 2017 ransomware attack which exposed sensitive data belonging to 266,000 patients.

Data breaches in healthcare ultimately come as a result of human error, and it is often the case that healthcare employees are ill-equipped to handle common privacy and security threat situations.

The first step towards protecting organisations from these threats is to deal with the “human factor” by minimising the risk of human error. Risk-based authentication achieves this by putting a focus on human behavioural factors with the aim of increasing security without compromising usability.

How healthcare employees increase risk

The high digital security risk that is prevalent within the healthcare industry tends to be exacerbated by healthcare employees themselves. A recent study by MediaPro, a security awareness and compliance training company, illustrated the extent of the problem where they found that 37% of healthcare staff posed a risk to their organisations. This meant that the actions of these employees could cause security incidents or privacy breaches. Another 41% of employees were classified as novices, as they only had a basic knowledge of digital security practices. 

Phishing emails

The study identified that 24% of doctors failed to identify a phishing email – a figure three times higher than in non-physicians. This is particularly poignant when considering the high-level network privileges that doctors need access to, in order to effectively perform their jobs. Privileged accounts tend to be prime targets for phishing attacks, and it is estimated that these privileged accounts are the prime targets in 80% of security breaches.

Malware and ransomware

Ransomware is a kind of malware which limits users access to their systems until a ransom is paid, and both malware and ransomware pose serious security threats to healthcare organisations. The need for continuity of service in healthcare means that whenever ransomware attacks occur, hospitals often concede and pay the ransom, as service disruption and disclosure of sensitive data can have far-reaching consequences. For cybercriminals, this is the ideal response, making healthcare organisations an attractive target.

Ransomware attacks are on the rise, and healthcare organisations are one of the primary targets, with 78% of healthcare providers being reported to have experienced an attack within the last 12 months as a study showed. Furthermore, 43% of large healthcare providers had experienced a minimum of 16 attacks. These statistics are particularly sobering in light of the study by MediaPro where 24% of physicians had been unable to identify common signs of a malware attack.

Mobile technology and remote working

Healthcare employees are particularly vulnerable to certain risky security practices, particularly when working remotely or when using mobile technology. 26% of respondents to a study by MediaPro admitted to logging into unprotected, public Wi-fi networks for work-related purposes. Furthermore, 18% of respondents selected actions that put their organisations at risk when presented with simulated data breach scenarios.

One-size-fits-all MFAs are ineffective

When it comes to data security, single-factor authentication is not sufficient for healthcare organisations, even with the best digital security policies in place. This is because single-factor authentication provides a central point of attack and human error is always a possibility.

While IT teams might be aware of the limitations in data security knowledge among clinical staff, many still opt for one-size-fits-all multi-factor authentication (MFA) solutions which depend on the same kind of additional authentication at every login attempt.

Where clinicians need quick easy access to patient data, MFA can prove to be cumbersome and frustrating due to the additional layers of security required for each login. To circumvent the processes causing frustration, unsafe practices such as not logging out, sending files to personal e-mail accounts, written passwords and password sharing begin to emerge. In clinical practice, the primary focus tends to be the patient not patient data. Therefore, overly disruptive security measures could quickly result in low user adoption and an increased security threat.

Risk-based authentication for contextual and behavioural factors

Because user requirements and login scenarios differ, it is important to consider MFA solutions which improve security without sacrificing usability by taking both contextual and behavioural factors into account. Risk-based authentication (RBA) helps MFAs achieve this by offering a real-time risk score for every access attempt. The risk score is calculated based on set rules and is measured against the risk threshold for each system. Users are then offered authentication options which match the risk level that they present. Because additional authentication is requested for login attempts deemed to have an elevated risk, the majority of the users are able to enjoy a seamless login experience. This is important in clinical environments where ease of access to patient records is a top priority.

The factors RBA takes into account when risk scoring consist of contextual factors (device type, user location, time of day etc) and human factors such as personal characteristics and behavioural factors.

Examples of personal factors include attributes such as the user’s position within the organisation, or the length of time spent with the organisation. Is the user a full-time physiotherapist, part-time doctor or third-party contractor, for example?

Behavioural factors consider the varying levels of risk across a variety of users. For example, for users who pose a higher security threat due to a lack of awareness, RBA allows for the identification and allocation of additional authentication to these high-risk users. Factors that may identify these users as high risk could include previous security incidents, low scores on security exams, or even failure to sit the security exams.

Protecting your healthcare organisation with risk-based authentication

Because of the increased incidence of sophisticated cyber attacks on healthcare organisations, there is an increased need to provide the highest level of security required to mitigate these attacks. Employee security-related naivety also increases the already risky situation and it is important for healthcare organisations to account for the human factor when taking the necessary steps to minimise the risks.

Risk-based authentication is the ideal solution as it is an improvement from MFA, which accounts for behavioural factors and effectively reduces the probability of human error without sacrificing usability and productivity.