In February 2024, the Change Healthcare ransomware attack shut down healthcare billing and authorization systems for providers across the nation, substantially impacting business systems, finances and patient care. UnitedHealth Group, the parent company of Change Healthcare, estimates that losses so far have topped $872 million, including a $22 million ransom payment and other direct and indirect costs related to the event. The attack also exposed some 124 million patient records, spurring a congressional investigation and leaving UnitedHealth in violation of HIPAA laws.
How did hackers breach UnitedHealth Group’s systems? Compromised user credentials. Hackers used stolen credentials to enter a server that was not protected by multifactor authentication (MFA).
The attack highlights the importance of strong cybersecurity protocols around user authentication for healthcare providers, insurers and others in the healthcare industry. The healthcare sector handles vast amounts of sensitive data, including patient health records, billing and financial records, and sensitive business data. The industry is also highly regulated, with substantial fines and other repercussions for violating patient privacy.
Strengthening user authentication can help healthcare providers, insurers, and others in the healthcare sector comply with evolving cybersecurity standards and data privacy regulations. Passwordless login using radio-frequency identification (RFID) or near-field communication (NFC), as part of a phishing-resistant MFA solution, can help healthcare organizations protect sensitive data, minimize the risk of a catastrophic cyberattack, and prepare for evolving cybersecurity regulations in the healthcare space.
How Compromised User Credentials Put Healthcare Organizations at Risk
Organizations in the healthcare sector are a tempting target for hackers. Hospitals, physicians’ offices, and insurers store a wealth of sensitive data—including personal identification information (PII), medical records, and financial information—that is highly valuable on the black market. The healthcare industry also operates in a high-stakes environment, making ransom payouts more likely. In 2023 alone, the HHS Office for Civil Rights (OCR) received breach reports from more than 540 organizations in the healthcare sector, with those breaches implicating 112 million individuals. These incidents, in addition to causing substantial disruption and financial losses, put organizations out of compliance with data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and other federal and state laws regarding data privacy.
Many of these cyberattacks start by targeting the weakest link in cybersecurity architecture: the user-entered username and password. Compromised user credentials are a significant vulnerability for healthcare institutions—especially provider and staff user accounts with access to sensitive data and applications. Once threat actors gain control of a user account with the right access privileges, they can engage in malicious activities from inside the network, including data theft, installation of malware or ransomware, financial fraud or direct sabotage of business systems. In fact, the August 2023 Threat Horizons Report from Google concludes that 86% of security breaches for web applications are tied to compromised user credentials, and credential issues account for over 60% of compromise factors across all platforms and applications.
Why MFA Is Not Enough
Most healthcare organizations still rely on usernames and passwords as the primary authentication method for login to computers. Password-based user credentials are easily compromised through data theft, hacking (e.g., brute force attacks to guess username and password combinations) or phishing. Phishing and social engineering attacks—in which users are tricked into divulging their credentials or entering them into a fraudulent login screen—are on the rise in every sector and becoming increasingly sophisticated.
Because of the sensitive and protected nature of the data they deal with and their importance as part of our nation’s critical infrastructure, healthcare organizations are expected to comply with stringent cybersecurity standards, such as ISO/IEC 27001, the NIST Cybersecurity Framework, and standards set by the Cybersecurity & Infrastructure Security Agency (CISA). Strong user authentication is one of the pillars of modern cybersecurity standards. Multifactor authentication (MFA) is increasingly recommended for all applications involving sensitive data or systems.
MFA requires multiple forms of authentication, typically “something you know” (such as a password or PIN), “something you have” (such as a phone or security hardware key), and/or “something you are” (a biometric factor, such as a fingerprint or facial recognition). The most common forms of MFA are:
- One-time codes: Codes sent to the user via email or SMS text or generated by an authenticator app on the smartphone, such as Google Authenticator.
- Push notifications: A notification sent to a trusted device (usually their smartphone) that requires the user to accept or deny a login attempt on another device.
While easy to implement, both of these forms of MFA are vulnerable to phishing, social engineering and other forms of attack. In fact, a whole industry has arisen specifically to help cyber attackers bypass these forms of MFA, such as the EvilProxy MFA-bypass framework.
One-time codes, in addition to being highly time-consuming and cumbersome for users, are vulnerable to phishing as well as other types of attacks.
- Users can be easily deceived into providing both their login credentials and the one-time code on a fake website or revealing the code to an attacker impersonating a trusted entity via phone or text. While codes do expire, it only takes moments for an attacker to take control of the account.
- One-time codes sent via SMS can be intercepted by exploiting weaknesses in the communication infrastructure (known as SS7 protocol vulnerabilities) or through SIM swap attacks, where attackers manipulate cellular carriers to transfer the victim’s phone number to a SIM card they control.
Push notifications, though user-friendly, are also susceptible to attacks, including:
- Phishing and social engineering attacks (“When you see the notification on your phone, click accept…”).
- Push bombing attacks, in which users are bombarded with repeated push notifications until they eventually hit accept, either accidentally or out of sheer frustration.
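Push bombing leaves a recognizable trace in MFA logs: a burst of prompts to one user, often followed by a single approval. The detector below is an added example, not code from the original post; it runs over constructed log lines (timestamp, user, event) and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): "<timestamp> <user> <event>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent
2024-05-01T09:00:05Z alice push_denied
2024-05-01T09:00:20Z alice push_sent
2024-05-01T09:00:31Z alice push_denied
2024-05-01T09:00:45Z alice push_sent
2024-05-01T09:01:02Z alice push_sent
2024-05-01T09:01:10Z alice push_sent
2024-05-01T09:01:30Z alice push_approved
2024-05-01T09:30:00Z bob push_sent
2024-05-01T09:30:08Z bob push_approved
"""

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag users who received `threshold` or more push prompts inside `window`
    (sliding), and separately note users who APPROVED a prompt shortly after such
    a burst; the latter is the case to escalate, since it may be a coerced or
    accidental accept. Returns (flagged: {user: time_threshold_hit}, approvals: set)."""
    recent = defaultdict(deque)      # per-user timestamps of prompts within the window
    flagged, suspicious_approvals = {}, set()
    for line in log_text.splitlines():
        ts, user, event = parse(line)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged[user] = ts
        elif event == "push_approved" and user in flagged and ts - flagged[user] <= window:
            suspicious_approvals.add(user)
    return flagged, suspicious_approvals
```

On the sample data alice is flagged at the fourth prompt and her later approval is marked for review; bob, with a single prompt and approval, is not.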
What Makes MFA Phishing-Resistant?
This is why CISA recommends phishing-resistant forms of MFA for maximum security. Phishing-resistant MFA methods reduce exposure by removing the most vulnerable element of the equation: the username and password. Instead, user credentials are stored on a card, hardware token or smartphone. The second form of authentication can be a simple user PIN or biometric factor.
Phishing-resistant forms of MFA include:
- FIDO2 Security Keys: FIDO (Fast Identity Online) is an open standard for passwordless authentication. It enables users to easily and securely access their online services from a known device using biometrics, security keys (e.g., a physical token) or a PIN instead of entering a password for a website or application. Users must physically interact with the device during authentication, and their authentication data is stored locally on the device, so login credentials can’t be intercepted and used from a different device.
- RFID/NFC with PIN: This method uses a physical RFID/NFC card (such as an employee ID badge) or a mobile credential stored on a smartphone, which is used in conjunction with a PIN for MFA. The user must have the card or phone and know the PIN to authenticate. Without the card or mobile credential, any intercepted PIN is useless.
Phishing-resistant MFA aligns with modern cybersecurity standards for information, network and cloud security. It is an essential component of a secure zero-trust system, ensuring that only authorized users can access sensitive data and systems.
Phishing-Resistant MFA with RFID/NFC+PIN
RFID-based MFA is a simple way for healthcare institutions to transition to phishing-resistant MFA. Many hospitals and other businesses in the healthcare sector already issue RFID badges or mobile credentials to staff for building access, which can be easily leveraged for secure MFA access to computers, printers and networks. RFID- or NFC-based MFA offers a robust solution that is resistant to phishing and other forms of cyberattacks, such as push bombing, SIM swaps, and SS7 protocol attacks.
- Authentication occurs locally between the physical RFID card, fob, or smartphone and a reader embedded in or attached to the device. This local interaction ensures that user credentials cannot be intercepted by distant threat actors.
- The secure user authentication key is not known to the user, which means they cannot be tricked or coerced into revealing it to an attacker.
- The secondary form of authentication, typically a user PIN, can only be utilized by someone who also possesses the physical card or smartphone. This dual-factor requirement significantly enhances security. Biometrics can be used as the second form of authentication for even higher security.
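The three properties above (local challenge-response, a card key the user never sees, and a PIN that is useless without the card) can be shown in a small model. This is an added, simplified illustration, not ELATEC's or any vendor's actual reader protocol: it uses HMAC-SHA256 over a fresh host challenge as the card's possession proof and a salted PBKDF2 hash for the PIN; the card UID and PIN are constructed sample values.

```python
import hmac, hashlib, secrets

class Card:
    """The badge or phone credential: the key is provisioned at enrollment and
    never shown to the user, so it cannot be phished out of them."""
    def __init__(self, uid):
        self.uid, self._key = uid, secrets.token_bytes(32)
    def enrollment_key(self):
        return self._key                 # read once by the host at enrollment only
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Host:
    """Workstation/reader side: holds card keys, salted PIN hashes and one
    outstanding single-use challenge per card."""
    def __init__(self):
        self.cards, self.pins, self.pending = {}, {}, {}
    def enroll(self, card, pin):
        self.cards[card.uid] = card.enrollment_key()
        salt = secrets.token_bytes(16)
        self.pins[card.uid] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
    def challenge(self, uid):
        self.pending[uid] = secrets.token_bytes(32)   # fresh nonce per attempt
        return self.pending[uid]
    def verify(self, uid, response, pin):
        if uid not in self.cards:
            return False
        c = self.pending.pop(uid, None)   # consumed on first use: replays fail
        if c is None:
            return False
        expected = hmac.new(self.cards[uid], c, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False                  # possession factor failed
        salt, h = self.pins[uid]
        return hmac.compare_digest(h, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

def demo():
    card, host = Card("badge-1234"), Host()   # constructed sample credential
    host.enroll(card, "4821")
    # Legitimate login: card answers a fresh challenge AND the user knows the PIN.
    ok = host.verify(card.uid, card.respond(host.challenge(card.uid)), "4821")
    # PIN known but no card: a response computed without the card key is rejected.
    no_card = hmac.new(b"not-the-card-key", host.challenge(card.uid), hashlib.sha256).digest()
    pin_only = host.verify(card.uid, no_card, "4821")
    # A previously valid response cannot be reused: its challenge was consumed.
    c = host.challenge(card.uid); r = card.respond(c)
    host.verify(card.uid, r, "4821")
    replay = host.verify(card.uid, r, "4821")
    return ok, pin_only, replay
```

Real contactless credentials add mutual authentication and a secure element on the card; the model above only isolates why an intercepted PIN, on its own, gets an attacker nowhere.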
In the wake of high-profile breaches like the Change Healthcare attack, the industry can expect to see greater emphasis on cybersecurity, including user authentication. Phishing-resistant MFA can help healthcare organizations minimize their cyber risks and exposures now and prepare for changing data security requirements in the future.
Transitioning to RFID-based MFA is likely simpler than you think. Many healthcare organizations already have the necessary infrastructure in place, making it a straightforward upgrade to enhance your cybersecurity posture. This investment in data security is crucial for protecting your organization from potential breaches and ensuring compliance with healthcare data privacy regulations.
About Mike Harris
Mike Harris serves as the senior manager of business development for ELATEC Inc. in Palm City, Florida. In his position, Mike is responsible for connecting ELATEC market needs and its internal teams, including Product Development, Engineering, and Sales. He has a Master of Science in Physics from Southern Methodist University and held global product management positions at Elo Touch Solutions and Ocular LCD Inc. before joining ELATEC.