A Portal to Danger

It’s safe to say that healthcare changed forever. While many hospitals and healthcare facilities had previously been distant to overhaul their telehealth services, the need for locked-down health facilities quickly shifted priorities. Patient portals rapidly became more common as they serve as a way for patients to communicate with providers, receive health advice, and access their treatment-related documents while reducing the risks of exposure.

But as Mike Wilson points out for Forbes, there is a dangerous undercurrent running beneath many of the new healthcare-related technologies: cybercrime. Over the past decade, threat actors of many types have identified the healthcare industry as a treasure trove of valuable data, including personally identifiable information (PII). In 2020, ransomware attacks cost the industry over $20 billion just in downtime.

How did this happen so dramatically, and so quickly? The answer may be found in the now-numerous patient portals.

When the chaos of the pandemic spun healthcare facilities into overdrive, patient portals became a way to address the ongoing need for contactless communication—but because the adoption of systems was so fast, security was often an afterthought. With data being exchanged through personal devices and health networks, and the lack of security present in the new patient portal systems, threat actors latched on to the many vulnerabilities.

In many cases, attacks were easy because of the well-meaning design of the patient portals. Due to the desire to make access straightforward and friction-free for patients, the portals are most often only secured by a password, which as many industry experts will know is a vulnerability. When people use weak or compromised passwords, the system becomes a prime target for threat actors.

One of the most common techniques used is credential stuffing, where bots are programmed to use previously stolen credentials to try to access the system. The goal of these attacks is to harvest information—including more credentials, PII, financial records, and International Mobile Equipment Identity (IMEI) numbers, just to name a few. Often threat actors will use a software technique called data scraping to facilitate their theft.

Many pieces of stolen information can have massive chain reactions. For example, now that threat actors are harvesting IMEI numbers—which are linked to a specific user’s phone—this can result in the attacker gaining access to two-factor authentication methods. In these SIM-swapping attacks, the threat actors will be able to intercept one-time codes sent to the user’s device, meaning they can dive even deeper into their other accounts.

It’s clear that for everyone’s safety, from patients to providers, we need to revamp the security around telehealth and patient portals. Here are five steps to help defend against cyberattacks.

• Enforce Multifactor Authentication (MFA)
  Multifactor authentication (MFA) has been shown to reduce the number of successful attacks, but it also has a reputation for causing user friction. The percentage of users who will choose to employ MFA, even if they know it increases their security, is quite low. It’s time for healthcare providers to start adding layers of security, in addition to passwords, and making it mandatory for access to patient data across all systems. Sensitive data, like medication and treatment history, should require more than one password to access.

• Screen for compromised credentials
  When it comes to passwords, there are a few techniques cybersecurity analysts encourage to increase security, and a good starting place is the NIST guidelines. One of the most effective ways of increasing password security is to screen for compromised credentials. To be the most efficient, passwords—both new and in use—need to be screened against an ever-evolving database of compromised credentials. If a healthcare organization could eliminate the ability of bad actors to use previously stolen or easily guessed passwords, this would positively impact their overall security. With Enzoic, the screening process can be seamless for both IT teams monitoring work as well as for the front-end users, like patients. 

• Login monitoring
  Login monitoring refers to the process of automated and real-time recording of where and when login attempts happen. This tactic allows the system to track which device is being used and if it’s a recognized device for the associated patient. With device intelligence, the system can determine if the device in question is associated with previous attacks, or if it’s been used to access the details of any other patient accounts. If there is any suspicious activity—like an unrecognized device—the system can then require additional authentication.

• Shutdown after login attempt limit
  In a similar vein, unlimited attempts to log in to the same account should not be allowed. This is already more common than some of the other suggestions but is still a crucial security step. If a threat actor is trying to access an account that isn’t theirs, they will be deterred at least in part if there is a lockout limit. Shutting these attempts down for a period of time is a common way to guard against this.

• Implement CAPTCHA
  Lastly, though it may seem simple, requiring a CAPTCHA for riskier login attempts can be an excellent way of deterring bots from credential stuffing attacks. There are solutions available that, if there are multiple failed login attempts from the same IP address, will prompt the user to enter a CAPTCHA. This would be a useful process across all login forms.

Healthcare providers want their patients to be safe and healthy. But part of being safe and healthy is making sure that personal information is kept secure, and healthcare organizations are responsible for doing so. With e-health and patient portals becoming more ubiquitous, we must tackle the security vulnerabilities now. As healthcare providers will know, prevention is a better strategy than late treatment.