Block Medical Identity Thieves with Cyber Hygiene

Cybersecurity attacks increased in number and sophistication in 2017. But the Online Trust Alliance (OTA), a global nonprofit dedicated to promoting online innovation and trust, found that 93% of breaches through Q3 could have been prevented. Only 52% of those breaches were caused by actual hacks. Internal issues that resulted in accidental or malicious events instigated by employees accounted for another 11%.

This is good news for healthcare organizations charged with protecting large quantities of personal health information (PHI) attracting data thieves.

Medical identity theft brings more than standard identity theft horrors. It allows criminals to pose as patients, securing prescription drugs or even medical treatment.

Victims of medical identity theft can even find themselves paying the thieves’ deductibles. An Accenture study found half of U.S. victims were stuck with an average of $2,500 in out-of-pocket costs after an attack. Plus they have to clean up a medical history that can lead to serious treatment errors.

That kind of patient experience can send a customer doctor shopping. A 2018 PwC report noted that 26% of consumers would change doctors, hospitals, insurers, or medical organizations after a hack.

"26% of consumers said they would change healthcare providers after a hack. Cyberattacks may be rising, but 93% of hacks are preventable. Auth0 offers concrete ways to keep your patients safe."

"Healthcare organizations are just starting to realize that cybersecurity is not a cost center,” says Auth0 CISO Joan Pepin, speaking from more than twenty years experience handling cybersecurity, “It's actually adding value by placing the focus on the well-being of their end customers."

"Healthcare organizations are just starting to realize that cybersecurity is adding value by placing the focus on the well-being of their end customers. —Auth0 CISO Joan Pepin"

And 2018 is already laying out challenges and consequences. Half of Norway’s entire population — 3 million people — was already exposed in a professional healthcare hack in January. Although swift by current standards, breach notification fell well outside GDPR’s 72-hour requirement. After May, that lag will mean stiff fines.

Even outside the EU, breaches can have expensive consequences. Last year U.S. health insurer Anthem paid a $115 million settlement on over 100 consolidated lawsuits due to a 2015 cyber attack.

Healthcare cybersecurity

Creating Your Cyber Hygiene Protocol

There is no such thing as a 100% vaccination against cyber attacks, but there are several steps you can take to protect your patients and your organization.

Pepin often mentions the protective strength of regular cyber hygiene. Like asking healthcare professionals and visitors to scrub in before visiting intensive care units, regularly following a set of logical protocols and actions can reduce cyber-attack risk.

1. Backup and Patch

Backups, regular patching, and third-party risk assessments can provide insights into areas in need of attention.

2. Instill Screen Locking

For situations where patients could access monitors, its best for healthcare professionals to follow the practice of locking the screen whenever they need to leave the room.

3. Retire Unsupported Devices and Applications

Making the argument to retire an older device can be challenging, especially when the device appears fully functional, but a device that runs on software that’s no longer updated leaves your entire network open to attack.

Unsupported applications and operating systems offer similar points of entry for hackers. Part of good cyber hygiene is putting together an end-of-life plan for these devices and applications.

4. Educate Your Staff In Social Engineering

Educating staff to recognize increasingly sophisticated spoofing, spear-phishing, and malware attempts can help stave off ransomware attacks and their potential economic impacts. The FBI rates Business-Email Compromise (BEC) attacks as a “serious threat on a global scale.” Since 2015, the FBI’s Internet Complaint Center (IC3) has seen a 1,300% increase in identified exposed losses totalling more than $3 billion.

Pepin points out the need for regular maintenance and backups so you have the option of rebuildingand restoring rather than suffering a cessation of services in the case of a ransomware attack — and it means you retain access to your data. As one in three Australian companies surveyed by Telestra in 2017 discovered, paying the ransom doesn’t automatically get it back.

5. IoHT Devices: Inventory, Authorize, and Authenticate

Thousands of internet of health things (IoHT) devices are already in use in the form of patient monitors, imaging and x-ray devices.

Part of the draw is a large ROI. According to Aruba’s 2017 State of IoT study, healthcare organizations expect to a see a 40% ROI on the devices, despite the fact that 89% say they’ve already experienced a breach because of an IoT device.

But that ROI could be at risk. Reported medical device cybersecurity vulnerabilities in the U.S. climbed by 525% in 2017 according to PwC. Increasing vulnerabilities combined with heavy adoption rates has IDC expecting the world’s first USD $100 million lawsuit as the result of a cyber security attack on a medical device by 2021. Given regulatory trends like GDPR that lay responsibility for third-party vendor compliance at the feet of hiring organizations, the device manufacturer wouldn’t be the only one facing fines and possible lawsuits.

In an effort to reduce vulnerabilities, regulatory organizations like the FDA and ENISA are offering guidelines, hoping to increase interoperability, but the truth is that decreasing manufacturing costs have already lead to a proliferation of IoHT devices running on different protocols. It’s not unlikely that a single hospital must manage hundreds of varying protocols from its IoHT devices.

Inventorying devices in use makes it easier to recognize what to keep and what to retire, especially since most older IoHT devices lack the ability to be patched.

According to Component’s healthcare forecast, the IoHT global market is expected to grow from $41.22 billion to $158.07 billion by 2022, which means more devices will come online. Getting a handle on what you have in place and understanding security vulnerabilities now will save on headaches later. Auth0 offers secure IoHT authentication and authorization protocols that can further secure vulnerable PHI and protect the rest of your system.

6. Eliminate System Siloes with a 360 Degree Patient View

Siloed systems provide hackers with multiple points of entry and make it harder to manage cyber-hygiene updates. Consolidating databases also makes it easier to identify care gaps and limit avoidable care errors. Auth0’s consolidated patient view means you can quickly authenticate and authorize patient access, understand if your patient is interacting with IoHT devices, and take advantage of API security — all of which reduces user friction, improving your patient’s overall experience and reducing risk.

7. Step-Up Authentication

One of your best deterrents is making sure your patients are who they say they are. Authenticating identity often happens only at login. Auth0 gives you the opportunity to add step-up authentication at any time during the patient journey. For example, if your patient normally logs in from his or her home address, but suddenly logs in from a different country, the patient might be traveling. Or they might be a hacker. Activating Auth0’s step-up authentication allows you to push out a request for additional information to a sanctioned device, like your patient’s phone. In a well-designed flow, this is handled easily, without disrupting your patient’s journey, ensuring the security of your patient and your system.

8. Perform Reasonable Triage

Despite the real threats, you can’t do all of these things at once. Identifying your areas of greatest risk can help you recognize which tasks to handle in-house and which are best handled by a trusted-third party vendor.

Cybersecurity can be easy to get wrong. In 2017, Molina Healthcare, a major Medicaid and Affordable Care Act provider, was forced to shut down its patient portal after discovering a “security 101” flaw, impacting 4.8 million patients.

If cyber-security is not your IT team’s area of expertise, it could be time to hire expert help. Auth0 authenticates and secures more than 50 million logins each day for customers in 70+ countries. Sophisticated data encryption algorithms are best left in the hands of those who regularly beat hackers and assume responsibility for upgrades and maintenance.

Find Out How Auth0 Can Help Healthcare Organizations

Auth0 is trusted by healthcare organizations like Healthgrades, Clinica Alemana, Green Cross Health, IntegraMed, the Seattle Cancer Care Alliance and more. If you’d like to learn more about how Auth0 can help you securely put your patients at the center of their healthcare experience, reach out to