07-25-13 | Blog Post
The healthcare field has become a target for cyber-criminals because of the wide array of sensitive data it protects. Organizations looking to protect that data should first turn to two-factor authentication, Duo Security Regional Director Zoe Lindsey said in a recent Online Tech-sponsored webinar.
“It’s the simplest and most cost-effective measure you can take to prevent attacker access before it happens,” Lindsey said in her 30-minute presentation, Achieving Cost-Effective, Scalable and Secure PHI Access Without Workflow Disruption.
Lindsey was joined on the webinar by Online Tech Director of Healthcare Vertical April Sage, who noted that the leader in secure, compliant hosting services uses Duo products in-house and that a vast majority of its healthcare clients use Duo for secure VPN (Virtual Private Network) connections to their servers, as well.
“We don’t receive remuneration, but we sure do recommend that anyone that needs to mitigate password and protect PHI uses some form of two-factor authentication,” Sage said. “And we know that the simplicity of setup we see with Duo is far and beyond anything else we’ve seen.”
Lindsey started her presentation by stressing the importance of a strong first line of defense when you’re talking about protecting protected health information (PHI).
“There really is no such thing as a data breach that, at some level, does not involve stolen credentials,” she said. “Whether it’s stealing an active session on a user system, stealing a username and password, stealing a cookie for logging in, etc. One way or another, a breach is going to occur after a hacker has obtained a user’s credentials.
“And the truth is, there is no better protection from that type of compromise than two-factor authentication.”
While healthcare organizations strive to remain HIPAA compliant, Lindsey pointed out that the fees associated with failure to comply with those regulations are not even the biggest financial risk facing the industry.
In 2011, she said, there was $30.9 billion in losses as a result of medical identity theft.
“It’s a one-stop shop for attackers,” she said, adding that within PHI records hackers can gain access to social security numbers, credit card information from prior payments, information on family and emergency contacts that can be used for identity theft and more sensitive data. “It doesn’t take very many of those records to be exposed before the cost of the attack is less than the benefit they would gain by getting access to that information.”
Lindsey said barriers for two-factor authentication “made it a tough pill to swallow in the past.” Challenges included a complex user enrollment and user management; a complex deployment and administration; a terrible end-user experience, a lack of second-factor authentication options and a high cost.
She claims in her 30-minute presentation that Duo Security, the first company to bring a two-factor authentication solution using smartphones and tablets to market, mitigates each those challenges. The service is easy to deploy and is easily scalable, is easy to manage (users enroll themselves) and easy to use (smartphones hold the authentication key).
When Twitter was getting Duo deployed, it took their administrators 50 minutes to get the service set up and deployed in their production environment. All of its users were able to self-enroll within 48 hours with no further administrator access.
“Duo’s mission is to solve the biggest problems in security today: Prevent account takeover and online fraud before it happens,” Lindsey said. “We’re not a company that moved into information security. We’re a company with deep roots in information security that saw an opportunity to raise the bar for security in the market.”
Click here to watch a replay of the webinar or to access the slides from the presentation.
Keeping data stored in a HIPAA compliant data center with an audited HIPAA hosting provider monitoring and maintaining the facility can help prevent data breaches targeted at stored/archived data.
Read our HIPAA Compliant Hosting white paper as it explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
Sign up for our upcoming webinar, How to Achieve Maximum ROI and Patient Satisfaction via EMR, next Tuesday at 2PM ET, July 30. Join Sandy Vosk and Steven Caruso of ImageDoc USA for guidance on EMR implementation, intended to improve profitability and efficiency while reducing your risks before, during and after software adoption & implementation.