The pressing need for healthcare cybersecurity standards and advancement to passwordless authentication

We’re digging into the importance of establishing minimum healthcare cybersecurity standards, as well as how advancing to passwordless authentication benefits security and user efficiency.

Healthcare has always been a part of Imprivata’s DNA. And that’s why our deep passion for helping our customers in healthcare is such a palpable force and agent for collaboration. Sharing what we know with you and finding new ways to advance together is an important part of that.

Over the last few months, we’ve focused our Imprivata Live series on cybersecurity standards and passwordless authentication. We’ll be diving into two discussions — both hosted by Fran Rosch, CEO — featuring Dr. Sean Kelly, Chief Medical Officer and practicing ER doctor, and Joel Burleson-Davis, SVP of Engineering, Cyber.

If you missed the conversations when they were live (or just want to be reminded of what you heard), here are some recaps of the two sessions.

A call for healthcare cybersecurity standards

Healthcare cybersecurity challenges chiefly revolve around three fundamental — and disconcerting — realities:

  1. Patient information remains a highly coveted target for cybercriminals
  2. The tools and techniques leveraged by attackers have continued to evolve at an alarming rate
  3. Handcuffed by budget and resource constraints, many healthcare organizations lack adequate controls to combat these advanced tactics

The impacts of this threat landscape are far-reaching, affecting patient safety, providers’ ability to deliver care, and healthcare organizations’ sustainability.

The remedy to bolster healthcare cybersecurity calls for a well-coordinated effort between healthcare providers, policymakers, and software vendors. That initiative needs to center on the creation of legislative mandates for minimum security standards supported by compliance incentive funding. And the approach must be realistic, especially for healthcare organizations with fewer dollars to invest in tech.

What does that look like? It starts with crucial basics, including sufficient recovery and backup systems, plus dedicated use of multifactor authentication. And, it should include a solution to manage third-party vendor access risks, which are often underestimated but have disrupted over half of all organizations. Solutions should also meet security and access needs. As Dr. Kelly emphasized, “Effective cybersecurity solutions must simultaneously offer robust security, ease of use, and efficient workflows, so they don’t become onerous for providers.”

This was an incredibly insightful discussion, so if you missed it, please go check it out.

Advancing to passwordless

Because of their privileged systems and the highly sensitive data they hold, healthcare organizations are a big security target, and the number one breach vector is passwords. In today’s complex, fractured healthcare tech stack, moving away from a password-driven access environment brings transformative benefits including stronger security, enhanced clinical workflows, and improved operational efficiencies. From a security standpoint, passwordless means there are no credentials to be stolen. It also means eliminating clinician access friction resulting from repeatedly entering 16-character passwords some 80 times per shift, which leads to risky workarounds including sharing credentials and scribbling them on sticky notes.

An example of these password challenges is highlighted in the recent experience of a large Midwest health system. Driven by its complex access procedures, the organization wrestled with security risks including generic logins and shared passwords. Those issues also brought delays and inefficiencies in patient care, plus patient anxiety resulting from system failures. With the help of Imprivata Enterprise Access Management (formerly Imprivata OneSign®), the organization advanced from an unwieldy, high-risk, operationally inefficient environment to a significantly streamlined, more secure approach. In addition to single sign-on and multifactor authentication capabilities that help ensure simple, secure access, many organizations are enabling convenient, flexible approaches including facial biometrics, while also leveraging FIDO passkeys and cryptographic keys.

Getting to passwordless starts by determining where you currently stand and what your priorities are, based on the opportunity for the greatest benefits, as well as budget and resource considerations. The Imprivata passwordless maturity model provides a framework to help assess your current status, ranging from a fully password-driven environment to one where passwords are removed from all systems. As Joel Burleson-Davis noted during the LinkedIn Live discussion, “While it may seem daunting, it’s important to keep in mind that getting to passwordless is a journey that takes time and patience. But you can get there — and now’s a great time to start on your path.”

There really hasn’t been a better time to start figuring out what passwordless means for you. If you missed the discussion, check it out here. You can also check out our whitepaper, “The journey to passwordless for healthcare.”