The State of Trusted Access in Healthcare
Healthcare organizations face a dilemma: their work inherently relies on speed and efficiency to ensure patients are cared for, yet they deal in volumes of confidential data and must comply with a host of data regulations to ensure that data is protected.
The challenge arises when introducing security solutions to ensure the people accessing that sensitive data are who they say they are and are accessing it from a device that is up-to-date, healthy and secure. And all of this must be done with minimal friction and without interrupting or impeding physician and practitioner workflows – any disruption could affect patient care.
As one security director for an enterprise healthcare network said: “Our care providers are taking care of people, which should be front and center, they shouldn’t be burdened by security solutions that impede their ability to do their job.”
Meanwhile, healthcare organizations want to provide their staff with the access they need while reducing the risk of stolen credentials and patient information and other sensitive data.
Take, for example, one enterprise healthcare system. While looking for a solution to secure patient data while enabling flexible, anywhere access from any device, this organization discovered roughly 30,000 more mobile devices than they had previously thought were accessing their environment. These 30,000 devices, which comprised more than half of its entire device fleet, had been accessing applications containing patient data and were going largely unchecked. This discovery, and insight into those 30,000 once-unchecked devices, immediately improved the healthcare organization’s security posture.
While this is just one example, it’s a common symptom across an industry that by its nature – handling mountains of confidential and sensitive data – needs control over who can access what, when and how. And with health records fetching an estimated eight to 10 times the price of a credit card on the black market and 91 percent of healthcare organizations reporting at least one data breach in the last two years, protecting that data is imperative.
The current state of trusted access in healthcare is both good and bad – good in that healthcare organizations that use Duo are implementing security and access policies at a rate higher than other industries; bad in that they lag behind in terms of device-level security.
Here, we’ll take a look at the state of trusted access in healthcare and how it compares to other industries.
Policy Enforcement Rising
The good news is that across Duo’s customer base, healthcare is beating out other industries in its use and enforcement of strong secure access policies. Based on authentication data from the 12-month period between December 2017 and November 2018, healthcare customers set stricter access policies, such as requiring encryption.
For example, for access from anonymous IP addresses, 18.3 percent of healthcare customers deny access, where only 8 percent across all industries deny access from anonymous IP addresses. Meanwhile, 11.4 percent of healthcare customers require 2FA from anonymous IP addresses while only 8 percent across all industries require it.
Meanwhile, 10.6 percent of healthcare customers require encryption compared to 6.3 percent of all industries; and 26.4 percent require a device lock to be on, compared to 18.6 percent across all industries.
And when it comes to rooted devices – devices on which users hold root access privileges – 38 percent of healthcare customers have a policy disallowing rooted devices, while 23.5 percent of customers across all industries leverage that policy.
Device-Level Security Lackluster
Where healthcare companies excel at leveraging and enforcing strong access policies when compared to other industries, their use of device-level security paints a less rosy picture, our data found.
In healthcare, failed authentications occur with more frequency than the average rate across all industries.
For example, authentications fail in healthcare due to devices not having disk encryption more than 10 times as often as the average across the other industries.
Authentication attempts fail more often in healthcare based on myriad other reasons, including:
- The use of a restricted platform (4.30 times as often)
- Attempting to authenticate from an anonymous IP (3.83 times as often)
- Attempted access by an unenrolled user (2.29 times as often)
- The use of an invalid device (2.09 times as often)
- Lack of a screen lock (1.88 times as often)
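To make the policy categories and failure reasons above concrete, here is an added example (not Duo’s code or its policy engine) of how a trusted-access broker evaluates device posture against an access policy and tallies why authentications fail. The attribute names, decision labels and reason strings are assumptions chosen for illustration, and the sample fleet is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: device posture as a trusted-access broker would see it.
@dataclass(frozen=True)
class DevicePosture:
    platform: str
    enrolled_user: bool
    anonymous_ip: bool
    rooted: bool
    disk_encrypted: bool
    screen_lock: bool

# Policy knobs mirroring the categories discussed above (field names are assumptions).
@dataclass(frozen=True)
class AccessPolicy:
    anonymous_ip: str = "allow"                  # "allow", "require_2fa" or "deny"
    block_rooted: bool = False
    require_encryption: bool = False
    require_screen_lock: bool = False
    allowed_platforms: frozenset = frozenset()   # empty set means any platform

def evaluate(policy: AccessPolicy, posture: DevicePosture) -> Tuple[str, Optional[str]]:
    """Return (decision, failure_reason); hard denials are checked before the 2FA step-up."""
    if not posture.enrolled_user:
        return "deny", "unenrolled_user"
    if posture.anonymous_ip and policy.anonymous_ip == "deny":
        return "deny", "anonymous_ip"
    if policy.allowed_platforms and posture.platform not in policy.allowed_platforms:
        return "deny", "restricted_platform"
    if policy.block_rooted and posture.rooted:
        return "deny", "rooted_device"
    if policy.require_encryption and not posture.disk_encrypted:
        return "deny", "no_disk_encryption"
    if policy.require_screen_lock and not posture.screen_lock:
        return "deny", "no_screen_lock"
    if posture.anonymous_ip and policy.anonymous_ip == "require_2fa":
        return "require_2fa", "anonymous_ip"
    return "allow", None

# A lax policy beside the stricter kind healthcare customers tend to set.
PERMISSIVE = AccessPolicy()
STRICT = AccessPolicy(anonymous_ip="deny", block_rooted=True, require_encryption=True,
                      require_screen_lock=True, allowed_platforms=frozenset({"ios", "android"}))

def failure_breakdown(policy: AccessPolicy, fleet: List[DevicePosture]) -> Counter:
    """Tally why authentications fail: the per-reason view behind the ratios reported above."""
    return Counter(reason for d in fleet
                   for decision, reason in [evaluate(policy, d)] if decision == "deny")
```

Running `failure_breakdown(STRICT, fleet)` over a fleet of postures yields counts per reason (for example `no_disk_encryption`), which is the kind of per-category failure rate the comparison above is built from.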
This data shows that healthcare is making strides in ensuring trusted and secure access, with stronger enforcement of policies across their user bases, but that there is room for improvement when it comes to device-level security, as evidenced by above-average failed authentications in many major categories.