
Cyberattacks Are Targeting Healthcare Organizations. Federated Identity Can Keep Patient Data Safe.

Cyberattacks on healthcare organizations are increasing, putting millions of Americans' personal health data at risk. From 2018 to 2023, healthcare organizations reported a 100% increase in large data breaches, and the number of individuals affected by those breaches rose by over 1000%.

Driving this trend is a surge in hacking and ransomware attacks. Ransomware is malware that encrypts or locks an organization's systems and data until a ransom is paid. A ransomware attack on Ascension Health in May 2024 compromised the data of nearly 5.6 million individuals, making it one of the largest healthcare breaches of 2024, and it took Ascension Health about six weeks to restore normal operations.

Legacy identity verification and authentication methods are no longer adequate. CISA has advised people to stop using SMS as a second factor for online accounts: one-time codes sent by SMS travel unencrypted through carrier networks, and after last year's major telecom breaches, attackers who have compromised those networks can read the codes in transit and use them to reach sensitive patient data. According to federal regulators, many healthcare organizations underinvest in cybersecurity, and some HIPAA-covered entities fail to follow the existing Security Rule.

The Department of Health and Human Services (HHS) has responded to these challenges by proposing the first update to the HIPAA Security Rule in over a decade. A key element of the proposal is a requirement for multi-factor authentication (MFA), in which users prove their identity with more than one type of factor, such as a password combined with a hardware token or an authenticator app, before gaining access. The proposal follows last year's massive Change Healthcare breach, in which attackers used stolen login credentials to reach sensitive personal data because MFA was not enabled on the compromised system. HHS' proposal is a good step toward protecting Americans from attacks like these.

However, to fully secure patient data and optimize operational efficiency, healthcare organizations cannot depend on MFA alone. 

Instead, they should adopt federated identity systems, in which MFA is one part of a broader solution. Federated identity systems link an individual's digital identity, authentication, and personal attributes across multiple websites and identity management systems, usually together with single sign-on (SSO): one identity provider authenticates the user and asserts the result to each application that relies on it. Individuals already use federated login whenever they click "Login with Google" or "Login with Facebook" to create an account or sign in. However, those social logins prove control of an account, not a verified real-world identity.

Here's why federated identity systems are more effective than MFA alone in combating cyberattacks:

  • Scaling Security Across Platforms: The average user today manages 90 unique online accounts. Federated identity systems provide a unified and secure method for managing user identities across multiple platforms. By enabling SSO, they replace the separate passwords and disconnected login flows that each application would otherwise maintain, which reduces password reuse and the number of login surfaces that must be defended, and they let users reach various healthcare services with one set of credentials, improving both efficiency and satisfaction. The trade-off is that the identity provider becomes the single point of compromise, so it must itself be protected with phishing-resistant MFA and monitored closely.
  • Addressing the Limitations of Component Identity: A legacy identity solution is one component that an organization purchases and manages but must then integrate with multiple other systems during login and authentication. The proposed HIPAA updates include requirements for stronger identity verification and access controls. Federated identity providers offer identity as a service: they support compliance with these evolving standards, support end users directly, and monitor fraud across large networks, which makes them a more reliable and scalable option.
  • Reducing Costs and Complexity: Federated identity simplifies administration by centralizing identity management. This reduces the resource-intensive burden of maintaining multiple authentication systems, freeing healthcare organizations to focus on other critical priorities, such as patient care.
  • Enhancing Incident Response: A centralized identity framework improves breach detection and response. Because every sign-in passes through the identity provider, authentication logs are collected in one place, anomalous logins can be correlated across applications, and a compromised account can be disabled or its sessions revoked once rather than in each system, minimizing the damage from a breach.
  • Future-Proofing Against Emerging Threats: As cyber threats evolve, federated identity systems are designed to adapt. New authenticator types and policies are added once at the identity provider and take effect for every connected application, letting healthcare organizations stay resilient against new security challenges.
  • Ensuring Regulatory Compliance: NIST SP 800-63-3, the US federal standard for digital identity, defines identity assurance levels (IAL) for how thoroughly an identity is proofed and authenticator assurance levels (AAL) for how strong the authentication is, offering an approved approach to safeguarding patient data while meeting evolving regulations such as HHS' proposed HIPAA updates. Federated identity providers that are Kantara-certified at IAL2/AAL2 offer independently assessed conformance to those levels, enhancing operational efficiency and supporting healthcare organizations in meeting evolving industry standards.
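The following example shows what the federated model described above means in code on the receiving side: a healthcare application (the relying party) accepts a signed assertion from an identity provider, verifies it, and then checks the assertion's authentication and identity-assurance claims before admitting the user, which is the point where "MFA is one part of a broader solution" and "social logins are not linked to a verified identity" become concrete. It is an added example written for this article, not code from any identity provider or from the article's author. It assumes an OpenID Connect style ID token signed with HS256 using the client secret (most providers use RS256 with published keys instead; the checks are the same), uses the amr values from RFC 8176, and treats the acr URIs, issuer, audience, and secret as hypothetical. The sample tokens are constructed inline. As a policy choice matching the CISA advice quoted earlier, SMS codes do not count toward the second factor.

```python
"""Relying-party checks on a federated (OpenID Connect style) ID token.

Added example, stdlib only. HS256 with the client secret stands in for
the RS256/JWKS flow; acr URIs and policy thresholds are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed relying-party configuration (hypothetical values).
EXPECTED_ISSUER = "https://idp.example-health.org"
EXPECTED_AUDIENCE = "patient-portal"
CLIENT_SECRET = b"example-client-secret-not-for-production"

# Assumed IdP-specific acr value signalling NIST 800-63-3 IAL2 proofing.
IAL2_ACR = "http://idmanagement.gov/ns/assurance/ial/2"

# RFC 8176 amr values grouped by NIST 800-63B factor category.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sc", "sms", "tel"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}
# Policy: PSTN-delivered codes (RESTRICTED in 800-63B, and the factor CISA
# advised users to drop) are excluded from the possession category.
WEAK_POSSESSION = {"sms", "tel"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret):
    """Stand-in for the identity provider: sign a compact JWS with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, secret, now=None):
    """Check algorithm, signature, issuer, audience and lifetime; return claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def assurance_gaps(claims):
    """Reasons a cryptographically valid assertion still fails the RP's policy."""
    gaps = []
    amr = set(claims.get("amr", []))
    strong_possession = POSSESSION - WEAK_POSSESSION
    categories = sum(1 for cat in (KNOWLEDGE, strong_possession, INHERENCE) if amr & cat)
    if categories < 2:
        gaps.append("AAL2: fewer than two acceptable factor categories")
    if claims.get("acr") != IAL2_ACR:
        gaps.append("IAL2: identity not proofed by the IdP")
    return gaps


def admit(token, secret=CLIENT_SECRET, now=None):
    """Full decision: cryptographic validity first, then assurance policy."""
    try:
        claims = verify_id_token(token, secret, now)
    except ValueError as exc:
        return False, [str(exc)]
    gaps = assurance_gaps(claims)
    return not gaps, gaps


# Constructed sample assertions (not real identity-provider output).
NOW = 1_700_000_000
BASE = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "patient-42",
        "iat": NOW, "exp": NOW + 300}
SOCIAL_LOGIN = mint_id_token({**BASE, "amr": ["pwd"]}, CLIENT_SECRET)
SMS_MFA = mint_id_token({**BASE, "amr": ["pwd", "sms"], "acr": IAL2_ACR}, CLIENT_SECRET)
HARDWARE_MFA = mint_id_token({**BASE, "amr": ["pwd", "hwk"], "acr": IAL2_ACR}, CLIENT_SECRET)
# Attacker-side constructions: an unsigned alg=none token and a payload swap.
UNSIGNED_FORGERY = (_b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
                    + "." + HARDWARE_MFA.split(".")[1] + ".")
TAMPERED = ".".join([SOCIAL_LOGIN.split(".")[0], HARDWARE_MFA.split(".")[1], SOCIAL_LOGIN.split(".")[2]])

if __name__ == "__main__":
    for name, tok in [("social", SOCIAL_LOGIN), ("sms", SMS_MFA), ("hardware", HARDWARE_MFA),
                      ("unsigned", UNSIGNED_FORGERY), ("tampered", TAMPERED)]:
        print(f"{name:9} -> {admit(tok, now=NOW)}")
```

Running the script admits only the hardware-key session: the social login fails both the AAL2 and IAL2 checks, the SMS session fails AAL2 under the stated policy, and the forged and tampered tokens never reach the policy stage because the algorithm is pinned and the signature is checked first. The ordering matters in practice: MFA and identity-proofing claims are only as trustworthy as the signature that binds them to the issuer.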

The proposed updates to the HIPAA Security Rule mark a turning point for healthcare cybersecurity and interoperability – but healthcare organizations need to go one step further to keep Americans’ data safe. Adopting federated identity solutions will help ensure that sensitive patient information stays secure, even as cyber threats evolve.