How to secure healthcare’s connected devices

The Internet of Things (IoT) has transformed healthcare. 

Hospitals and clinics rely on a wide range of connected devices on a daily basis, from patient monitors and wearable sensors to imaging systems and smart diagnostic equipment.

However, as the industry continues to innovate, growing cybersecurity challenges also arise.

Niall McConachie, regional director (UK & Ireland) at Yubico, explores the security impacts of an increasingly connected technological ecosystem and the risks of legacy authentication methods in keeping businesses secure from increasingly sophisticated threats like AI-driven phishing.

Healthcare institutions use countless connected devices. However, many of these devices are improperly secured, relying on outdated authentication methods like passwords.

What are the main security risks linked with relying on these security practices?

The risks are substantial. In fact, a report published earlier this year found that over a million medical devices connected to the internet were exposed online.

The core of this problem is a dangerous overreliance on outdated authentication methods ill-equipped for the modern threat landscape, such as passwords and one-time passwords (OTPs).

The use of passwords – the most basic and least secure form of authentication – to secure connected medical systems leaves an open backdoor for cybercriminals to access and steal confidential medical records.

This reliance is frighteningly prevalent; a recent survey revealed that 62 per cent of organisations still rely primarily on username and password credentials, despite the overwhelming evidence of the vulnerabilities associated with this outdated technology.

Furthermore, many critical devices continue to use weak, factory-set passwords – a vulnerability that persists even after UK regulations were introduced to ban them.

This indicates a clear and worrying disconnect between security policies created to make IoT devices more secure and the operational choices of most device manufacturers.

Many hospitals and clinics enforce strong password policies and use multi-factor authentication (MFA). Isn’t that enough to keep patient data safe?

While these are a starting point for good cyber hygiene practices, they are no longer a sufficient defence against phishing attacks, which often result in patient data vulnerabilities.

Cyber criminals increasingly use artificial intelligence (AI) to craft targeted phishing emails that mimic communication and are almost indistinguishable from legitimate emails.

[Photo: Niall McConachie]

When staff are tricked into revealing their login details, even the strongest or most unique passwords offer no protection for healthcare IT systems, as AI-enhanced social engineering can bypass them entirely.

Once an attacker has a password, they can often circumvent traditional MFA methods like one-time passwords (OTPs).

Considering that a staggering 81 per cent of hacking-related breaches are linked to weak or reused credentials, it’s evident that a security strategy that is solely built on better password habits is a failing one.

If passwords and even some types of MFA are no longer adequate, how can healthcare institutions truly protect themselves?

The clear successor to the password is the passkey, which is now the gold standard for secure, modern authentication in a digital world.

This shift is gaining momentum globally and is being embraced across industries, including in healthcare and the public sector.

For example, the UK Government is already in the process of adopting passkeys for its digital services, citing the superior security and protection they provide.

In its most secure form, a passkey is device-bound – it is not a secret that staff must remember (like a password), but a physical token they possess – such as a hardware security key.

The passkey is stored on the physical device and is resistant to phishing because it cannot be intercepted or stolen by remote attackers.

Instead of users entering characters that can be forgotten or phished, authentication depends on three elements: something the user has (the physical key), something they know (a PIN), and an action to verify their identity (a physical touch of the key).

How would a device-bound passkey work in a real-world clinical setting to prevent a cyberattack?

A device-bound passkey, like a physical security key, provides a powerful and practical line of defence against common social engineering attacks like phishing.

With a phishing attack taking place every 11 seconds, the threat to healthcare institutions is very real.

If a healthcare worker is tricked by one of these phishing attempts and clicks a link to a fraudulent login page, the physical hardware security key will prevent a security breach.

This is because when the user attempts to log in, the physical key will not authenticate the attempt because it is programmed to work only on verified and legitimate sites.

The login fails, which stops the phishing attempt in its tracks before any credentials or patient data can be compromised.

This simple but strong authentication process is highly user-friendly and, most importantly, can be the make-or-break factor between suffering a data breach and remaining protected.
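The origin binding described in the two answers above (the key is bound to one site and will not authenticate on a look-alike phishing page) is what WebAuthn calls the relying party ID check. The following is an added example, not code from the article or from Yubico: it models the browser-side scoping rule, the authenticator's assertion, and the relying party's verification of the returned clientDataJSON and rpIdHash. The domains, credential secret and challenge are constructed, and an HMAC stands in for the real per-site public-key signature (e.g. ES256) so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values: hypothetical hospital portal, not a real host.
RP_ID = "hospital.example"                       # credential is scoped to this RP ID
ALLOWED_ORIGINS = {"https://portal.hospital.example"}

def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side WebAuthn scoping: the RP ID must equal the origin's host
    or be a registrable suffix of it. 'hospital-login.example' never matches
    rp_id 'hospital.example', so the key is never asked to sign there."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_assert(cred_key: bytes, rp_id: str, client_data: bytes):
    """Stand-in for the hardware key (HMAC instead of a real signature).
    authData = sha256(rpId) || flags (UP+UV) || signature counter; the key
    signs authData || sha256(clientDataJSON), binding origin and RP together."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_key, msg, "sha256").digest()

def browser_login(cred_key: bytes, rp_id: str, origin: str, challenge: str):
    """What the browser does on a login page at `origin`; the browser, not
    the page, writes the origin into clientDataJSON, so a phishing page
    cannot claim to be the legitimate portal."""
    if not rp_id_allowed_for_origin(rp_id, origin):
        return None                              # blocked before the key is touched
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = authenticator_assert(cred_key, rp_id, client_data)
    return client_data, auth_data, sig

def server_verify(cred_key: bytes, challenge: str, response) -> bool:
    """Relying-party checks from the WebAuthn assertion verification steps."""
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                             # replay or wrong ceremony
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False                             # assertion made on another site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                             # credential scoped to a different RP
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def attempt_login(origin: str) -> bool:
    """One full ceremony: server issues a fresh challenge, browser at `origin` answers it."""
    cred_key = b"constructed-credential-secret"  # constructed; a real key holds a private key
    challenge = secrets.token_urlsafe(32)
    return server_verify(cred_key, challenge, browser_login(cred_key, RP_ID, origin, challenge))
```

Running `attempt_login` for the legitimate portal succeeds, while the look-alike phishing origin fails at the browser scoping step, so no credential material ever leaves the key.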

What is the role of healthcare professionals in this transition to more secure authentication methods?

While the primary responsibility for building security into devices from the beginning lies with device manufacturers, an effective strategy requires a security-first mindset from everyone involved.

For healthcare professionals, this means being prepared to fully adopt and embrace these new technologies, using them to authenticate every single login.

A truly effective security strategy goes beyond just implementing the technology; it involves creating secure, phishing-resistant processes for setting up new devices and then continually using physical security keys for seamless and protected daily authentication.

By embracing phishing-resistant authentication methods like device-bound passkeys, the healthcare industry can better safeguard patients’ data and create a more secure foundation for the future of connected technology.