Bad Reputation: the Lasting Impact of Data Breaches in Healthcare and Beyond
On February 21, Change Healthcare, a unit of the UnitedHealth Group, said in a statement that it was “experiencing a network interruption related to a cyber security issue.” It was under cyberattack by the well-known ransomware group ALPHV/Blackcat. Despite the fact that UnitedHealth Group paid a $22 million ransom, CBS reported that ALPHV/Blackcat claimed to have stolen more than six terabytes of information, including sensitive medical records.
Change Healthcare is the largest U.S. clearinghouse for medical insurance claims, processing more than 15 billion medical transactions annually. One in three U.S. patient records pass through its systems.
Rick Pollack, President of the American Hospital Association, called this attack “the most substantial and consequential incident of its kind against the U.S. health care system in history.” The attack brought the American healthcare system to its knees, shutting down operations at hospitals, individual practices, and pharmacies in its immediate aftermath.
The repercussions are still being felt. In a survey conducted on April 29, the American Medical Association found that of its respondents, “60% continue to face challenges in verifying patient eligibility; 75% still face barriers with claim submission; 79% still cannot receive electronic remittance advice; and 85% continue to experience disruptions in claim payments.”
For millions of Americans, the impact is even more personal. In a press release, UnitedHealth said 22 screenshots that were allegedly from the stolen files – some containing personal health information (PHI) and personally identifiable information (PII) – were posted for about one week on the dark web. In testimony before U.S. Congress on May 1, UnitedHealth Group CEO, Andrew Witty, estimated that one-third of Americans could have been affected in the cyberattack.
The company said: “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”
Many Americans aren’t willing to wait. As of early April, 24 class action lawsuits had been filed against UnitedHealth, including one that alleges that Change Healthcare failed to “take reasonable security measures to protect the confidential health and personal information of millions of Americans.”
The saddest part of this story is that it could easily have been avoided with some simple, everyday security diligence. The attackers got in using a stolen password on a server that lacked multi-factor authentication.
As Oregon Senator Ron Wyden told Witty, “This attack could have been stopped with cybersecurity 101.”
Taking care of the basics
Passwords are still the most commonly used way to secure personal and business accounts. Our recent study found that even for financial accounts containing highly sensitive information, 54% of respondents still relied on passwords for access.
The continued use of passwords is a conundrum: they aren’t convenient for users, they’re a headache for businesses and individuals to manage, and they aren’t very secure – so, why are they so prevalent?
According to Keeper Security, “Weak passwords can lead to ransomware attacks because they can be easily compromised through password-cracking techniques.” Hive Systems estimates that a simple, 8-character password can be cracked in 37 seconds.
People like to keep passwords simple. Their constant use and the mental toll of remembering them lead to password reuse, the loss of passwords, and expensive resets that service providers who rely on passwords must account for. And, of course, nobody has just one account; in fact, the proliferation of online applications and services has created enormous growth in the number of passwords every person uses. Nordpass reports that the average number of passwords used for personal purposes has grown 70% over the past three years, from 100 to 168. Add in business passwords (such as the one used to access the server at Change Healthcare), which Nordpass reports average another 87 credentials per person, and it’s clear how overwhelming password reliance can be.
That’s why people re-use their favorite passwords. Tech Report writes that 52% of users leverage the same password for multiple accounts and 13% use the same password for all of their accounts. This is also true for employer accounts. A Bitwarden survey found that 48% of respondents reuse passwords across workplace platforms or accounts “frequently” or “rather frequently.” LastPass has reported that, while 89% of survey participants know that reused or similar passwords are a security risk, only 12% admitted to always using unique passwords.
Some businesses increase their security by requiring customers and employees to use multi-factor authentication. Most typically, this involves sending a four- or six-digit one-time password (OTP) to a person via email or text on their mobile device after they have entered their username and password, requiring them to enter the OTP before access will be granted.
Having these OTPs sent to another device increases security by incorporating something the person possesses (possession or device-based authentication), which increases the likelihood that the person trying to access the account is the legitimate user.
While these OTPs are uniquely generated and only valid for a limited time, they suffer from some of the same security problems that plague regular passwords. Criminals have also found ways to undercut the added security of a second device or factor. Bots have been developed for the express purpose of stealing OTPs – and fraudsters regularly take over mobile devices through SIM-swapping schemes that can potentially grant them access to all of a user’s accounts.
The fundamental problem with any type of password is that it’s something that’s known (knowledge-based authentication), and anything that’s known can be shared, stolen, and hacked. The best way to overcome this challenge and increase the security of multi-factor authentication is to incorporate biometrics.
How biometrics increases protection against data breaches
Biometrics replaces factors people know or possess with something they are – a physical or behavioral factor like a fingerprint, facial scan, voiceprint, or how they use their device (typing, swiping, dwell time). These elements are difficult to steal or duplicate, and they can’t be shared.
Unlike passwords, they are convenient for users because there’s nothing to remember, find, or reset. Authentication is as simple as the user placing their finger on a key, taking a selfie, speaking, moving a mouse, or swiping between screens.
Biometrics also reduces overhead management for businesses. According to Forbes, “Forrester researchers found that the cost of a single password reset is $70, with the average large enterprise allocating over $1 million annually to password-related support costs.”
Biometric MFA makes it much harder for criminals to get in. When a customer opens an account and presents, for example, their face (by taking a selfie), it is tested for liveness to prove it’s not a still image, video, or synthetically generated content. A template is created from their facial scan that contains only enough information to authenticate the user when they present the live element.
Stealing these templates in a data breach isn’t like stealing passwords, because these templates are useless without the actual presence of the person’s finger, face, or voice.
Even with the advances in AI, biometrics provides stronger protection than passwords and OTPs. The latest biometric authentication solutions use AI to fight against technologically advanced attacks. For example, these solutions can instantly detect deepfakes and other digital images, videos, and injection attacks that occur during authentication. They can identify a synthetically generated voice, and by detecting synthetic images and documents when a fraudster attempts to onboard, they stop criminals from setting up fake accounts that could be used to access a company’s data, network, and systems.
Gartner estimates that global spending on security and risk management will reach $215 billion this year. Infosecurity Europe found that 69% of IT security decision-makers reported an increase in cybersecurity budgets for 2024, with some increases as high as 100%. In CIO’s article on top priorities for CIOs in 2024, #3 is “double-down on cybersecurity.” Yet, with all the focus on improving cybersecurity, the simplest measures are often overlooked.
Nobody wants to be “that” business
No one wants to be the company that brings down the American healthcare system and exposes the information of millions of Americans. Or the company that shuts down nearly half the gasoline and jet fuel supply to the Eastern U.S., or the company that exposes the data, network, and systems of 30,000 public and government organizations to hackers. From Colonial Pipeline to SolarWinds to UnitedHealth, stolen or weak passwords coupled with non-existent or easily bypassed MFA have led to headlines that impact brand and reputation – not to mention, and most importantly, real people – for years.
Passwords without MFA are responsible for everyday breaches that may not have headline-grabbing statistics but are just as devastating to businesses, large and small. Customers whose information is exposed are vulnerable to having their identity stolen and being forced to spend the time and money to recover from this kind of theft. Given a choice, they are likely to stop doing business with any company that exposes them to fraudulent risk.
As we’ve seen, even MFA that relies on OTPs is increasingly vulnerable to hackers. No company can afford to leave itself exposed when simply incorporating biometric MFA can significantly increase its defense against cyberattacks. See how Daon’s biometric authentication solutions close the gap opened by passwords and OTPs.