Those based on legacy SMS systems have already failed spectacularly in recent incidents. The key is to avoid phishable passwords completely!

Research by some cybersecurity firms have indicated that the healthcare industry remains one of the most targeted industries by cybercriminals.

As Asia’s healthcare industry doubles down on its digital transformation and more sensitive data are stored online, there is an urgent need to address mounting cybersecurity risks, especially in the area of password hygiene.

When it comes to this aspect, Andrew Shikiar, Executive Director, FIDO Alliance, is well equipped with the statistics and anecdotal information to educate organizations about the over-reliance of passwords and push for tightened standards of authentication and device attestation. He shares his views with here.

Andrew Shikiar, Executive Director, FIDO Alliance

CybersecAsia: What are the latest cyber threats and trends affecting Asia’s healthcare industry? Besides password-linked infiltrations, what other methods can cybercriminals use to gain access to a network?

Andrew Shikiar (AS): The healthcare sector has long been plagued by data breaches, even before the pandemic. For example, in 2018, Singapore faced one of its worst data breach attacks.

More recently in January 2022, approximately 39m health records were reportedly stolen from a hospital in Thailand and offered for sale on the internet.

These cyberattacks on healthcare organizations come as no surprise, especially as more patients’ private health data are stored online amid burgeoning digital transformation.

To infiltrate healthcare systems, cybercriminals are also using any means necessary: from social engineering tactics like phishing, to exploiting unpatched vulnerabilities in networks. However, across the board, we see that compromised passwords are the most common method— representing up to 86% of hacking-related breaches in some studies.

CybersecAsia: Will enforcing strict password hygiene make the need for passwordless authentication less urgent?

AS: Enforcing strict password hygiene is not enough because even the savviest of users can be duped through a well-designed phishing attack.

In Asia, we are seeing a resurgence of phishing scams involving social engineering techniques to deceive and manipulate individuals into taking the desired action. For example, these scams are designed to prompt an urgent, emotional reaction, causing individuals to forego logic and overlook red flags, until they realize that they have been scammed. 

Healthcare organizations need to keep their corporate data secure. They have an even heavier responsibility to keep patient data safe, whether it is through strengthening their cybersecurity systems through use of phishing-resistant multi-factor authentication or moving away from passwords altogether.

Outside of the healthcare industry, the recent Twilio and Cloudflare phishing incidents where parts of the attack involving intercepting two-factor authentication time-based one-time passwords (OTP) were thwarted due to the use of FIDO-2-compliant security keys.

CybersecAsia: Are there AI and ML solutions to make the most of password-based authentication and privileged access network controls? What are the pros and cons of passwordless authentication?

AS: AI and ML models can certainly be utilized as part of a risk engine: they can examine an array of factors from a user’s sign-in to determine whether or not to grant access.

Such engines are more effective when coupled with usage of FIDO authenticators, which give enterprises much stronger signals on the integrity of attempted sign-ins.

However, employing passwordless authentication offers more benefits, and they generally fall into two categories: security and usability.  

  1. From a security standpoint, eliminating passwords greatly improves an organization’s security posture as it takes away the most common threat vector for remote attacks. 
  2. From a usability standpoint, consumers no longer need to remember new passwords for every app or learn to use a password manager. With the average user hassled by the need to manage nearly 200 pairs of usernames and passwords, going passwordless offers excellent convenience. This reduced friction brings benefits to organizations: as higher sign-in rates lead to higher service consumption, eliminating the need for password resets reduces help-desk costs. 

Initially, with any change there will be some user resistance. Those who are unfamiliar with passwordless logins would need to adapt. Additionally, as passwordless authentication is often tied to one’s device (a mobile phone, laptop, or security key), losing that device can take time for users to troubleshoot and get their accounts back.

Fortunately, innovations such as the passkey concept being supported by Apple, Google and Microsoft can help address some of the account recovery problems—by securely synching the user’s private key across OS cloud services.

CybersecAsia: Is there a one-size-fits-all solution that retains the use of passwords but still limits the cyber risks? 

AS: The path towards passwordless is a journey and not a sprint, it is expected that organizations will still use passwords as they migrate toward a password-free future. That being said, organizations should develop a concrete plan to reduce their reliance on passwords, starting with the most sensitive employees and customers. 

Where passwords are still utilized, I recommend organizations to use multi-factor authentication that is not phishable through social engineering or other techniques—such as use of FIDO-compliant security keys as a second factor.

Not all forms of MFA are created equal: legacy forms such as the use of one-time passwords sent by SMS are highly susceptible to remote attacks. OTPs share a common trait with passwords: they are human-readable, knowledge-based secrets that hackers can pry out of users’ hands.

The recent high-profile OCBC Bank phishing scam in Singapore exemplifies this: hackers were able to leverage SIM swapping techniques to divert the SMS OTP to their phones instead of the recipients’.

For healthcare providers and professionals to protect their organizations’ data with minimal disruption and investment immediately and in the longer term, they should:

  • start by setting strong and unique passwords backed by phishing-resistant MFA
  • develop a concrete plan to eliminate passwords and move toward multi-factor authentication that eliminates passwords
  • consider employing currently available passwordless standards and specifications that can be applied across all industries, including healthcare, with the least disruption
  • lower the barrier to transition by using possession-based authentication that is implemented in billions of devices and every leading browser and operating system. 

CybersecAsia thanks Andrew for guiding readers onto the path of passwordless security.