AI Fights Back Part 2: Battleground Protocols
In part 1 of the AI fights back series: Halt, Quo Vadis? (Who Goes There?) we examined vulnerabilities that allow nefarious hackers to penetrate healthcare institutions and the treasure troves of sensitive and broad clinical and financial patient data that they store. In part 2, we will explore battleground protocols and a new weapon (AI) to be used in the fight against hackers.
Acceptto CEO and founder Shahrokh Shahidzadeh, an Intel Corp 25-year veteran and cyber-security expert, notes that for six decades we have treated authentication as a binary event, with a start and an end. It is time for a paradigm shift, using a modern data science approach to passwordless authentication. Minimizing friction in the end-user experience allows us to serve both objectives of smooth IT Operations (service level and speed) and tight Risk Mitigation (confirming who has access to what). The first step in transforming enterprise security is ceasing to treat authentication as a single binary event with a simple yes or no, but instead recognizing that authentication is a continuum spanning the entire user experience.
Therein exists the fundamental issue, and opportunity. In a traditional authentication context, once an end-user has used legitimate credentials to access a system, they acquire unfettered access to any part of the system that is interconnected and accessible with those same credentials. This is an issue because unfettered access results in substantial vulnerability for the organization (people change jobs, get fired, credentials constantly change). This is also an opportunity because the same unfettered access can be examined and monitored over time, painting a picture of what constitutes “normal” behavior on the part of that specific user. This essentially amounts to “Augmented MFA.”
Antiquated Security Protocols
In healthcare cyber security, IT professionals must now take into account the necessity to secure devices that were never conceived to operate outside the relatively safe perimeter of a hospital: imaging devices communicate with each other over DICOM, a decades-old standard that does not include any security provision. EMRs and EHRs communicate over HL7, another equally antiquated and fragmented protocol that isn’t natively capable of connecting over encrypted channels. Although the latest DICOMweb and FHIR RESTful API standards help to alleviate this vulnerability by enabling DICOM and HL7 protocols over HTTPS or TLS, far too many Health IT vendors are lagging behind in their rate of adoption of RESTful APIs.
Mobile Devices in Clinical Context
iOS and Android devices – many of which are personal devices – are routinely used by clinicians to access patient records and to document encounters so they aren’t always tied to a desktop to perform their routine tasks. This is a prime example of user friction caused by the necessity to use specific terminals in a hospital in order to access EHR records, take notes, place orders or receive test results.
AI and ML Accessing Patient Records
In an effort to defragment patient records and reduce avoidable medical errors, AI companies are increasingly connecting new AI and ML microservices into EHRs and EMRs. Mobile devices are also being leveraged by AI companies to “interrogate” Enterprise Health Records and accelerate the analysis and correlation of key elements of a patient’s health records. While defragmenting patient records is inherently a good and desirable objective, the methods utilized to achieve aggregation of fragmented data are also creating more headaches for IT in maintaining the integrity of their enterprise. AI and ML tend to be proprietary “black box” devices, making them more difficult for IT professionals to vet or monitor.
Telemedicine In The Age of COVID
Although telemedicine had already been making solid progress in healthcare services over the past decade, the advent of COVID has enabled telemedicine solutions to flourish and to break through many barriers. Logically and technologically, telemedicine has always made a lot of sense – except when it came to getting paid. Telemedicine has historically had difficulty becoming a routine part of healthcare workflows because it has been unclear what kind of reimbursements could be tied to such services. Low and inconsistent pay has made it difficult for healthcare professionals to consider telemedicine as a serious path.
COVID has upended these arguments; the sudden necessity to support substantially more patient home care and remote monitoring has made telemedicine a natural evolution for providers, while also making the digital persona that much more fluid and challenging to control.
The steady escalation of password protection requirements and complexity is creating increasing friction for end-users, often to intolerable levels. Not only should passwords be strong (not easily guessed), they should contain alphanumeric as well as special characters; they should be a minimum length; they should not be one of the previous five passwords used; they should not contain sequential numbers; they should have at least one uppercase letter… The list of requirements keeps growing, and we have all found ourselves looking around for inspiration for a new unbeatable password to replace a previously perfect password we could finally remember.
Multi-factor authentication (MFA) and captcha hoops continue to add complexity and barriers to entry for hackers, but they also make it more and more painful for end-users to access and work with their own data. Working From Home (WFH) in the age of COVID-19 has further embattled IT professionals in that they are now also expected to secure the work environment of employees in their individual homes – yet another expansion of the end-user’s digital footprint, fostering more vulnerabilities.
Some companies thrived during COVID-19 stay-at-home orders. Zoom became a household name as the pandemic boosted its video conferencing business, and more than quadrupled its annual revenues from $622.7 million to $2.7 billion in the 12 months ending January 31, 2021. Many IT companies trusted Zoom’s security practices and its end-to-end encryption. We now know those claims were less than truthful, and Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and shared user data with Facebook and Google without the consent of users. As cyber security threats multiply, “Fake it till you make it” won’t do.
According to Acceptto, “attackers regularly exploit weaknesses in SSO and MFA implementations. The severity of this problem has been drawn into sharp relief with the unprecedented scale of SolarWinds and Microsoft Exchange attacks in 2020-2021, both of which included attackers bypassing MFA. Assume all passwords have been hacked—or soon will be—regardless of how intricately and uniquely they have been devised. Cybercriminals have easy access to over 3 billion harvested credentials from digital consumers worldwide. Biometrics can be reduced to a few binary traits; while a fingerprint or facial scan appears to be distinctive and safe, they too can be spoofed when they exist in digital form outside of special hardware. Two-factor authentication can impose time limits on users at every log-in, producing friction and fatigue. And temporary codes over insecure channels can be intercepted during transmission. Traditional multi-factor authentication (MFA) security solutions lack context and rely on too few attributes. Without a change in approach, all enterprise data can be compromised.”
Password authentication, multi-factored or not, is ultimately a flawed approach to cyber security, although it is admittedly better than no protection at all. One of the reasons it is flawed is that it relies upon humans, the weakest link in the chain. As long as a human is expected to provide input, errors will be made and vulnerabilities will continue to proliferate. This leads us to the concept of “passwordless continuous authentication.”
Passwordless Continuous Authentication
There is a lot to unpack in these three words. Let’s examine “passwordless” for instance. For most of us, the ability to access our various data sources without having to enter a password is a clear cognitive dissonance, as foreign a concept as flying on an airplane without a pilot. Yet pilotless flight is the inevitable future we are facing. It will take some getting used to, and initially airlines will continue to employ “baby-sitter” pilots who are strictly there to make the passengers feel better – notwithstanding the fact that AI will likely have a far better flight safety record than any human pilot.
When cell phone manufacturers started to produce units without an antenna, consumers would routinely opt for another unit that had a vestigial (nonfunctional) antenna. It was mostly due to our own misguided belief that a cell phone without an antenna couldn’t possibly be as functional as one with an antenna.
When shifting our thinking away from traditional (flawed) authentication methods, we free ourselves to accept a radically new approach, with superior safety for organizations and less friction for consumers. Ultimately passwordless continuous authentication will prove to be far safer than the obstinate use of ineffective passwords.
Shahrokh Shahidzadeh postulates that “authentication is best conceptualized not as a single event with a binary yes or no, but rather a continuum.”
To be scrutinized upon entry, whether online or in-person, is something we’ve all become accustomed to, especially in this post 9/11 era. To be continuously scrutinized is another matter altogether, a concept that many of us may balk at. However, let’s examine the virtues of such an approach:
A password can be equated to a single sentinel in front of your door. If someone can bypass this one sentinel, there is literally nothing standing in their way, and what was once yours is now theirs. Continuous authentication is equivalent to having multiple sentinels watching for suspicious behavior in front of and behind every door, room and corridor, 100% of the time. Unless you have something to hide, there should be zero objection to this approach, especially when matters of physical safety, medical records, or financial security are at stake.
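The behavioral baseline described in the “Augmented MFA” paragraph earlier and the sentinel analogy here, as a small added illustration (constructed for this article; it is not Acceptto’s product or code): a per-user baseline of device, network, hour and resource is learned from past requests, every later request in the session is scored against it, and the score decides whether to allow the request, demand a step-up factor, or terminate the session. The attribute names, weights, thresholds and the clinician’s history are all assumptions.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field

TRUST_AFTER = 3   # an attribute value seen this many times counts as fully "normal"
WEIGHTS = {"device": 0.35, "ip_prefix": 0.25, "hour": 0.15, "resource": 0.25}  # assumed
ALLOW_BELOW, STEP_UP_BELOW = 0.3, 0.6   # assumed risk thresholds

# One request in an authenticated session (constructed fields): device fingerprint,
# first two octets of the source address, local hour 0-23, EHR operation requested.
Event = namedtuple("Event", "device ip_prefix hour resource")

@dataclass
class Baseline:
    seen: dict = field(default_factory=lambda: {k: Counter() for k in WEIGHTS})

    def learn(self, ev: Event) -> None:
        for attr in WEIGHTS:
            self.seen[attr][getattr(ev, attr)] += 1

    def risk(self, ev: Event) -> float:
        """Weighted novelty: 0.0 = every attribute matches history, 1.0 = none does."""
        total = 0.0
        for attr, w in WEIGHTS.items():
            count = self.seen[attr][getattr(ev, attr)]
            total += w * (1 - min(count, TRUST_AFTER) / TRUST_AFTER)
        return total

def decide(risk: float) -> str:
    if risk < ALLOW_BELOW:
        return "ALLOW"
    if risk < STEP_UP_BELOW:
        return "STEP_UP"     # ask for a second factor before serving this one request
    return "TERMINATE"       # end the session even though the initial login succeeded

def build_baseline() -> Baseline:
    """Constructed history for one clinician: one tablet, hospital network, day shift."""
    b = Baseline()
    for i, h in enumerate([8, 9, 9, 10, 11, 13, 14, 15, 16, 17]):
        b.learn(Event("ipad-7f3a", "10.20", h, "ehr:orders" if i < 2 else "ehr:chart"))
    return b

def continuous_check(b: Baseline, events) -> list:
    """Score every request of a session; the baseline adapts once a request is accepted."""
    decisions = []
    for ev in events:
        d = decide(b.risk(ev))
        if d != "TERMINATE":
            b.learn(ev)   # a passed step-up teaches the baseline the new behaviour
        decisions.append(d)
    return decisions
```

Feeding `continuous_check(build_baseline(), ...)` a routine chart view, then a first-ever bulk export, the same export again, and finally an export from an unknown device on a foreign network at 3 a.m. yields ALLOW, STEP_UP, ALLOW, TERMINATE: the valid credentials alone never decide, the context does.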
In our final installment of the AI Fights Back series, we will examine the cybersecurity adoption journey from the vantage point of the IT professionals who are expected to deploy AI while also preserving the integrity of the Enterprise.