When it comes to hosting data that falls under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Technical Safeguards required by the HIPAA Security Rule are some of the most foreign to those who are new to the regulation. They are also among the most important parts of the law for keeping protected health information (PHI) private and out of an attacker's hands. For example, the Security Rule requires covered entities to verify that a person or entity seeking access to electronic PHI is the one claimed, and multifactor authentication is the accepted way to meet that standard on systems that hold PHI. Often the presence or absence of that second factor is the difference between a blocked login attempt and a catastrophic breach.
So what exactly is multifactor authentication? Essentially, it is a method of requiring two or more independent proofs of identity, rather than just one, in order to gain access. Most people are familiar with passwords and the importance of choosing strong ones. What many people do not appreciate is that a password alone can fail in ways that have nothing to do with its strength: it can be phished, reused from another site's breach, or, if the password database is stolen, guessed offline by brute force (trying every possible combination) or from a dictionary of likely candidates. With this in mind, multifactor authentication combines factors of different kinds: something you know (a password), something you have (a hardware key or an authenticator app on your phone), or something you are (a fingerprint). Many services such as Google and LastPass offer multifactor authentication for day-to-day use; for systems holding PHI it is the expected way to satisfy the Security Rule's person or entity authentication standard (45 CFR 164.312(d)), which is written technology-neutrally and does not name a specific mechanism. The second factor is typically a one-time code that the device computes from a secret enrolled once and the current time, so a stolen password on its own is not enough: without both the password and a fresh code from the enrolled device, access is not granted.
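To make the "something you have" factor concrete, here is an added example (not code from the original post) implementing the time-based one-time password scheme (TOTP, RFC 6238) that phone authenticator apps use, together with a login check that requires both a password and a fresh code and refuses to accept the same code twice. The user password, the enrolled secret and the timestamps are constructed for illustration; the only real values are the RFC 6238 test vectors used to confirm that the code generation is correct.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step.
    Nothing here is random on demand; the code follows deterministically from the
    enrolled secret and the clock, which is how the phone and the server agree."""
    return hotp(secret, unix_time // step, digits)


def provision_secret() -> Tuple[bytes, str]:
    """Generate a fresh 160-bit secret at enrollment and return it with the base32
    form that is shown to the user's authenticator app (usually as a QR code)."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


class MfaVerifier:
    """One user's credentials: a salted password hash plus an enrolled TOTP secret.
    Both factors must pass, and a code accepted once is never accepted again."""

    def __init__(self, password: str, totp_secret: bytes, step: int = 30):
        self.salt = secrets.token_bytes(16)
        self.iterations = 100_000
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)
        self.totp_secret = totp_secret
        self.step = step
        self.last_counter = -1  # highest time step whose code has been accepted

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)
        return hmac.compare_digest(cand, self.pw_hash)

    def match_totp(self, code: str, now: int, window: int = 1) -> Optional[int]:
        """Return the time step whose code matches, allowing `window` steps of clock
        drift either way, or None. Steps at or before the last accepted one are
        rejected so a code captured from the user cannot be replayed."""
        counter = now // self.step
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, c), code):
                return c
        return None

    def login(self, password: str, code: str, now: int) -> bool:
        # Evaluate both factors before deciding; a correct password alone never
        # grants access, and the used time step is only recorded on full success.
        pw_ok = self.check_password(password)
        matched = self.match_totp(code, now)
        if not (pw_ok and matched is not None):
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed enrollment: the raw secret stays on the server, the base32 form
    # goes to the user's phone once.
    raw_secret, for_app = provision_secret()
    user = MfaVerifier("correct horse battery staple", raw_secret)
    now = 1_700_000_000
    code = totp(raw_secret, now)             # what the phone would display
    print("password + code :", user.login("correct horse battery staple", code, now))
    print("same code again :", user.login("correct horse battery staple", code, now))
    print("password only   :", user.login("correct horse battery staple", "000000", now + 30))
    print("code only       :", user.login("password", totp(raw_secret, now + 60), now + 60))
```

The replay guard matters for the threat model above: an attacker who phishes both the password and the code the user just typed has only until that time step is consumed, and once the real user logs in (or the attacker tries once), the captured code is dead.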
On June 17th, 2014, attackers targeted Code Spaces, a well-known code-hosting service, with a Distributed Denial of Service (DDoS) attack. According to the company's website, DDoS attacks are a fairly common occurrence (as they are for many popular websites), but this one was different: the attacker had also gained access to the Amazon Elastic Compute Cloud (EC2) control panel, the console that Amazon Web Services (AWS) provides for managing a customer's virtual servers and storage. The attacker left a message in the control panel demanding a ransom. When the demands were not met and Code Spaces staff began changing the login credentials, the attacker responded by deleting the company's data and backups. Since Code Spaces kept both its data and its backups with this single provider, reachable from the same compromised account, the loss was unrecoverable. This one event was too costly to repair and single-handedly ended the company; Code Spaces focused from that point forward on helping users recover what data they could before folding completely.
So what went wrong at Code Spaces? In short, many things. Specifically, a single account had unfettered access to all of the company's data and backups, and that account was not secured. Security professionals have speculated that its credentials were gleaned from a simple phishing email. Even if the user had set the password to “password” and the username to firstname.lastname@example.org, the company would not have been in such a predicament had multifactor authentication been enabled and in use, because a phished password alone would not have opened the console. And beyond the second factor, no single login should be able to delete production data and its backups in one sitting: day-to-day work belongs in least-privilege accounts, with backups held where the primary credentials cannot reach them. Why wouldn't users implement such an easy fix? Simply put, security is routinely traded away for convenience. Users don't like needing their phone to log in to daily tasks when it seems to them that a password is protection enough. Some have suggested that Amazon and Microsoft, a cloud competitor, do not push multifactor authentication on their customers because added cost or friction is believed to drive down sales: if it is harder to gain access, fewer users will adopt the service. Yet AWS already offered MFA at no charge for both the account's root credentials and individual IAM users at the time; it was there to be switched on.
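As an added illustration (not Code Spaces' actual configuration), this is the kind of AWS IAM policy a hosting environment handling PHI should attach to every user or group: it denies every action except the handful needed to enroll an MFA device whenever the caller's session was not established with MFA. The statement identifier is an assumed name chosen here; the action names and the `aws:MultiFactorAuthPresent` condition key are AWS's own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingExceptMfaEnrollmentWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

`BoolIfExists` matters: a session that carries no MFA context at all (for example plain long-lived access keys) evaluates as not having MFA and is denied, rather than slipping through because the key is absent. Note that an IAM policy cannot enforce MFA on the root user itself; root MFA has to be enabled directly on the root account, after which the root credentials should be locked away and all routine work done through IAM users governed by a policy like this one.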
Part of the reason the HIPAA Security Rule's authentication standard is best met with multifactor authentication is that it is simple to implement and removes an entire class of attacks: a phished, guessed, or reused password no longer grants access on its own. It is simple to enable on all of the major cloud hosting environments, and it would very likely have stopped the Code Spaces attacker at the login screen. When looking for HIPAA-compliant hosting, check that the environment supports multifactor authentication, that it is enforced for every account that can reach PHI (administrative and console accounts included), and that backups sit outside the reach of any single compromised credential.