This month, we had an enlightening conversation with healthcare specialist Joy Poletti, who has worked as the VP of access and governance operations and program delivery. Joy brought over ten years of experience in access governance, focused on the healthcare sector, to the table.
Joy’s counterpart is our very own Ryder Gaston, WinMagic’s Chief Revenue Officer. Ryder brings a wealth of product knowledge to the table, along with what it takes to go truly passwordless.
Our conversation with Joy brought to light many aspects of the medical sector and the pain points involved in user authentication. As she mentions in our conversation:
“Can you imagine having to stop in the middle of some kind of surgery or any kind of procedure to reset a password? There’s no time for that, that’s just not acceptable.”
What’s more, Ryder had a great solution on hand.
What is passwordless?
“Passwordless” is becoming a hype word. So much so that it’s being thrown around without many companies or individuals knowing exactly what the idea means. Early in our conversation, Ryder took a moment to iron out any confusion.
Passwords have been around since the 1970s. Over the years, they’ve become the most vulnerable security point for organizations. Passwords are susceptible to cyber-attacks, phishing scams, and other risks.
“Any kind of state agencies coming into organizations are really looking for compromising those credentials.” – Ryder Gaston
The notion of passwordless stems from the need to reduce the friction between passwords and the user — users forgetting passwords, writing them down, sharing them, and more — while also increasing security around authentication.
“Whether [authentication] was at the pre-boot of your disk encryption, sitting at your desktop, logging into your VPN, or just hitting a specific application that might still require credentials, it became very complex for the communication side of the house to really streamline.” – Ryder Gaston
In our post-pandemic world, more people are working remotely than ever before. Some people travel to and from the office, creating a risk factor and level of friction as they need to authenticate themselves from place to place. When users get locked out in remote conditions, it’s particularly difficult to get their account unlocked.
“What we’re hearing, in general, is users being locked out of their systems across the board. This is just resonating left and right. People not being able to do their jobs is very, very frustrating.” – Ryder Gaston
Now that remote work and network access are here to stay, the authentication industry is making a huge pivot, working to reduce user friction while increasing security at the same time. A frictionless experience has the potential to boost productivity by making sure users can reliably access the network and stay online.
“We’ve seen a massive uptick in productivity issues during COVID and post COVID, based upon this restriction of passwords.”
Healthcare pain points
Healthcare is incredibly focused on patient care, taking urgency to the next level when it comes to system availability. Health practitioners need a rapid authorization process to log onto their digital systems. The sector experiences pain points from both a functional standpoint and a security perspective. Caught in the moment, hurried healthcare workers will write their passwords down just to remember them. Or, they’ll share their password with a coworker, which is another blatant security risk.
Joy believes that the healthcare sector needs a different solution. One that enables physicians, nurses, and frontline workers to access confidential patient records on-the-go without having to remember a username and password.
“In health care, the patient care comes first. We’ve got to find a way to do better.” – Joy Poletti
Other pain points can be found in the merger and acquisition process that healthcare organizations frequently experience. When two groups come together, they each bring their own systems and software. As a result, there are multiple sets of credentials healthcare workers need to know.
“If a physician only needed to remember their login ID and didn’t have to worry about their password, that would be a huge satisfier. […] We wouldn’t be asking physicians to reset their login ID every 90 days.” – Joy Poletti
Due in part to these complex structures, physicians and specialists are driven to their “wit’s end.” Healthcare organizations end up losing their most valued employees who are on the frontline taking care of patients.
Other pain points
While the above pain points in healthcare can be extremely restrictive, Ryder shared his thoughts on how passwordless can help iron out the experience.
From working with multiple healthcare organizations over the years, the WinMagic team knows that any delays can cost lives. Going passwordless can reduce the friction of user authentication and let health practitioners focus on their jobs.
Another area of friction is the criteria for passwords. They need to be updated every 30, 60, or 90 days and must follow an unreasonable set of criteria for complexity.
“They tend to make those passwords something they can remember very easily. […] And they’ll continue to use the bare minimum of complexity.” – Ryder Gaston
More recently, NIST 800-63 guidelines are telling companies to not make their users change passwords regularly. Instead, complex passwords of 13 to 14 characters have proven to be secure. Well, NIST has addressed one problem, but there’s still the issue of passwords being too complex for most users to remember: “somebody is going to get compromised.”
In fact, “80 to 90% of all compromise is based upon a credential being taken over.” This statistic has been the same for the past decade without improvement. As Ryder asks, “why has this not changed yet?”
Now, with such a shift to remote and hybrid working, the world is starting to transition. Organizations are focusing on security and getting rid of passwords: one of the most prominent security risks. Unfortunately, the shift won’t be easy.
While many leading software providers are looking at passwordless authentication, legacy software will still require usernames and passwords for years to come. So, as Ryder articulates, “the way you start looking at what password is: How do you give all these values that we’re talking about this reduction of friction — this increased security?”
Passwordless is a framework that allows users to orchestrate communication between devices to authenticate themselves. Ultimately, passwordless is “the framework conversation on the path of zero trust.”
One often-overlooked aspect is the pre-boot side of user authentication. Nearly all disk encryption solutions require a username and password to authenticate. So, if a third party were to compromise your system and had your username and password, they could log into the system and pull data, even cached content, and potentially compromise your network credentials.
Taking the password out of your OS experience, whether with Linux or Windows, all the way into your applications, can bolster security.
A perfect healthcare world
Joy believes that, in a perfect scenario with single sign-on (SSO), the user should have just one set of credentials. However, particularly in the healthcare sector, people are faced with mergers and acquisitions that bring ancillary systems without SSO configured.
“It’s one thing when you’re asking your IT staff to understand that and remember multiple credentials, but when you’ve got physicians, nursing staff, and healthcare workers on the front line who are going a million miles an hour from patient to patient — time is money.” – Joy Poletti
Aside from money, there’s the factor of urgency based on a patient’s situation. The concern “really takes the whole ‘not being able to log in’ to the next level.” Now that passwordless is a possibility, healthcare institutions are looking for a solution that shifts the authentication responsibility away from the physicians to a trusted device instead. This shift would allow specialists to do their job in a timely manner without the hassle of calling the service desk every time they have trouble logging into the system.
Service desk queries can get bottlenecked. Either the service desk personnel don’t have ready answers, or they’re juggling too many service calls. This challenge creates frustration throughout the system and delays patient care, which is unacceptable in healthcare.
Considering costs, “think about the money you would save, if you cut off all those calls to the service desk for password resets and unlocks.” For the health sector, Joy would love to see the responsibility of authentication lifted from the front line and placed in the hands of a solution that offers the right amount of security.
“You really have to look at that risk and cost in that full picture of what you’re signing up for.” – Joy Poletti
With a new world of authentication on the horizon, there’ve been many conversations about the differences between authentication, verification, and how they interact with each other. By authenticating a verified device and user, the device will be authorized to access your applications based on the roles the user has inside the organization. This factor is critical for a secure, passwordless experience because you’ve coupled one verified user with a verified device to access applications securely.
This setup will break any communication from side channels and prevent external scammers and security risks. Additionally, a fluid device-user authentication setup eliminates user friction. Every time the user accesses the application, the authorization is verified back to the device with no or minimal user action.
In the end, any good decision made by an organization needs to have a positive ROI. Through working with leading analysts, WinMagic now offers an ROI calculator right on our website. This calculator helps organizations understand how much they stand to save by going passwordless.
Organizations see the biggest savings in reduced downtime. Every time people on the job experience downtime, it costs the organization money: “If you’re offline, you’re losing money, you’re not able to do your job.”
“It’s something organizations should really take a strong look at to understand just how much the password is truly costing your day-to-day operations.” – Ryder Gaston
Why go passwordless?
Rather than asking passwordless experts, we shot this question over to Joy. In her eyes, the main reason to go passwordless comes down to cybersecurity. The healthcare industry has an undeniable problem in this area and is actively looking for the right solution.
“We need to be offering solutions. We need to be able to go back and say what can we do so physicians are not impeded from making the patient experience the best it can be.” – Joy Poletti
Cumbersome authentication impacts not only healthcare providers; it’s the patients who bear the brunt of the system. Joy believes strongly in covering the bases and doing our due diligence to bring in “a solution that offers the right level of patient care and really supports the business” but also offers rigorous security measures.
When implementing a passwordless configuration, Joy recommends beginning with a small pilot group. As the group tests and experiences the solution, the higher-ups need to consider: “Who would benefit most and how can we make this happen?”
Where to begin?
There are dozens of authentication solutions in the world today. So, how do you choose one? You have to make sure you’re ready to start your passwordless journey. There’s no instantaneous switch that makes your entire organization passwordless. The journey is going to be frustrating and troublesome. There’s a lot of change that needs to happen to get the biggest bang for your buck.
The first step is to analyze where the most authentication-based friction occurs within the company. Are users experiencing a high rate of password resets? Who would win from going passwordless? Where are you losing your top talent?
Lastly, diagnose your highest security risk with identities and passwords. What identities within your organization have the highest security risk if compromised? These are the high-level areas of pain points you’ll need to consider.
Crawl, walk and run
The passwordless journey is a long, thought-out process. To address unique pain points, organizations need to follow a “crawl, walk, run” approach. To summarize, here are the first steps of the journey:
- Identify who would benefit the most
- Analyze your unique pain points (user friction, security risks, etc.)
- Determine cost savings and ROI
“To implement something like this, you really can’t do it in a silo. Cybersecurity needs to reach out and bring the right business players into this and really take a task force approach. You’re going to need legal privacy, cyber, the business, you’re going to need to bring physicians in, those that are on the front line, and really hear those use cases. So, make sure you really take that team approach and you really consider all the necessary sides of it.” – Joy Poletti
In conclusion, going passwordless is a journey. The transition will require entire organizations to be onboard and have conversations to really understand how the shift will impact the business.
Looking at the many solutions on the market, Ryder says:
“Don’t fall for marketecture. You could go to any conference today and throw a stick and hit 15 passwordless authentication companies. You want to really make sure you do your due diligence. And, don’t just look at what you’re trying to solve today — make the password go away — you need to understand how that’s going to impact you 3, 5, or 7 years from now. Really look at what the roadmap of that organization is, how they’re approaching the space, and make sure they’re considering announcements coming from big vendors like Microsoft.”