MEDHOST Blue Logo

Let’s talk about your EHR needs: 1.800.383.6278  

Tuesday October 11, 2022  |  Michael Johnson, Chief Information Security Officer

Don’t be Fooled by Fake Login Pages: How Multi-Factor Authentication Protects Internet-Facing Servers

While the hybrid model has given us the freedom to choose whether we complete our work at home or off-site, anywhere access to enterprise systems has also made it harder than ever to protect sensitive data.

Recently, data architecture has emerged as a popular vector for attack. Malicious actors can take advantage of internet-facing servers that require a username and password by creating a clone of the server login page and tricking users into entering their credentials.

In this blog, we’ll outline how multi-factor authentication (MFA) can protect these systems as well as best practices that healthcare organizations can adopt to prevent criminals from using digital resources to compromise security.

What is Multi-Factor Authentication (MFA)?

MFA is an electronic verification method that uses two or more pieces of evidence (factors) to authenticate a user. These factors can include something only the user might know, a device only the user owns, or some other quality inherent to the authorized party. These measures work together to ensure that a single piece of information, such as a password, can’t be used to access protected data.

How Multi-Factor Authentication Protects Internet-Facing Servers

Threat actors can infiltrate servers through a sophisticated process that involves cloning a login page, using phishing emails to lure employees into visiting the cloned page, then stealing their credentials. If the target’s website is a single-factor access point, the hacker now has everything they need to gain control.

First, the attacker will compromise an unrelated website. The intent is to use this website as a staging ground. The attacker will allow the original website to operate as normal, and this server will be used later to capture credentials from the real target. We will now refer to this as the threat actor’s compromised website.

Next, the threat actor will identify its real target—in this instance, a hospital or health system. This target will have an Internet-facing server with username and password authentication. The threat actor will then clone the authentication page to the compromised website as an additional URL.

Finally, the threat actor will create a phishing campaign to target the real victim. All the attacker needs is one user to enter their login information on the fake web page.

Beefing up Your Cyber Protection

Companies must strongly consider what websites they allow to be externally facing. These public pages can be found by a search engine, which presents criminals with the opportunity to create clones that might fool unwitting users into giving up their login credentials.

For instance, we sometimes find a client has made their clinical software available on the internet. Usually, a physician has requested this for ease of use outside the facility.

Keep in mind: If content appears to have value, it will be targeted. For this reason, we strongly discourage attaching clinical software directly to the internet. Given the sensitivity of the data and the consequences of a breach in both regulatory fines and patient trust, we advise clients house this software behind a remote gateway. In creating this security apparatus, MFA is a must.

Furthermore, clients should have an asset inventory of what services and protocols are internet-facing. Website content should be analyzed for how much information is being exposed to an attacker. For example, the word “clinical” in the URL will get unwanted attention. A process should be established to approve all new websites prior to being enabled.

MEDHOST Information Security Services

MEDHOST Information Security Services can provide the expertise to help identify these and other threats to your organization. We can provide a comprehensive security review that includes identifying vulnerabilities, prioritization, remediation strategies, and preemptive measures to help manage risk and improve security and safety.

To learn more about how MEDHOST can help protect its customers from cyber threats and reduce their impact on operations, please reach out to us at inquiries@medhost.com or call 1.800.383.6278.

 

You may also be interested in:

MEDHOST Achieves HTI-1: DSI Criteria Certification
+