Healthcare suffering identity headaches; providers prescribe fewer passwords

Health information is some of the most sensitive data – and some of the most sought-after by data thieves. Now, it appears to be under attack, as fraudsters target the purgatory of passwords for phishing attacks.
The American Hospital Association (AHA) advises that Microsoft Threat Intelligence is warning that a large-scale, multistage phishing campaign “disproportionately targeted the health care sector, sending ‘code of conduct’ themed emails to lure users into credential theft and token compromise.”
Microsoft says the campaign reached more than 35,000 users across over 13,000 organizations, mostly in the U.S., leveraging “adversary-in-the-middle” techniques to intercept authentication tokens in real time. “The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications.”
“Phishing attacks are the most frequent and most effective methods of attacking the health care sector,” says Scott Gee, AHA deputy national director for cybersecurity and risk, in a release. “Training and vigilance are the keys to preventing these attacks. That training should also emphasize the ‘why.’ It’s not just about loss of protected health information, but the potential for shutting down critical systems and impacting patient care and safety.”
Healthcare provider data exposed in CMS database
Speaking of critical systems, a publicly accessible Medicare portal database exposed Social Security numbers linked to health care providers, according to a new report by the Washington Post.
The database, which has since been taken offline, supported a national provider directory created by the Centers for Medicare and Medicaid Services (CMS), enabling Medicare beneficiaries to search for doctors and other providers. However, only data from providers, not beneficiaries, was exposed.
Ping Identity partners with Oloid to try and cure password problem
The healthcare industry clearly needs some help shaking off its password problem. Passkeys are making inroads in enterprise environments like healthcare, with the FIDO Alliance counting 5 billion in global use between consumers and the workforce. But passwords continue to stick around, waiting for the right solution to dislodge them from the grim nook in which they huddle, wretched and obstinate.
Options continue to emerge. Ping Identity has announced a partnership with Oloid to deliver a passwordless, Verified Trust identity solution for the U.S. clinical healthcare workforce. A release says a rise in credential-based attacks is increasing pressure to eliminate passwords, prompting the development of a joint solution to modernize clinical workforce identity and access management (IAM) for an environment heavily reliant on shared devices, workstations and EHR systems.
The product introduces a passwordless, Verified Trust model that performs continuous identity verification through credentials and adaptive assurance. More than a secure login tool, it supports verified onboarding and issuance of reusable verifiable credentials; seamless Tap-and-Login access for workstations, shared accounts, and VDI-hosted EHRs; and fast, high-assurance recovery for lost badges and locked accounts using. Clinicians can present their credentials in a mobile wallet, including Apple Wallet and Google Wallet.
The fully cloud-native SaaS product is designed to mitigate unsafe workarounds and introduce adaptive assurance, helping healthcare organizations reduce clinician downtime, improve productivity and strengthen defense against credential-based attacks.
Per the release, Ping provides the identity verification and trust layer with its PingOne Verify tool, while Oloid delivers seamless Tap-and-Login access across clinical environments. Ping’s identity verification applies minimal data collection and rapid data deletion policies, and biometric verification is performed using a one-second passive liveness check at the edge, helping protect against deepfakes while preserving user privacy.
“Healthcare organizations must balance speed of care with high-assurance security,” says Gaurav Sharma, VP of product strategy for workforce at Ping Identity. “By combining verified onboarding, seamless Tap-and-Login, and secure recovery, we’re reducing access friction while strengthening protection against credential fraud.”
TruMerit, Credivera issue first digital credentials to healthcare workers
An announcement from TruMerit, a healthcare workforce development and credential evaluation firm, says it has issued its first verifiable digital credentials to healthcare professionals through a new partnership with Calgary-based Credivera.
According to a release, the first digital credentials have been awarded to nurses and other healthcare professionals who successfully passed TruMerit’s global certification examinations over the last year. Digital credentials include the Certified Global Nurse credential and others tailored for nurses and healthcare workers specializing in rehabilitation care.
Credivera’s secure credential exchange platform issues TruMerit credentials in encrypted, tamper-proof digital formats aligned with globally recognized verification standards.
“Professional credentials are increasingly becoming part of a person’s digital identity,” says Dan Giurescu, CEO of Credivera. “Our platform allows trusted organizations like TruMerit to issue secure, verifiable credentials that professionals can control and share anywhere in the world. Together we are helping create a more transparent and trusted system for verifying healthcare qualifications.”