The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and thus a greater risk that someone will steal their credentials to log into their online account.
First, it’s important to understand why the FFIEC issued the new guidance. They make that very clear: current authentication strategies are not working. The FFIEC cites the loss of “hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers” based on the government’s IC3 Annual Internet Crime Reports. With our extensive experience in the financial services industry we can vouch for the losses incurred by the industry due to online account takeovers.
The FFIEC guidance essentially breaks down to three primary recommendations or activities:
- Periodic risk assessments (“prior to implementing new electronic financial services, or at least every twelve months”)
- Layered security
- Customer awareness and education
The FFIEC’s press release (July 28, 2011) states that regulatory examiners will focus on this issue starting next year: “The FFIEC member agencies [FDIC, NCUA, OCC, OTS] will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012”. This means that banking industry players should expect to show examiners that they have taken some action in this regard by the time of their 2012 regulatory examinations. While healthcare organizations are not regulated by the FFIEC member agencies, this guidance provides a practical approach to managing risk in an increasingly risky online environment.
We strongly urge any organization that requires user authentication for sensitive online transactions to evaluate the guidance, Authentication in an Internet Banking Environment, and ensure that your controls are evolving commensurate with the nature of the online transactions you provide your customers as well as the evolving nature of the risk.
Furthermore, because so many banks and healthcare organizations (both providers and payers) rely on third-party software for their online services, we recommend that you push your vendors for better controls. While some of the smaller upstarts (such as online banking service providers and new EMR vendors) are agile and aggressively pushing new controls for differentiation, some of the more established players can be slower to react to the dynamic nature of security threats. Given how difficult it can be to move to a new system, there is not always much leverage to make service providers aggressively improve their offerings. Nonetheless, I urge both banks and healthcare organizations to push hard for improved controls.