
Improving Authentication for Online Services

Posted by John Abraham in Main

The FFIEC (Federal Financial Institutions Examination Council), the interagency body that creates unified standards across the various banking regulators, recently issued new guidance on managing the risks of user authentication for online transactions. The guidance is practical and is relevant to any industry in which sensitive transactions are conducted online. It obviously applies to banks, but it applies just as well to healthcare organizations. As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and with it a growing risk that someone will steal their credentials and log into their online account.

First, it’s important to understand why the FFIEC issued the new guidance. They make that very clear: current authentication strategies are not working. The FFIEC cites the loss of “hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers” based on the government’s IC3 Annual Internet Crime Reports. With our extensive experience in the financial services industry we can vouch for the losses incurred by the industry due to online account takeovers.

The FFIEC guidance essentially breaks down to three primary recommendations or activities:

  1. Periodic risk assessments (“prior to implementing new electronic financial services, or at least every twelve months”)
  2. Layered security
  3. Customer awareness and education

The FFIEC’s press release (July 28, 2011) states that regulatory examiners will focus on this issue starting next year: “The FFIEC member agencies [FDIC, NCUA, OCC, OTS] will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012”. Banking industry players should therefore expect to show examiners that they have taken action on this by the time of their 2012 regulatory examinations. While healthcare organizations are not regulated by the FFIEC member agencies, the guidance provides a practical approach to managing risk in an increasingly hostile online environment.

We strongly urge any organization that requires user authentication for sensitive online transactions to evaluate the guidance, Authentication in an Internet Banking Environment, and to ensure that your controls evolve in step with both the nature of the online transactions you offer your customers and the changing nature of the risk.

Furthermore, because so many banks and healthcare organizations (both providers and payers) rely on third-party software for their online services, we recommend that you push your vendors for better controls. While some of the smaller upstarts (such as online banking service providers and new EMR vendors) are agile and aggressively adding new controls to differentiate themselves, some of the more established players can be slower to react to the dynamic nature of security threats. Given how difficult it can be to move to a new system, there is not always much pressure on service providers to improve their offerings aggressively. Nonetheless, I urge both banks and healthcare organizations to push hard for improved controls.

Healthcare IT – Key Security Areas to Get Right

Posted by John Reno in Main

According to datalossDB.org, over 110 healthcare organizations have reported the loss of sensitive PHI and/or PII data affecting 5,306,000 people since January 1998. Over 40 percent of the losses were related to theft of laptops, tapes or other media. Another 27 percent were the result of loss or negligence by staff or third parties. Malicious insiders were responsible for 20 percent and external attacks for 9 percent, with the remaining 2 percent unknown. Given that the problem is highly likely to grow with the advent of greater information sharing through systems such as health information exchanges (HIE), it is critical to apply security resources effectively and efficiently.

While external attacks often get the headlines, the data clearly shows they are only a small part of the problem. Outlined below are a few recommendations for key security areas to get right. Focusing on these areas will help prevent data loss, save money on compliance violations and, in the end, create value through systems that securely support the mission of the organization.

• Policy – Invest up front in analysis of policy requirements. Ensure the policies support both security and business goals. Guard against policies that are not enforceable. Complete a review of the policies with a trusted security assessment firm. Budget for training and awareness when rolling out the policies.

• Encryption – Use it with all PII and PHI data. Do not “roll your own”. Build on the wisdom of others and the vendor community. Spend time to architect and review your key management scheme. Make sure it is supported across the entire lifecycle of the data.

• Authentication and authorization – This is a critical defense layer against attackers and malicious insiders, and it is also the mechanism that drives ease of use (and thus productivity). As with encryption, don’t be tempted to roll your own because you have “special needs”. Use well-tested vendor solutions or open-source libraries such as OWASP ESAPI.

• Third party assessment of the overall system – Invest in an information security assessment from a trusted vendor with healthcare domain expertise. The investment will pay back in terms of reduced cost of compliance, data breach penalties avoided, and value delivered to the users of the system.

• Change management – Ensure the change management process is well understood. Functional testing is a given, but security controls and policies must be thoroughly checked with each release (whether major or minor).
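The encryption bullet above says to build on vetted primitives rather than rolling your own, and to design key management so it covers the whole lifecycle of the data. As an added illustration that is not part of the original post, the Go program below does exactly that with nothing but the standard library: it seals a PHI record with AES-256-GCM, stamps each record with the version of the key that protected it, binds the record to its owner through the AEAD associated data, and walks through key rotation, re-encryption of stored records and retirement of the old key. The KeyRing type, the in-memory key generation and the sample record are assumptions for illustration; a real deployment would keep the keys in an HSM or KMS and store the version-to-key mapping there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRing holds AES-256 data-encryption keys by version. In production the keys
// would come from an HSM or KMS; here they are generated in memory (assumption).
type KeyRing struct {
	current uint32
	keys    map[uint32][]byte
}

// NewKeyRing returns a ring holding one freshly generated key, version 1.
func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: map[uint32][]byte{}}
	return kr, kr.Rotate()
}

// Rotate makes a new key current. Old versions stay readable until retired.
func (kr *KeyRing) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

// Retire zeroes and drops a key version; records still sealed under it become
// unrecoverable, so Rewrap stored data first. The current key is never dropped.
func (kr *KeyRing) Retire(version uint32) {
	if k, ok := kr.keys[version]; ok && version != kr.current {
		for i := range k {
			k[i] = 0
		}
		delete(kr.keys, version)
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under the current key. Record layout:
// 4-byte key version || 12-byte random nonce || ciphertext+tag. The version and
// a caller-supplied context (e.g. the owning patient ID) are bound as associated
// data, so a ciphertext cannot be moved to another patient's row or redirected
// to a different key version without failing authentication.
func (kr *KeyRing) Seal(plaintext, context []byte) ([]byte, error) {
	g, err := newGCM(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+g.NonceSize()+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(out, kr.current)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := append(out[:4:4], context...) // version || context, copied out of `out`
	out = append(out, nonce...)
	return g.Seal(out, nonce, plaintext, ad), nil
}

// Open decrypts a record with whichever key version it names.
func (kr *KeyRing) Open(record, context []byte) ([]byte, error) {
	if len(record) < 4+12+16 { // version + GCM nonce + GCM tag
		return nil, errors.New("record too short")
	}
	key, ok := kr.keys[Version(record)]
	if !ok {
		return nil, fmt.Errorf("key version %d unavailable (retired or unknown)", Version(record))
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	ad := append(record[:4:4], context...)
	return g.Open(nil, record[4:4+ns], record[4+ns:], ad)
}

// Rewrap re-encrypts a record under the current key; run it over stored data
// after Rotate and before Retire.
func (kr *KeyRing) Rewrap(record, context []byte) ([]byte, error) {
	pt, err := kr.Open(record, context)
	if err != nil {
		return nil, err
	}
	return kr.Seal(pt, context)
}

// Version returns the key version a record was sealed under.
func Version(record []byte) uint32 { return binary.BigEndian.Uint32(record[:4]) }
```

A typical lifecycle is `Seal` a record under version 1 with context `patient:1001`, `Rotate` to version 2, `Rewrap` every stored record so it now carries version 2, then `Retire(1)`. After that, a stale copy of the version-1 ciphertext can no longer be opened, a record presented with another patient's context fails authentication, and a flipped ciphertext byte is rejected rather than decrypted to garbage.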

Clearly, there are many additional security concerns, but focus on these areas should yield high return in terms of the value of your system and the protection of your data.