NIST recently released updated digital identity guidelines for federal agencies looking to create a secure authentication process. While not designed for healthcare authentication specifically, the guidelines could help the industry ensure a more secure password process.
“Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity,” report authors explained. “Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate.”
“For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”
Report authors added that the technical guidelines do not address how to authenticate an individual for physical access, such as being able to enter into a building.
“The strength of an authentication transaction is characterized by an ordinal measurement known as the AAL,” the team stated. “Stronger authentication (a higher AAL) requires malicious actors to have better capabilities and expend greater resources in order to successfully subvert the authentication process. Authentication at higher AALs can effectively reduce the risk of attacks.”
Authenticator threats can be categorized by the compromising factors, according to NIST. For example, an attacker could guess “a memorized secret.”
“An attacker may observe the entry of a PIN or passcode, find a written record or journal entry of a PIN or passcode, or may install malicious software (e.g., a keyboard logger) to capture the secret,” the authors said. “Additionally, an attacker may determine the secret through offline attacks on a password database maintained by the verifier.”
The authentication process could also be compromised through an item being lost or stolen. If a laptop is lost, an attacker may be able to copy a software authenticator, NIST stated.
Authenticator replication is another possibility, which could involve an attacker obtaining a copy of an individual’s fingerprint and then creating a replica.
Eavesdropping, phishing, social engineering, online guessing, and endpoint compromise are also potential ways that the authentication process could be compromised.
NIST suggested several strategies to mitigate these potential threats, including but not limited to the following:
- Multiple factors make successful attacks more difficult to accomplish. If an attacker needs to both steal a cryptographic authenticator and guess a memorized secret, then the work to discover both factors may be too high.
- Physical security mechanisms may be employed to protect a stolen authenticator from duplication. Physical security mechanisms can provide tamper evidence, detection, and response.
- Requiring the use of long memorized secrets that don’t appear in common dictionaries may force attackers to try every possible value.
- System and network security controls may be employed to prevent an attacker from gaining access to a system or installing malicious software.
- Periodic training may be performed to ensure subscribers understand when and how to report compromise — or suspicion of compromise — or otherwise recognize patterns of behavior that may signify an attacker attempting to compromise the authentication process.
- Out of band techniques may be employed to verify proof of possession of registered devices (e.g., cell phones).
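As an added example (not code from the NIST report or this article), a small Python checker that applies the memorized-secret screening the list above describes: a minimum length, a comparison against a list of common or compromised values, and rejection of repetitive or sequential characters and of the account username. The blocklist is a constructed sample, and the minimum length of 8 characters follows SP 800-63B rather than anything stated on this page.

```python
import re
import unicodedata

# Constructed sample blocklist standing in for a list of commonly used or
# compromised secrets; a real verifier would load a large list (assumption).
COMMON_SECRETS = {"password", "123456", "qwerty", "letmein", "welcome", "hospital"}
MIN_LENGTH = 8  # minimum SP 800-63B sets for user-chosen memorized secrets


def normalize(secret):
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret, run=4):
    """True if the secret contains a run of identical characters (aaaa) or of
    consecutive code points in either direction (abcd, 4321) of length `run`."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def matches_blocklist(secret, blocklist):
    """Case-insensitive check that also ignores trailing digits/punctuation,
    so that 'Password1!' is still caught as 'password'."""
    s = secret.lower()
    stripped = re.sub(r"[\d\W_]+$", "", s)
    return s in blocklist or (bool(stripped) and stripped in blocklist)


def evaluate_secret(secret, username="", blocklist=COMMON_SECRETS):
    """Return the reasons a memorized secret should be rejected; an empty
    list means it passes. No composition rules (symbols, case) are imposed."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if matches_blocklist(s, blocklist):
        reasons.append("appears in the common/compromised secret list")
    if is_repetitive_or_sequential(s):
        reasons.append("contains repetitive or sequential characters")
    if username and username.lower() in s.lower():
        reasons.append("contains the account username")
    return reasons
```

Because the screening accepts any characters and only rejects weak or known values, a long passphrase passes while a dictionary word padded with a digit and a symbol does not.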
NIST also recommended that organizations implement a privacy risk assessment for records retention, and also implement unique privacy controls.
“CSPs should be able to reasonably justify any response they take to identified privacy risks, including accepting the risk, mitigating the risk, and sharing the risk,” the report authors explained. “The use of subscriber consent is a form of sharing the risk, and therefore appropriate for use only when a subscriber could reasonably be expected to have the capacity to assess and accept the shared risk.”
With healthcare authentication, organizations must ensure they review their authentication methods and implement the appropriate safeguards.
OCR stressed this in its November 2016 Cybersecurity Newsletter. Covered entities must consider their size, complexity, technical infrastructure, hardware, and software security capabilities when choosing authentication measures.
“The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed,” OCR stated.
A risk analysis will also help identify potential ePHI vulnerabilities or identify any vulnerabilities in current authentication methods and practices.
Entities can also consider single-factor authentication or multi-factor authentication. An example of single-factor is a physician using a password to sign on to a program. The password is something that physician knows, and is the only factor needed to gain access.
With multi-factor, one or two factors are required. This could include a smart card that needs a key to log on, followed by a fingerprint scan.
Healthcare is becoming an increasingly popular target for cyber attacks, and organizations cannot afford to have weak or lackluster security processes in place. Encouraging employees to employ more complicated passwords is an important step to take to help build a comprehensive cybersecurity approach.