The comment period recently closed on NIST special publications discussing digital identity guidelines, which could potentially impact healthcare organizations working to improve their healthcare data security measures.
“Identity proofing establishes that a subject is actually who they claim to be,” the guideline authors wrote. “Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.”
The guidelines also “provide mitigations of the negative impacts induced by an authentication error by separating the individual elements of identity assurance into discrete, component parts.”
Overall, NIST had opened discussion for four specific guidelines, each covering a slightly different aspect of digital authentication:
- Digital Identity Guidelines
- Enrollment and Identity Proofing
- Authentication and Lifecycle Management
- Federation and Assertions
NIST stressed the importance of risk management with regard to digital identity guidelines, stating that “by combining appropriate risk management for business, security, and privacy side-by-side with mission need,” organizations can select the Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) they require.
IAL refers to the identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber, according to NIST. AAL refers to the authentication process itself.
There is also the Federation Assurance Level (FAL), which refers to the assertion protocol used in a federated environment to communicate authentication information.
“Agencies may determine based on their risk analysis that additional measures are appropriate in certain contexts,” the guideline explained. “In particular, privacy requirements and legal risks may lead agencies to determine that additional authentication measures or other process safeguards are appropriate.”
Risk assessments also drive the identity proofing, authentication, and federation processes, NIST stated.
“These determinations drive the relevant choices of applicable technologies and mitigation strategies, rather than the desire for any given technology driving risk determinations,” the guideline authors wrote. “Once an agency has completed the overall risk assessment; selected individual assurance levels for identity proofing, authentication, and federation (if applicable); and determined the processes and technologies they will employ to meet each assurance level, agencies SHALL develop a ‘Digital Identity Acceptance Statement.’”
Agencies should implement identity services following the guideline requirements, NIST maintained, and are also “encouraged to consider additional techniques and technologies to further secure and privacy-enhance their services.”
“Agencies MAY determine to partially implement the NIST recommended guidance based on their mission risk tolerance, existing business processes, special considerations for certain populations, availability of data that provides similar mitigations to those described in this suite, or due to other capabilities that are unique to the agency,” the guideline said.
“Agencies SHALL demonstrate comparability of compensating controls when the complete set of applicable 800-63 requirements are not implemented. That said, agencies SHALL NOT alter the assessed value based on agency capabilities.”
Healthcare data security can greatly benefit from proper authentication measures, with OCR even urging providers to review their safeguards to ensure necessary authentication is being utilized.
OCR explained in its November 2016 cybersecurity newsletter that healthcare organizations “usually use login passwords or passphrases to access information on public or private networks, internet portals, computers, medical devices, servers, and software applications.”
Authentication is usually based on one or more specific factors, such as a password, a fingerprint or voiceprint, or a smart card.
“The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement reasonable and appropriate authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed,” OCR stated.
A comprehensive, accurate, and thorough risk analysis for the entire organization will help identify potential ePHI vulnerabilities, according to OCR. Additionally, it can aid in identifying vulnerabilities in current authentication methods and practices.
OCR also suggested healthcare organizations consider the NIST Electronic Authentication Guideline as a resource. That NIST guide also recommends a thorough risk assessment to find which safeguards will best assist an organization.
“After completing a risk assessment and mapping the identified risks to the required assurance level, agencies can select appropriate technology that, at a minimum, meets the technical requirements for the required level of assurance,” NIST stated.