- Protecting patient privacy is an essential aspect to any healthcare organization’s data security plan. However, employees still need to be able to access that data. Being able to properly manage accounts can be critical to ensuring patient privacy, and a recent guide from The National Institute of Standards and Technology (NIST) could potentially affect that process.
NIST is seeking comments on a new project “focused on protecting privacy and security when reusing credentials at multiple online service providers.” The guide is titled Privacy-Enhanced Identity Brokers, and was written by The National Cybersecurity Center of Excellence (NCCoE), in partnership with the National Strategy for Trusted Identities in Cyberspace National Program Office.
“As enterprises move more services online, many have given customers the option to use third-party credentials to access their services, rather then asking them to create and manage a new accounts,” NCCoE explained in an executive summary. “For example, you can use your social media account login to access your fitness tracker account. In effect, the social media company is vouching that the same person is logging in each time they access the tracker website.”
NCCoE added that third-party credentials can benefit businesses because it can save time and resources when it comes to managing identities. Users can also benefit from not having to remember another username, password, or a second-factor credential, according to NCCoE.
As managing each third-party integration can be time consuming, the document explains the technical challenges of adding privacy-enhancing technologies to existing products or services. Moreover, it discusses the necessary technical controls to properly address the potential privacy risks.
Feedback will help in creating an 1800-series NIST Cybersecurity Practice Guide, NCCoE said in a statement. The guide “will demonstrate the example solution and provide all the information necessary to replicate the reference design.”
The dominant solution is a service called brokered identity management in which ‘identity brokers’ manage the integration relationships between organizations and credential providers. Organizations can use an identity broker to manage multiple third-party credentialing options instead of having to manage each separately. However, for users, there is a concern that these connections create the opportunity for a breach, or exposure of personal information, as well as for the broker to track a user’s online activity.
NIST has been working to ensure that organizations across numerous sectors - healthcare included - can benefit from assistance in online security options. As previously reported by HealthITSecurity.com, NIST recently released the Trust in Email guide, which describes ways to improve email security options.
“Following a description of the general email infrastructure and a threat analysis, these guidelines cluster into techniques for authenticating a sending domain, techniques for assuring email transmission security and those for assuring email content security,” NIST explained.
Authenticating sender domains is one of the primary methods for increasing email security, NIST said, as it protects against spoofing and phishing incidents because it provides the recipient with information regarding the sender.
“Email communications cannot be made trustworthy with a single package or application. It involves incremental additions to basic subsystems, with each technology adapted to a particular task,” the organization stated. “These can be implemented discretely or in aggregate, according to organizational needs.”