
Identity 360 - An Imprivata Blog



filter by tag: two-factor authentication

Five Security Considerations when Deploying EMR

November 17, 2009 at 8:22 AM by David Ting

EMRs are the hot topic du jour, and rightfully so given the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now turning to the role of secure access in deploying EMRs, and I project this will grow in importance and awareness in 2010.

To stay ahead of things, here are five security considerations organizations should plan for as they deploy EMRs:

  • The User's Perspective is Vital

    Just because patient information is moving to an electronic format doesn't mean the number and complexity of passwords needed to access that data decreases.  It is important to consider how this migration will impact clinician workflow, as any hiccup or disruption in the healthcare setting can be detrimental to patient data security.  Single sign-on technologies, for instance, not only reduce the number of passwords to remember, they also have a direct impact on user workflow and productivity.

  • Strong Authentication Remains a Security Priority

    Combining EMRs with employee workflow improvements can be further augmented by strong authentication: fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, ensure that access is limited to those who are truly authorized.  Readers of this blog already know the importance of strong authentication; its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.

  • Auditing of Access is a Patient Right

    Patients have the right to know who has accessed their information and when, and by law, healthcare organizations are required to track this information.  Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details, including password sharing, which applications users are authorized to access, and which credentials they are using.

  • Compliance is Still King

    Let's not forget that, although hospitals are being incented to use EMR, this transition cannot be made at the expense of compliance.  Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information.  Electronic medical records are more efficient than paper-based systems, but the shift brings with it a new environment that must be proven secure; otherwise there is a risk of fines, penalties and/or reputational damage.

  • Federation of Identities Equates to a New Level of Required Trust

    Federated identity establishes mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access.  This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance.  It also emphasizes the need for secure authentication within one's own system, so that trust with other systems can be guaranteed and the benefits realized.

Tags: Fingerprint_biometrics secure_authentication healthcare_access_management two-factor_authentication strong_authentication password_sharing data_security

OneSign Customers Talk Shop: Fingerprint Biometric Security, Password Management and Security Risk

March 11, 2009 at 7:43 pm by David Ting

We've found that the best resource for understanding how to solve employee access management is our customers.  Over the past week or so a few of them have shared details of their OneSign experiences, and I thought you might want to hear what some of them are saying and doing.

CSOonline.com's Joan Goodchild created a cool video-based interview with Bill McQuaid on how Parkview Adventist combined OneSign with fingerprint biometrics to improve productivity, streamline operations and minimize security risk.  Check it out here.  Bill's key take-aways for deploying systems are:

1. Test, test and test again: with physicians and nurses you only get one chance to get them to buy in (which they did at Parkview)

2. Have a comprehensive training program: training up-front minimizes helpdesk calls later

3. Have a back-up plan: at Parkview, employees have several fingers enrolled in case a fingerprint doesn't scan properly

Over at SearchCIO.com, Linda Tucci chatted with Chuck Christian about Good Samaritan Hospital's single sign-on deployment, capturing the hospital's experience using OneSign for the past four years.  Chuck shares advice on how he evaluated SSO solutions, how he got executive buy-in early on, and once installed, his ability to quickly change employee access (including complete shut-off) and how he deters bad security behavior by ensuring everyone is clearly aware of audit features.  The full story is here, and his advice is worth reading.

Anne Gabriel talks with OneAmerica's Jeff Hornung about the intersection of employee productivity, SSO and security for a story in Insurance & Technology.  Jeff explains his experience rolling out SSO to 1,500 users, and how that has translated into a 15 percent drop in help desk calls (and 50 percent for one specific application!) and enhanced employee productivity.  Next up for OneAmerica?  The life insurer will "leverage Imprivata's two-factor authentication and biometric device capabilities to meet changing needs and regulations" according to the article.

Tell us how you're using OneSign, and what's working for you.  We'd love to hear it.

David

Tags: SSO security_risk Fingerprint_biometrics password_management two-factor_authentication

New York Times article on Single Sign-on: Cryptography vs. Passwords?

August 21, 2008 at 12:00 pm by David Ting

The New York Times recently posted an article decrying passwords as an inadequate defense mechanism amid today's wave of identity theft.  The article goes on to push a cryptography-based approach to log-on systems, touting 'information cards' that rely on a computer-to-computer handshake to authenticate a user, or in this case, a site visitor.  It also rails against the OpenID initiative because of its password-driven approach to SSO for OpenID-enabled Web sites.

I read some of the comments under the article and they are politely saying the same thing: it would be great if all the servers and users out there used PKI to mutually authenticate each other.  Reality: this won't happen unless everyone makes the big switch.  Unfortunately major upheavals like this take tremendous investment.  Major investment indeed, by a lot of people, companies and policy makers.

A relevant analogy is the transition to fiber optics at home.  Thirty years ago we knew it was a better technology that would revolutionize telecommunications, *but*, with copper in place for telephone service, who was going to make the investment to solve the "last mile problem" (the copper that runs between the pole and the phone in your house, not to mention ditching the previous investments put into copper all those years)?  Only now, with telcos being allowed to sell new services such as video content, are they incented to invest the billions of dollars required to bring fiber to the house.

So it is with PKI.  The notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago.  It failed because it required companies to make a significant investment not only to upgrade their server applications to use certificates but, more importantly, to ensure all clients had valid certificates.  The investment and expense required couldn't be justified on the basis of improving security, much less on providing SSO convenience.  If a company has to choose between turning away customers that don't have info cards or certificates and increasing security, which option would it pick?  The existing infrastructure for user authentication will continue to use passwords for a long time, just as we lived with copper and analog voice because the economics weren't there to switch.  Using PKI to reduce user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.

Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor combined with the continuous infrastructure investment already made over the past two decades points to the reality that password-based SSO isn't going anywhere anytime soon.  Are there ways to strengthen the security of password-based SSO without losing its convenience?  Sure: add strong authentication methods like biometrics [check out my post last week] to provide two-factor authentication.  At least there are widespread nearer-term investments being made in that area, in devices all over the world in every industry.

What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about?

-David

Tags: two-factor_authentication biometrics ESSO strong_authentication password_management


Putting my finger on the state of biometrics

August 14, 2008 at 1:30 pm by David Ting

Dave Kearns recently posted an article based on an interview with Upek on the state of things in the world of biometrics, talking about how fingerprint readers are now being built into laptops, keyboards and all types of devices at a dizzying pace. [Disclosure: Imprivata partners with Upek]  It was nice to see Dave addressing the topic of biometrics adoption.

Let's be honest, I spend a good deal of time collecting and vetting these amazing little biometric devices that have proven so valuable to our customers.  Years ago working on civil biometrics programs we had large fingerprint scanners that were nothing more than video cameras that used mirrors, prisms and lenses to obtain an image of a fingerprint.  Today's sensors that are mounted on keyboards, notebooks, electronic door locks and safes are often direct imaging silicon, low-cost sensors capable of producing high quality images with a very small footprint.  Combining biometrics with single sign-on has a strong value prop, as more and more industry and government regulations require two-factor authentication and audit trails for access reporting.  Clearly, this last bit is self-promotional as biometrics is right in Imprivata's sweet spot.  You have to admit the convenience of using a simple finger swipe or touch to access all the applications you need on a daily basis is huge - especially if you have to repeatedly logon and logoff. And hopefully you always bring your fingerprint with you, unless you're having a very bad day.

Seriously though, the combination of biometrics and single sign-on has a natural synergy.  I'll have some more news shortly on the strong authentication front, but in the meantime, when you're thinking of using biometrics and SSO, it's important to take a few things into consideration:

  • Ensure high-end image processing technology is embedded in the commercial product you are looking at.  There are many solutions out there, and some cost more than they should, so keep an eye out for the balance between cost and system capabilities.
  • Look for solutions that limit the failure rate, i.e. "False Accepts" and "False Rejects."  While it is impossible to guarantee that there won't ever be a false accept, keeping the rate better than 1 in 1 million is important.
  • For most end-users, authentication is something they want to get done quickly so they can get their job done, so identification or authentication speed is paramount.  Acceptable time for authentication (where you enter a user name) should be within a second, and for identification (where you don't enter a user name) within 2-3 seconds.  Consider the verification speeds of integrated ESSO-biometrics solutions and do a head-to-head comparison of the best alternatives.
  • Focus on solutions that can handle a wide range of finger image presentations with high accuracy.  Users don't put their fingers at the same angle or position within the sensor, or swipe the same way, as they did during enrollment, so a robust solution that can handle variability ensures user adoption.  Test the system to see what finger placements are allowed to gauge the user experience: try placing the finger at a different angle or swiping at different speeds.  Test with dry, moist, dirty, or oily fingers (right after you've had that French fry) and, above all, try using it by touch alone with your eyes closed.
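As an added illustration (not code from the post or from Imprivata), here is how the "1 in 1 million" false-accept target from the bullets above interacts with the authentication-versus-identification distinction: in identification mode a stranger's finger is compared against every enrolled template, so the system-level false-accept rate grows with the size of the enrolled population. The match scores are constructed, and the calculation assumes each template comparison is an independent trial.

```python
import math

# Constructed matcher scores in [0, 1], higher = stronger match.
# These are made-up samples, not real sensor data.
GENUINE = [0.93, 0.89, 0.95, 0.71, 0.86, 0.90, 0.62, 0.97, 0.84, 0.88]
IMPOSTOR = [0.10, 0.22, 0.35, 0.18, 0.41, 0.08, 0.55, 0.27, 0.31, 0.66]


def error_rates(genuine, impostor, threshold):
    """FAR = fraction of impostor scores accepted at this threshold,
    FRR = fraction of genuine scores rejected at this threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(genuine, impostor, max_far):
    """Lowest threshold whose FAR on the impostor sample is within max_far.
    Scanning upward from the smallest score keeps FRR as low as possible.
    Returns (threshold, far, frr), or None if no threshold satisfies max_far."""
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def identification_far(verify_far, enrolled):
    """Probability that a stranger matches at least one of `enrolled` templates
    in a 1:N identification search, assuming independent comparisons."""
    return 1.0 - (1.0 - verify_far) ** enrolled


def max_gallery_size(verify_far, target_far):
    """Largest enrolled population for which identification_far stays
    within target_far, given the per-comparison (1:1) false-accept rate."""
    return math.floor(math.log1p(-target_far) / math.log1p(-verify_far))


if __name__ == "__main__":
    # On the constructed samples, a strict threshold costs genuine users.
    print("no false accepts on sample:", pick_threshold(GENUINE, IMPOSTOR, 0.0))
    # A 1-in-a-million 1:1 rate against 1000 enrolled users is ~1 in 1000.
    print("1:N FAR, N=1000:", identification_far(1e-6, 1000))
    print("max N for 1-in-1000 overall:", max_gallery_size(1e-6, 1e-3))
```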

What do you think about biometrics? Are you using it in your environments?  Is it tied to your SSO system?  What type of biometrics are you using?

-David
Tags: SSO biometrics ESSO strong_authentication two-factor_authentication

Strong Authentication at the Point of Transaction

August 7, 2008 at 3:07 pm by David Ting

As more and more industries shift towards paperless transactions, organizations are realizing that identity-based regulations are becoming more common and stringent across various industries. As a result, transaction-level authentication will be the norm in any situation where a person's identity is an important element of the transaction.

Recently, according to a Federal Computer Week article, the Drug Enforcement Administration proposed rules to allow e-prescribing of controlled substances, such as painkillers and stimulants. The proposed rules require doctors to use two forms of identification for each transmission of e-prescriptions for controlled substances in addition to an annual audit of each system by a certified public accountancy. Under current rules, doctors may use e-prescribing for most prescriptions but must sign a written prescription for Schedule II controlled substances, such as Nembutal, OxyContin and opium. The DEA rule, if it becomes final, would allow doctors to use the same system for generating and transmitting all prescriptions.

In addition, other industries are keenly exploring transaction-level security. Wherever there is a need for an absolute audit trail, wherever there is strict regulation like GLBA, HIPAA and PCI -- whether government-driven or industry-driven -- transaction level security is becoming a crucial element that both companies and software vendors must take into consideration as organizational processes shift toward paperless transactions. Here is a snapshot of notable industries and the activities that are sparking interest in transaction-level security:
  • Healthcare: electronic pharmacy transactions involving either high-value or high-volume purchases of prescription drugs
  • Banking: electronic funds transfers where cash is moved in and out of accounts
  • Legal: document and transaction tracking is key to ensuring a deal is legitimate and authorized
  • Pharmaceutical: adding or updating testing data
  • Manufacturing/logistics: controlling inventory

I believe that these positive identification requirements are just the tip of the regulation iceberg.  Moreover, the business case for transactional strong authentication is very appealing, as authenticated electronic transactions make for a more efficient and accountable order system.

Are you about to embark on a paperless journey? How are you dealing with strong authentication with your transactions? I'd love to hear your stories.

-David

Tags: strong_authentication two-factor_authentication

Where’s your Remote Control?

July 17, 2008 at 3:05 pm by David Ting

Managing the Increasing Vulnerability of a Decentralized Workforce

More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere in order to be productive.  Being productive is good.  Behaving less responsibly is not.  I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling.  Here are a few that stood out for me:

  • 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
  • Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files

So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down.  And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.

Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials.  This makes it impossible to trace any action back to an individual.

I want to restate the problem: most organizations have a nebulous process for shutting down access for remote workers (past and present!).  In many cases, consultants can still access files and networks from old engagements.  Think of the Lending Tree debacle from earlier this year.  Former employees sharing passwords with outsiders over remote/Web access was the culprit there, and it highlights an important issue.  How many of us know people who claim they can still log in remotely to their former accounts?

Remote access is very problematic because it bypasses the layers (guards, turnstiles, badge readers, etc.) that safeguard computer access within the building, so it is extremely risky to leave open.  This is the reason almost all compliance requirements mandate the shutting down of access as part of an employee/partnership termination process.

I've had discussions with many consultants and found that as businesses shift to a more decentralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged.  The challenge: remote access is often orphaned because it falls between the physical security, IT and networking groups.  Companies shut off physical access, but nobody informs the network manager responsible for remote access, so most often the access privileges are left open.  Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off.  Good, bad or ugly, how do you manage your remote access?

-David Ting
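As an added illustration (not code from the post or from Imprivata), the two audit checks these posts argue for: the "password sharing" reporting called for under the EMR post's auditing point, surfaced here as one credential with overlapping sessions on two different hosts, and the orphaned remote access described in this post, surfaced as logins after the date physical access was revoked. The session records, host names and end dates are constructed sample data.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed session records: (user, host, login, logout). Not real hospital data.
EVENTS = [
    ("rn_jones",  "ED-WS-04",  "2008-07-17 08:00", "2008-07-17 12:00"),
    ("rn_jones",  "ICU-WS-11", "2008-07-17 09:30", "2008-07-17 10:15"),  # overlaps above, other host
    ("dr_patel",  "VPN-gw",    "2008-07-17 20:00", "2008-07-17 21:00"),
    ("ctr_smith", "VPN-gw",    "2008-07-17 22:10", "2008-07-17 23:40"),  # engagement already ended
    ("rn_jones",  "ED-WS-04",  "2008-07-17 13:00", "2008-07-17 17:00"),
]

# Constructed hand-off from HR / physical security: date after which the account
# should have no access at all. This is the record that never reaches the network team.
ACCESS_END = {"ctr_smith": "2008-06-30"}


def parse(events):
    """Turn the string timestamps into datetimes for comparison."""
    return [(u, h, datetime.strptime(a, FMT), datetime.strptime(b, FMT))
            for u, h, a, b in events]


def concurrent_sessions(events):
    """Credentials in use on two different hosts at the same time.
    Returns sorted (user, host_a, host_b) tuples; host pairs are sorted so
    each shared-credential pair is reported once."""
    rows = parse(events)
    hits = set()
    for i, (u1, h1, s1, e1) in enumerate(rows):
        for u2, h2, s2, e2 in rows[i + 1:]:
            # Same account, different workstation, and the intervals overlap.
            if u1 == u2 and h1 != h2 and s1 < e2 and s2 < e1:
                hits.add((u1, *sorted((h1, h2))))
    return sorted(hits)


def orphaned_logins(events, access_end):
    """Sessions that started after the account's access-end date.
    Returns (user, host, login time) for each such session."""
    hits = []
    for u, h, s, _ in parse(events):
        end = access_end.get(u)
        if end and s.date() > datetime.strptime(end, "%Y-%m-%d").date():
            hits.append((u, h, s.strftime(FMT)))
    return hits


if __name__ == "__main__":
    print("possible shared credentials:", concurrent_sessions(EVENTS))
    print("logins after access should have ended:", orphaned_logins(EVENTS, ACCESS_END))
```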

Tags: ESSO simple_sign-on physical-logical_convergence two-factor_authentication access_management

Drowning in Security: Keeping Security Transparent from Users

July 3, 2008 at 10:00 am by David Ting

Users from temporary staff all the way up to the corner office complain about 'drowning in security.'  Why does it take four more passwords to open an email at work, in some cases, than to check a bank balance from the home PC?  The things that make a car safe (airbags, safety glass, crumple zones, etc.) are not obvious to the driver.  What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?

People are resourceful.  They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors.  Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combo of finger biometrics and single sign-on made it less a chore to access.  The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.

What do you think? Are you drowning in security?

-David

Tags: access_management ESSO two-factor_authentication Single_Sign-On

One Small Step for E-Prescriptions, One Giant Leap for Healthcare

July 2, 2008 at 3:15 pm by David Ting

The merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others.  This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions.  It is significant progress, and the latest of many advancements the healthcare sector is driving forward.  There is one area of the electronic prescriptions story, though, that is missing from all of the coverage of the RxHub/SureScripts merger, even though it's an important piece of the equation: authenticating that the prescription drug order is legitimate and truly from an approved physician.  Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.

The Ohio State Board of Pharmacy is on the mark with the requirements calling for "positive identification" for the prescriber with online prescription orders to use "a method that may not rely solely on the use of a private personal identifier such as a password, but also include a secure means of identification such as the following:" including biometrics or proximity badges (Part N in the mandate). 

OhioHealth, on the cutting edge with the opening of an entirely paperless facility (which the WSJ Health blog covered earlier this year), has also taken a significant step in deploying a strong authentication solution to help its physicians and clinicians embrace electronic prescriptions while adhering to the state's mandates surrounding them.  Now many other states are following suit, requiring positive identification and strong authentication for these online orders.  [Disclosure: OhioHealth is using Imprivata technology].  That said, we've been quite involved in the area of transactional strong authentication, especially e-prescription authentication, and it is a crucial component of the online prescription drug order process, as noted in Network World.

The RxHub/SureScripts merger is a big step forward in the industry more broadly realizing the benefits of e-prescriptions, but the role of positive identification in the electronic prescription drug order process cannot be overlooked.  If you think otherwise, just look at how state mandates are driving technology policy at hospitals nationwide - Ohio is just one of many states that are in tune with these issues. 

-David

Tags: two-factor_authentication biometrics ESSO strong_authentication password_management