SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!

Identity 360 - An Imprivata Blog

Medical ID Theft and Tying Patients to Electronic Records with Strong Authentication

June 26, 2009 at 7:15 AM by David Ting

The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance – the regulations protect the medical information of the ID thieves as well as yours.

Medical ID theft is an issue that can impact anyone. From a financial standpoint, if your identity is stolen and then used to receive emergency care, the insurance payments and collections can follow you around for years – often without the victim even knowing it. This can destroy credit ratings or create a situation where insurance benefit limits are already exceeded at the time a legitimate claim is made.

More important than the financial impact is the potential impact on the healthcare or treatment a victim receives. Once a medical ID is stolen and used to receive treatment, the medical records can now contain erroneous medical history information. This can lead to a fatal mistake in an emergency care situation.

I’ve blogged about some of the data security and strong authentication concerns that come with accessing electronic patient records from the clinician point of view. Some healthcare providers I’ve spoken to are looking to strong authentication to solve the medical ID theft problem as well, using technologies like biometric authentication to securely and uniquely tie patients to their records.

This would create a seamless environment where clinicians are authenticated for access to applications and information, while patients are authenticated to their medical records. This will be a critical component of the success of EMRs as these systems begin sharing information between healthcare providers. Strong authentication will be critical not only from a data security perspective; it could also prevent a situation where a patient receives improper care.

Tags: medical_records, healthcare, strong_authentication, HIPAA_compliance, EMR


Strong Authentication Best Practices for Success Webinar with Forrester Research

June 18, 2009 at 1:07 PM by David Ting

Join us for an informative session on the “Do’s and Don’ts” of employee access management next Wednesday, June 24. Forrester Research’s Bill Nagel will lead the discussion on what organizations should do to improve security with strong authentication.

In addition, the session will discuss the pros and cons of various strong authentication methods, explain why a single point of authentication to the network is key to employee access and provide examples of a wide range of implementations via real-world case studies.

Register for the event today and join us on the 24th at 11:00 AM ET to hear useful advice from a leading analyst on implementing strong authentication in your environment.

Tags: strong_authentication


Five Things to do in Identity Management this Summer

June 15, 2009 at 8:20 AM by David Ting

Theoretically, as employees go on vacation during the summer months, there will be fewer demands on your IT team. Realistically, we know that’s not true and it seems like there is actually more to do. However, summer can provide the opportunity to step back and evaluate the state of your identity and authentication management infrastructure and policies. Here are five things that are easy to overlook throughout the year that you should consider doing this summer:

1. Check for Ghost and Orphaned Accounts: User provisioning and de-provisioning of accounts can happen in a flurry of activity, especially during times like these when turnover in the workforce is common. In the haste to move through the termination process, accounts are left open or missed – even in those organizations with the tightest policies and procedures. Often a user’s primary network credentials are locked, but what about remote access accounts or critical application accounts? Use this time to eliminate any that may be in question.

2. Map the Apps: Take an inventory of what apps are running in your environment. Are they all approved? Any that are ‘rogue’? Are any being used that are not tied to identities at your organization? Getting a clear view of the application population can help ensure holes are plugged, policies followed and data security is optimal. This gets much harder to do as organizations increasingly subscribe to services that are not managed by IT. Getting a handle on those accounts will become even more important as we rely more on applications delivered by service providers.

3. Cut Costs by Weeding Out Unused Application Licenses: While you’re mapping what apps are in your environment, cross-examine their usage by analyzing the activity logs of your employees’ identities. Are there shared accounts and passwords being used inappropriately? Are there under-utilized applications? Are you paying for more licenses than you need for an application? There’s a treasure trove of cost savings to be found if you take the time to dig into your identity and application logs. If you can squeeze savings out of somewhere unexpected, your CFO will love you.

4. Let Your Fingers do the Walking: If you’re not using finger biometrics or proximity cards, give these user authentication technologies a try. They are relatively inexpensive and can easily integrate into most identity management systems nowadays. Pull in a small focus group to try them out, and see how they can improve employee productivity while strengthening security… and minimizing password management help desk calls to your team.

5. Reconnect with Your Customer: Review the identity policies and procedures you’ve set forth for your organization. When were they originally created? Has anything changed? Are there new industry regulations your organization must adhere to? Examine user authentication requirements, the strong authentication modalities that are available to your employees and the password management parameters to follow. Update and distribute the policies, and schedule a series of brief sessions to educate your user base on the security best practices to follow. Remember that your customer base is everyone that interacts with or uses the IT system.

What else are you doing during these summer months? Any best practices to share? We’d love to hear them.
--David

Tags: finger_biometrics, user_, strong_authentication, authentication_management, password_management, security, data, authentication


Access Management Questions to Ponder

June 4, 2009 at 6:07 PM by David Ting

I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned, but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever growing litany of tales of breaches that we’ve been hearing about.

If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:

Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves an organization, too often their access to sensitive applications and information is left open. Organizations run into trouble when accounts can’t be quickly deactivated, or when they lack a direct correlation between employee names and the accounts those employees were credentialed to access.
By using technologies like single sign-on, organizations can view access records, employee access rights, and accounts that need to be removed. Deactivating orphaned account access is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to specific systems? If an employee leaves, can we quickly deactivate access? Do we have the means to gain visibility into what application accounts our users access? If you don’t, then it is time to think about how to regain some control.

Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other – this doesn’t have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, but at the lowest level of access that still lets them do so.
Questions to ask: Do we understand what privilege levels each individual user has been given? Do they have the lowest level of access privilege required to do their job? What mechanisms do we have to elevate their privilege level, even temporarily, and can we control it?

Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication policy. Assigning access by organizational role provides greater insight into what applications users are touching and whether their access rights are in accordance with the privileges those roles provide. Organizations usually have little to no role definition, or go to the other extreme by creating too many roles, which can be unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again, the question goes back to having enough information on what applications your users are actually touching. Single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.

Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations are faced with a situation that requires backup or recovery, only to find out that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure they have no dependencies on administrative accounts or employees that may have left the organization. It’s like testing a fire system – you have to make sure it works. In this instance, backup systems will only work if you still have control over them.

Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords that may reside only with individual employees?
If you ask yourself these questions and answer “no” to any of them, then you may be at risk. What questions keep you up at night? Email me and let me know.
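An added reconciliation example, not code from the original posts or from any Imprivata product, that serves both the ghost and orphaned account check in “Five Things to do in Identity Management this Summer” and the orphaned-account and role questions above: it compares a constructed HR roster against per-system account inventories, then checks a constructed SSO usage report for activity outside a user’s defined role or by a login that is no longer an active employee. The roster, inventory, role map and log format are all assumptions.

```python
# Constructed data: roster, account inventory, role policy and SSO usage report
# are invented for this example; the formats are assumptions, not a real export.
ROSTER = {  # HR roster: login -> (employment status, organisational role)
    "asmith": ("active", "nurse"),
    "bjones": ("active", "auditor"),
    "cwong": ("terminated", "auditor"),
}
# Account inventory: system -> {account: owner login or None}; None = ghost account.
ACCOUNTS = {
    "network": {"asmith": "asmith", "bjones": "bjones", "cwong": "cwong"},
    "vpn": {"cwong": "cwong", "vendor01": None},
    "finance": {"bjones": "bjones", "cw_backup": "cwong"},
}
# Role policy: the applications each role is expected to touch.
ROLE_APPS = {
    "nurse": {"emr", "network"},
    "auditor": {"finance", "network", "vpn"},
}
# SSO usage report, one "timestamp login application" entry per line.
SSO_LOG = """\
2009-06-01T08:12:00 asmith emr
2009-06-01T09:30:00 bjones finance
2009-06-02T17:45:00 asmith finance
2009-06-03T22:10:00 cwong vpn
"""


def orphaned_accounts(roster, accounts):
    """Accounts whose owner has left, or that map to no identity at all."""
    findings = []
    for system, entries in accounts.items():
        for account, owner in entries.items():
            if owner is None or owner not in roster:
                findings.append((system, account, "no identity"))
            elif roster[owner][0] != "active":
                findings.append((system, account, "owner terminated"))
    return sorted(findings)


def out_of_role_access(roster, role_apps, log_text):
    """Usage outside the user's role, plus any activity by a non-active login."""
    findings = []
    for line in log_text.splitlines():
        ts, user, app = line.split()
        status, role = roster.get(user, ("unknown", None))
        if status != "active" or app not in role_apps.get(role, set()):
            findings.append((ts, user, app))
    return findings
```

Every finding from `orphaned_accounts` is a de-provisioning ticket; every finding from `out_of_role_access` is either a role definition that needs widening or an access that should be reviewed.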
