Stimulating Strong Authentication

David Ting
Feb 03, 2012

The stimulus package recently signed by President Obama has been the cause of vigorous debate. One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by creating a central repository of computerized medical records for all Americans. An increase in electronic health information on this scale greatly increases the exposure to a security breach, which is our focus today.

While the program sets high goals of making records accessible, improving healthcare efficiency and reducing costs, security for a program of this magnitude needs to take a zero-gap approach: removing every security weakness that could lead to a data breach. When you consider the number of sources of medical information and the number of healthcare employees across the country, security for a project of this size presents enormous challenges.

So where do we start? From a data security standpoint, a lot can be learned from hospitals and healthcare facilities that have spent years focused on HIPAA compliance, and from other countries that have already adopted digital medical records.

We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files that were commonplace in the industry. OhioHealth took an innovative approach to securing patient data from the access standpoint, making single sign-on the core of its authentication strategy: employees reach the applications and information they need only after first authenticating with a biometric device or a strong password.

Controlling access is only part of the equation. Once a user is in, there is a need to monitor and control how the information is used, preventing a breach after initial access has been granted. Even when a user has been properly authenticated, what happens when the clinician walks away and leaves the workstation unlocked with the session still open? The session needs to lock after a short period of inactivity and require re-authentication before work resumes. And when a life-or-death critical order needs to be placed, or a prescription filled, the specific doctor, nurse or clinician must be tied to that activity in an audit trail, which means confirming the individual's identity at the point of the order rather than trusting whoever happens to be at a session someone else started.
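The following is an added example (not code from the post, from OhioHealth or from any vendor product) of the three controls described above: a shared clinical workstation that discards an idle session, requires step-up re-authentication before a critical order, and writes an audit record naming the authenticated user. The credential store, the 300-second inactivity timeout, the 60-second re-authentication window and the audit HMAC key are constructed assumptions for the demonstration; a real deployment would verify credentials against a directory or biometric matcher and keep the audit key off the workstation.

```python
# Added example; the credential store, timeouts and audit key are assumptions.
import hashlib
import hmac
import json
import time

# Constructed demo store: user -> (auth method, sha256 of secret); not a real scheme.
_CREDENTIALS = {
    "dr_smith": ("password", hashlib.sha256(b"correct horse battery").hexdigest()),
}
_AUDIT_KEY = b"demo-audit-key"  # assumed; keep the real key off the workstation

class SessionLocked(Exception):
    """Session used after the inactivity timeout (walk-away)."""

class ReauthRequired(Exception):
    """Critical order attempted without sufficiently fresh authentication."""

def verify_credential(user, secret):
    """Return the auth method if secret matches the stored digest, else None."""
    method, digest = _CREDENTIALS.get(user, (None, ""))
    presented = hashlib.sha256(secret.encode()).hexdigest()
    return method if hmac.compare_digest(presented, digest) else None

def _mac(record):
    body = {k: v for k, v in record.items() if k != "mac"}
    return hmac.new(_AUDIT_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

def verify_audit(records):
    """True if no record has been altered since it was written."""
    return all(hmac.compare_digest(_mac(r), r["mac"]) for r in records)

class Workstation:
    def __init__(self, timeout=300, reauth_window=60, clock=time.time):
        self.timeout = timeout              # seconds of inactivity before the lock
        self.reauth_window = reauth_window  # max age of auth for a critical order
        self.clock = clock                  # injectable for a deterministic scenario
        self.session = None
        self.audit = []

    def _record(self, user, action, method, **detail):
        rec = {"ts": self.clock(), "user": user, "action": action,
               "auth_method": method, "detail": detail}
        rec["mac"] = _mac(rec)
        self.audit.append(rec)
        return rec

    def login(self, user, secret):
        method = verify_credential(user, secret)
        if method is None:
            raise PermissionError("authentication failed")
        now = self.clock()
        self.session = {"user": user, "method": method,
                        "authenticated_at": now, "last_activity": now}
        self._record(user, "login", method)

    def _active_session(self):
        s, now = self.session, self.clock()
        if s is None or now - s["last_activity"] > self.timeout:
            self.session = None  # walk-away: the idle session is discarded
            raise SessionLocked("no active session; authenticate again")
        s["last_activity"] = now
        return s

    def place_order(self, order, critical=False, secret=None):
        """Attribute an order to the user; critical orders need fresh auth (step-up)."""
        s = self._active_session()
        if critical and self.clock() - s["authenticated_at"] > self.reauth_window:
            if secret is None:
                raise ReauthRequired("confirm identity to place a critical order")
            if verify_credential(s["user"], secret) is None:
                raise PermissionError("re-authentication failed")
            s["authenticated_at"] = self.clock()
        return self._record(s["user"], "order", s["method"],
                            critical=critical, order=order)

def run_scenario():
    clock = [1000.0]
    ws = Workstation(timeout=300, reauth_window=60, clock=lambda: clock[0])
    heparin = {"drug": "heparin", "dose": "5000 units"}
    out = {}
    ws.login("dr_smith", "correct horse battery")
    clock[0] += 301  # clinician walks away; the unattended session expires
    try:
        out["after_walkaway"] = ws.place_order(heparin, critical=True)
    except SessionLocked:
        out["after_walkaway"] = "locked"
    ws.login("dr_smith", "correct horse battery")  # returns and authenticates again
    clock[0] += 90   # beyond reauth_window, so a critical order needs step-up
    try:
        out["critical_stale"] = ws.place_order(heparin, critical=True)
    except ReauthRequired:
        out["critical_stale"] = "reauth_required"
    out["critical_fresh"] = ws.place_order(heparin, critical=True,
                                           secret="correct horse battery")
    out["audit_ok"] = verify_audit(ws.audit)
    ws.audit[0]["user"] = "someone_else"  # doctor the first log entry
    out["audit_tampered"] = verify_audit(ws.audit)
    return out
```

The idle check is evaluated on every action rather than by a background timer, so a session that sat untouched past the timeout is rejected the moment anyone tries to use it, whoever that is. The re-authentication window is deliberately separate from the inactivity timeout: a session can be perfectly active and still too stale to vouch for a critical order. Each audit record carries an HMAC over its own contents, so a later edit to the user field is detectable; a production log would also chain records or ship them to a write-once store.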

Making the medical records of hundreds of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem, one that will need to be addressed before the program can move forward in earnest.

What are your thoughts? Email me and let me know.