Industry Insights with Michael Magrath

Authentication , Healthcare Information Exchange (HIE) , Multi-factor & Risk-based Authentication

Convenience Over Security Is Often Not the Best Policy

Now NIST says SMS authentication is a "no-go"
Convenience Over Security Is Often Not the Best Policy

Forget your password? No problem, just click "reset password" to receive a one-time code sent via SMS to your registered mobile phone. From there you can create a new password to access your account.

Inexpensive and Convenient? Absolutely!

There are so many affordable options available that balance security with usability that healthcare systems must take action and move off passwords and SMS to protect the sensitive, protected health information they store and access. 

Secure? Maybe.

Well, for federal agencies, "maybe" does not make the grade when it comes to security and the National Institute of Standards and Technology has stated in the DRAFT NIST Special Publication 800-63-B, "Digital Authentication Guideline." NIST's position supports what both security professionals and hackers alike have known for years: SMS is insecure, and is no longer suitable as a strong authentication mechanism.

Why? SMS messages are not protected from the wrong eyes seeing them, and there is no assurance that they will actually go to the intended recipient.

Although NIST's requirements apply to federal agencies, in reality, industry has traditionally followed suit. Healthcare is no exception. Since 2010, healthcare organizations deploying electronic prescribing of controlled substance (EPCS) solutions have had to comply with NIST's identity-proofing and two-factor authentication requirements defined in Special Publication 800-63.

Outside of EPCS, healthcare organizations have typically deployed low-cost and convenient authentication solutions. Too often healthcare organizations rely on static passwords to protect their own assets and protected heath information.

With a false sense of security, many healthcare organizations have deployed SMS notifications thinking they have significantly increased security when in reality they have not. SMS peddlers without suitable alternatives talked it up with various buzz phrases, like "out-of-band" and "step-up" authentication, but the reality now is that SMS does not deliver as a secure "second factor," as some may have claimed; attacks against SMS are no longer theoretical but widespread.

The federal government and healthcare organizations have one thing in common: Both are under constant attack in a never ending cyberwar. Google "healthcare breach," and it's easy to see that healthcare is losing. The entire industry - from large payers, to large and small hospitals to single physician practices - is under constant attack and has suffered far too many casualties.

It is critical that healthcare organizations take heed to NIST's draft recommendations. Relying upon obsolete security practices only makes them easy targets. Add SMS to the list that has been dominated by static passwords. In the light of the NIST draft recommendation, the recent announcement by Social Security Administration that it now requires two-factor authentication via SMS could not have been more ill-timed and made me chuckle. It is clear the interagency communications are severally lacking in Washington. Perhaps The Donald or Hillary will address that?

There are so many affordable options available that balance security with usability that healthcare systems must take action and move off passwords and SMS to protect the sensitive, protected health information they store and access.

For more information on VASCO security solutions for healthcare visit https://www.vasco.com/solutions/healthcare-information-security/index.html



About the Author

Michael Magrath

Michael Magrath

Director of Business Development, VASCO Data Security

Magrath is a nationally recognized leader in field of healthcare identity management. A frequent speaker and thought leader, he is an active member of the Identity Ecosystem Steering Group (IDESG) established in response to the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) and participates on IDESG's Healthcare Committee and is a member of HIMSS' Identity Management Task Force. He previously served as Chairman of the Smart Card Alliance's Health & Human Services Council from 2010-2014 where he spearheaded workgroup initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. Currently, Magrath leads the healthcare business group at VASCO Data Security. Prior to VASCO, he served as Director for Identity Solutions for DrFirst and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.