Creating a User Authentication Strategy
Why a Comprehensive Framework is Essential
Sam Curry, chief technologist at RSA, says healthcare organizations need to build a long-term user authentication strategy that creates a comprehensive framework.
"Establish a framework ... and make sure it's intelligence driven; make sure it has a risk engine behind it and make sure that it can learn patterns of behavior," he says in an interview with HealthcareInfoSecurity (transcript below). "That way, you're not just building something and standing up a wall for now; you're, in fact, building an infrastructure that can adapt to how you're going to authenticate people for the next 20 to 50 years."
The Healthcare Information Security Today survey, sponsored by RSA, shows that implementing multi-factor authentication is not one of the top five priorities for technology investments this year. In an interview about the survey results, Curry contends that if organizations shift from a narrow focus on compliance with regulatory requirements to a broader goal of building trust, authentication will become a higher priority.
In the interview, Curry:
- Notes that healthcare organizations can "learn lessons from what banking went through a decade ago" in adopting authentication strategies;
- Addresses the importance of monitoring access to patient information and then analyzing the access data to learn from patterns of behavior;
- Stresses the need to go beyond implementing role-based access controls to apply an expert system and big data tools "to start to monitor how roles shift;"
- Comments on the survey findings that nearly 60 percent of organizations are allowing clinicians to use personally owned mobile devices on the job, pointing to the need to accommodate BYOD to provide better care;
- Urges healthcare providers that have been slow to embrace cloud computing, as the survey confirms, to "put pressure on cloud providers to show you a roadmap" for addressing security.
In addition to serving as chief technologist at RSA, the Security Division of EMC, Curry is chief technology officer of RSA's identity and data protection business. He has more than 18 years of experience in security product management and development, marketing, engineering, quality assurance, customer support and sales. A cryptographer and researcher, he is a regular contributor to several journals.
HOWARD ANDERSON: Making sure that patient records are accessed appropriately is an essential component of any healthcare security strategy. Yet the survey shows that implementing multi-factor authentication ranks seventh on the list of top priorities for technology investments this year, and username and passwords remain the most common authentication method in use. Why isn't implementation of more sophisticated authentication a higher priority?
SAM CURRY: That's a very good question. I think it's a question of maturity for a lot of the organizations. In many instances, folks are having to come from a deficit with respect to security and have to build up their security expertise and maturity. And honestly, there's sort of a carrot-and-a-stick approach. On the one hand, I think we see some regulations that try to encourage the right behaviors early, and that's the carrot side. Then there's the stick side, which if you don't do it you're going to get fined.
In that kind of world, you're either trying to reach for the carrot or trying to avoid the stick, and it's very hard to back up and actually assess what would be the right move to do if we had a lot of time to plan this. You find that folks find regulations that act as a catalyst. They drive changes in behavior. But very often, if people were to step back and ask, "How do we increase trust explicitly in the system?" they might make some different moves.
For that reason, it looks logical to us. You should obviously put authentication at the top of the list. How do you really trust the people that you're dealing with are who they say they are? Yet, very often we're busy chasing the checklist to avoid the fines - the stick. I think that's going to shift in the coming years, but for now it seems obvious authentication should be higher and I think a lot of organizations would be well-advised to stick it on the agenda. Yet, they're still busy avoiding this notion of penalties and fines associated with a lot of the regulations, but they're driving the agenda and, frankly, the budget for now.
ANDERSON: The survey shows that 27 percent of organizations have a web portal that provides patients with some access to certain records, and about a third expect to have one in place soon. What steps should these organizations take to authenticate the identity of patients seeking online access to their records through these portals? And can they learn some lessons from online banking?
CURRY: What are the steps they can take to authenticate the identity of patients seeking access to online records? It's a world of cloud and it's a world of mobile devices, and there's a host of new tools available to identify people. You can start to tap into things like their velocity - their physical velocity and their geo-location. You can start to tap into biometrics and behavior metrics. How do they do things? You can start to pull this together to make decisions in a central place that gives you not just a, "Is this Sam or Howard, yes/no," kind of answer. Instead it gives you, "How much do I trust on a scale of zero to a thousand that this is, in fact, Howard Anderson that I'm speaking to, or that I'm doing a transaction with?" A lot of that has to be tapped into.
But I think the big thing will be to don't think about a widget. Don't think about this as the thing I'll use to authenticate. Instead, think of a framework that can adapt. The bad guys shift their behavior. They're going to learn how to use new tools to break what we thought was unbreakable. There are new technologies that are going to emerge. So instead, establish a framework that has ubiquity and that uses some of these latest technologies like cloud services that can tap into many things and make sure it's intelligence-driven. Make sure it's got a risk engine behind it. Make sure that it can learn patterns of behavior so that you're not just building something and standing up a wall for now; you're, in fact, building an infrastructure that can adapt to how you're going to authenticate people for the next 20 or 50 years.
As for online banking, I'm going to shift gears with that answer and say, perhaps, the first and most regulated place was in fact banking. The reason is it's that old Willy Sutton attribution, which I don't even think he really said: "Why does he rob banks? Because that's where the money is." The bad guys first went to the low-hanging fruit of going after the banks, and so the banks had the first, toughest regulations, especially with things like FFIEC that came out and said, "You really have to make sure you're dealing with the right people." And it was painful. They did it and they started to build business processes that understand what security was and what the landscape of the bad guys was, and eventually they got past where the regulations were and they got quite mature perspectives on security and authentication in the business, not just the security people but in the business.
Healthcare is in very much a similar state. Bad guys are now turning their eyes toward healthcare, and the availability of interconnectedness, a potential for privacy violations as opposed to just outright loss, is enormous in the healthcare space. I think there are a lot of lessons to be learned by looking at what banking went through almost a decade [ago]. Let's not learn those lessons the hard way. Let's instead build on those and get out ahead of it in our space as well.
ANDERSON: The most common way organizations monitor who accesses patient information is by using the audit functions within the applications, such as electronic health records. Is this the best approach to monitoring access?
CURRY: You have to do it. First, collect all the information and then put it in some kind of data structure. The second thing that you have to do is you have to start thinking, "How am I going to sift through it? How am I going to have alarms raised to me, and how am I going to establish patterns in there that are potentially significant and learn from them over time?" I don't just know if something is good or bad, but I know if something has implications from a regulatory perspective or might involve a subtle violation of privacy or patients' rights.
Obviously, monitoring is important. You both have to capture everything, but then you have to think about the taxonomy for what you have at the end and what kind of data structure you want to use with an eye to making intelligence-driven pattern-recognizing technologies able to apply to it in the future. Even if those technologies don't exist now, we can find parallels in things like network and systems management or security information management so that you can bring the right analytics to bear and you can have an intelligence-based way of generating predictive information about how bad guys are behaving, or even how subtle shades of gray, like privacy issues, might be popping out of your data from that pool. Monitor, but think now about the architecture and the data structures you want and the kinds of tools, like big data tools, that you might want to apply to it later.
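The monitoring Curry describes, collecting every access event and then sifting it for significant patterns, can be sketched concretely. The following is an added example, not part of the interview and not RSA's product: it parses a handful of constructed EHR audit log lines and applies three rules a privacy officer would recognise (access with no documented care relationship, a user's distinct-patient count jumping above their own recent baseline, and after-hours access). The log format, the care-relationship table, the per-user baseline and the role exemption are all invented for the example.

```python
"""Added example: a small access-pattern monitor over constructed EHR audit
log lines. Log format, care relationships, baselines and role exemptions are
all assumptions made for this illustration."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records for one day: timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2013-03-01T08:02:11,drsmith,physician,P1001,view
2013-03-01T08:15:40,drsmith,physician,P1002,view
2013-03-01T09:01:05,nurse_kim,nurse,P1001,view
2013-03-01T09:30:00,nurse_kim,nurse,P1003,view
2013-03-01T10:12:33,drjones,physician,P1004,view
2013-03-01T10:40:00,drjones,physician,P1004,update
2013-03-01T11:00:00,clerk_ray,billing,P1001,view
2013-03-01T11:05:00,clerk_ray,billing,P1002,view
2013-03-01T11:07:00,clerk_ray,billing,P1003,view
2013-03-01T11:09:00,clerk_ray,billing,P1004,view
2013-03-01T11:11:00,clerk_ray,billing,P1005,view
2013-03-01T11:13:00,clerk_ray,billing,P1006,view
2013-03-01T11:15:00,clerk_ray,billing,P1007,view
2013-03-01T12:00:00,clerk_amy,billing,P1001,view
2013-03-01T12:10:00,clerk_amy,billing,P1002,view
2013-03-01T23:45:00,drsmith,physician,P1009,view
"""

# Constructed: patients each clinician has a documented care relationship with.
TREATING = {
    "drsmith": {"P1001", "P1002"},
    "drjones": {"P1004"},
    "nurse_kim": {"P1001", "P1003"},
}
# Assumption: roles whose work legitimately spans patients they do not treat.
RELATIONSHIP_EXEMPT_ROLES = {"billing"}

# Constructed: distinct patients each user touched on each of the prior five days.
BASELINE = {
    "drsmith": [2, 3, 2, 2, 2],
    "drjones": [1, 2, 1, 1, 2],
    "nurse_kim": [2, 2, 3, 2, 2],
    "clerk_ray": [3, 4, 3, 5, 4],
    "clerk_amy": [2, 3, 2, 2, 3],
}

FIELDS = ["ts", "user", "role", "patient", "action"]


def parse_log(text):
    """Parse CSV audit lines into dicts, converting the timestamp to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def flag_no_care_relationship(records):
    """(user, patient) pairs where a non-exempt user touched a patient they do not treat."""
    hits = set()
    for r in records:
        if r["role"] in RELATIONSHIP_EXEMPT_ROLES:
            continue
        if r["patient"] not in TREATING.get(r["user"], set()):
            hits.add((r["user"], r["patient"]))
    return sorted(hits)


def flag_volume_outliers(records, z=3.0, floor=2):
    """Users whose distinct-patient count today exceeds their own baseline
    (mean + z standard deviations, with a floor so a flat history still needs
    a real jump before it alarms)."""
    today = defaultdict(set)
    for r in records:
        today[r["user"]].add(r["patient"])
    hits = []
    for user, patients in today.items():
        history = BASELINE.get(user)
        if not history:
            continue  # no baseline yet; a real deployment would surface these separately
        mean = statistics.mean(history)
        threshold = max(mean + z * statistics.pstdev(history), mean + floor)
        if len(patients) > threshold:
            hits.append((user, len(patients), round(threshold, 2)))
    return sorted(hits)


def flag_after_hours(records, start_hour=7, end_hour=19):
    """Accesses outside the assumed working window, queued for human review."""
    return sorted(
        (r["user"], r["patient"], r["ts"].isoformat())
        for r in records
        if not start_hour <= r["ts"].hour < end_hour
    )


def report(text=AUDIT_LOG):
    records = parse_log(text)
    return {
        "no_care_relationship": flag_no_care_relationship(records),
        "volume_outliers": flag_volume_outliers(records),
        "after_hours": flag_after_hours(records),
    }


if __name__ == "__main__":
    for rule, hits in report().items():
        print(rule, hits)
```

On the constructed data the same event (drsmith viewing P1009 at 23:45) trips two independent rules, which is the point of keeping the raw events rather than only per-application alarms: signals that are individually weak can be combined once the data sits in one structure. The baselines here are a hard-coded table; in practice they would be recomputed from the same log store over a rolling window.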
Role-Based Access Management
ANDERSON: Should hospitals and others be moving toward role-based access management systems to help guard against inappropriate access to sensitive patient information?
CURRY: The role-based approach is one of those inarguable ones. RBAC as it's called - role-based access control - makes a lot of sense in a lot of spaces. But first, you have to try to set up what the policies are that we're going to apply. You really have to assess the kinds of roles that are going to go into this, and that's a difficult exercise. And then you have to be able to monitor, according to those roles, and then just as you did with the events and with the monitoring of what's happening in the environment, you can also start to build normative patterns for how people access information.
In the event that there's an emergency and somebody unexpectedly needs to have control transferred to them - like somebody goes into emergency surgery - you don't want to be sitting there having somebody denied access because you didn't explicitly think of the scenario that might have had them get past this to get this information through a new set of tools in a new location with the person's life in jeopardy. One of the things to do is to start to apply both the process to manage the evolution of the roles and how they access information, and then actually apply an intelligent system, or an expert system, on top and use big-data tools to start to monitor how roles shift and how they're likely to shift in the future, especially given change in the technology landscape.
More people are connecting with more kinds of devices in more ways with more applications than ever before. That trend is only going to increase, so RBAC is a vital step. And just as with the monitoring, we want to try to apply the right kinds of intelligence and the right kinds of infrastructure and architecture to support how that will evolve in the future.
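The emergency-surgery case Curry raises is the classic argument for a "break-glass" path alongside role-based access control: an access the role model did not anticipate is allowed through, time-limited, and recorded for mandatory review instead of being silently denied. The code below is an added example and not from the interview or any vendor product; the roles, permissions, patient assignments and four-hour grace period are invented for it.

```python
"""Added example: role-based access control with a break-glass path.
Roles, permissions, assignments and the grace period are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role-to-permission map (assumption, not any real EHR's model).
ROLE_PERMISSIONS = {
    "physician": {"chart:read", "chart:write", "orders:write"},
    "nurse": {"chart:read", "vitals:write"},
    "billing": {"demographics:read", "claims:write"},
}
# Assumption: only clinical roles may invoke emergency access.
BREAK_GLASS_ROLES = {"physician", "nurse"}
# Constructed: patients each clinician is currently assigned to.
ASSIGNMENTS = {"drsmith": {"P1001"}, "nurse_kim": {"P1001"}}


@dataclass
class Decision:
    allowed: bool
    reason: str
    review_required: bool = False


@dataclass
class AccessControl:
    roles: dict                                   # user -> set of role names
    grace: timedelta = timedelta(hours=4)         # how long a break-glass grant lasts
    grants: dict = field(default_factory=dict)    # (user, patient) -> expiry
    audit: list = field(default_factory=list)

    def _has_permission(self, user, perm):
        return any(perm in ROLE_PERMISSIONS.get(r, set())
                   for r in self.roles.get(user, set()))

    def _record(self, now, user, perm, patient, decision):
        self.audit.append({"ts": now, "user": user, "perm": perm, "patient": patient,
                           "allowed": decision.allowed, "reason": decision.reason,
                           "review_required": decision.review_required})
        return decision

    def check(self, user, perm, patient, now):
        """Role check first, then care relationship, then an active break-glass grant."""
        if not self._has_permission(user, perm):
            return self._record(now, user, perm, patient,
                                Decision(False, "role lacks permission"))
        if patient in ASSIGNMENTS.get(user, set()):
            return self._record(now, user, perm, patient,
                                Decision(True, "assigned patient"))
        expiry = self.grants.get((user, patient))
        if expiry is not None and now < expiry:
            return self._record(now, user, perm, patient,
                                Decision(True, "break-glass access in effect",
                                         review_required=True))
        return self._record(now, user, perm, patient,
                            Decision(False, "no care relationship; break-glass required"))

    def invoke_break_glass(self, user, patient, justification, now):
        """Grant time-limited emergency access; the invocation is always reviewed."""
        if not justification.strip():
            raise ValueError("a justification is required")
        if not self.roles.get(user, set()) & BREAK_GLASS_ROLES:
            raise PermissionError(f"{user} is not in a role eligible for break-glass")
        expiry = now + self.grace
        self.grants[(user, patient)] = expiry
        self.audit.append({"ts": now, "user": user, "perm": "break-glass",
                           "patient": patient, "allowed": True,
                           "reason": justification, "review_required": True})
        return expiry

    def pending_review(self):
        return [e for e in self.audit if e["review_required"]]


def demo():
    """Constructed scenario: a covering surgeon needs a chart the role model did not anticipate."""
    ac = AccessControl(roles={"drsmith": {"physician"}, "drjones": {"physician"},
                              "nurse_kim": {"nurse"}, "clerk_ray": {"billing"}})
    t0 = datetime(2013, 3, 1, 2, 15)
    results = {
        "assigned": ac.check("drsmith", "chart:read", "P1001", t0).allowed,
        "unassigned": ac.check("drjones", "chart:read", "P1001", t0).allowed,
    }
    ac.invoke_break_glass("drjones", "P1001", "emergency surgery; covering for Dr Smith", t0)
    d = ac.check("drjones", "chart:read", "P1001", t0 + timedelta(minutes=10))
    results["break_glass"] = (d.allowed, d.review_required)
    results["expired"] = ac.check("drjones", "chart:read", "P1001",
                                  t0 + timedelta(hours=5)).allowed
    results["billing_denied"] = ac.check("clerk_ray", "chart:read", "P1001", t0).allowed
    try:
        ac.invoke_break_glass("clerk_ray", "P1001", "curious", t0)
        results["billing_break_glass"] = "granted"
    except PermissionError:
        results["billing_break_glass"] = "refused"
    results["for_review"] = len(ac.pending_review())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices matter here. Break-glass never bypasses the role check, so a billing clerk cannot use it to reach a chart at all; it only relaxes the care-relationship requirement for roles that could legitimately need it. And every break-glass invocation and every access made under it lands in the review queue, which is exactly the feed the monitoring discussed above should consume to learn how roles actually shift.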
Mobile Devices and BYOD
ANDERSON: The survey shows about 58 percent of organizations are allowing clinicians to use personally owned mobile devices for work-related purposes, such as accessing patient records. The use of mobile devices, including the BYOD trend, ranks as the No. 1 perceived security threat. Given the growing use of personally owned tablets and smart phones in healthcare, what are the key security steps organizations need to take?
CURRY: ... Perceived opportunities for new ways to be productive and to be connected - they're both a huge blessing and a huge threat. If it was just a threat by itself, I think we would all be able to say, "No, sorry. You can't bring that here." But the doctors want to be able to have things like tablets with very rich information controls and visualization abilities that they can use on the fly. ... They want to have access and to get the technology almost out of the way between them and the data they're interacting with, and that's a huge, powerful initiative that could really revolutionize healthcare. But we have to take care of that threat. We have to take care of the concerns on the risk side of the equation as you mentioned.
What does a security organization do here? Well, they have to start to invest in some new, more advanced, technologies for being able to get hardware roots of trust on those mobile devices, and there are options for that. ... What I've seen a lot of organizations do is they pick a particular class or category of devices that they can work closely with vendors around. The real trouble comes when a new doctor comes in or a doctor with a new device comes in and says, "Here, add this to it." In that case, you're going to be very careful how you, in fact, incorporate those into the environment. Is it okay to do e-mail? If so, to what extent and how? What do you do in the event of somebody having inappropriate data? How do you pull the information? How do you poll those things? I think it requires an effort on the part of the security organization to really understand and come up with a set of tools that they're going to use and a set of standards and practices to keep it fresh.
It's amazing how fast the mobile space is changing, both the underlying platforms and the software layer, and the applications available from a security and other perspective. ... How are you going to benefit from BYOD to provide better healthcare and better services to patients, and better services to doctors and to medical practitioners? I think that requires its own initiative, because, frankly, it really can revolutionize things. ...
ANDERSON: A majority of organizations we surveyed say they're not using cloud computing, citing security as the top concern. Among those using cloud computing, about 40 percent are confident in the access controls for cloud-based applications. What specific steps can be taken to address security concerns in the cloud-computing arena?
CURRY: The cloud-computing arena is actually several arenas. I think the most important thing is for organizations to classify not just data, but also applications, and to really understand what cloud options are available to them. For instance, can they, in fact, move to a private cloud? Can they move not just to a public cloud? Could they look at things like community clouds for some things, or even hybrid clouds?
I don't like the word "cloud" in isolation. I feel it always has to have a qualifier in front of it. But it's important to understand that the real benefits associated with the cloud are around flexibility, performance, scalability and interoperability. If you're happily humming along with an application that works well - for instance, in your ER or your ICU - you may have no need to move it to the cloud. But you might be able to get some of those benefits from deploying a private cloud, either an internal or external private cloud.
Understand the applications, understand the data and understand the cloud options available. That's the key here. And put pressure on the public cloud providers to show you a roadmap for what they're going to do. Say, "These are the things that I actually need addressed from a security perspective." The Cloud Security Alliance actually has good publications on domains that you should be watching for. You should be enforcing things around them and ask the public cloud provider to give you their roadmap for these. When they actually can satisfy enough of the items on the list, then you can move to them. But I would advise that you always have the ability to make sure that your workloads and your applications can be moved away from any given provider. Make sure that they're effectively interchangeable to you, that way you can vote with your feet and you can say, "Show me the roadmap for how you're going to deliver future requirements and future security features." If they don't, you can take it back.
Data Protection Measures
ANDERSON: Finally, a majority of survey respondents cite encryption as critical to protecting patient data. Besides encryption, are there other alternatives that organizations should consider when it comes to strong data protection?
CURRY: Encryption can be scary, but it's not really the encryption that's hard in my opinion. It's really the key management that's hard, making sure that keys are properly protected, they're accessible only to authorized administrators, and that they're rotated on a periodic basis. That can be difficult. A strong key management product there can vastly help - or even key management services, in some cases.
Alternatively, newer technologies now exist that help remove the need for key management - things like tokenization. Sometimes it's called aliasing, and that's a form of data protection for fixed-format-type data, like account numbers, birth dates, and other types of personally identifiable or personal health information. Tokenization is like a bookmarking system. It masks sensitive data and does not really require the use of keys. You can get very fluid and, essentially, the data that's sensitive never exists in the environment; only that bookmark or that placeholder does.
When the actual information data has been exchanged with that broker, you first get the information, you get a place holder, you use that in all your systems, and then when you need the real information again you go back to the broker and get the final data. I don't think it's the encryption that's most difficult.
Think about the states of data in your organization. Do you really need the information? If so, could something that maybe is function- or format-preserving be sufficient? How can you actually remove the risk from the environment, the risk footprint, without having to go straight to encryption? When you do, do the key management correctly.
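The tokenization "bookmark" Curry describes can be shown as a small broker, or vault, that hands out random placeholders of the same shape as the original value and keeps the only mapping back. This is an added example, not from the interview or any RSA product; the format rules, the optional trailing display suffix and the role check on detokenization are all assumptions made for the illustration.

```python
"""Added example: a minimal tokenization vault. Tokens are random, not
derived from the value, so possession of a token reveals nothing; only the
vault can reverse it, and only for callers in an authorised role. Format
rules and the role check are assumptions."""
import secrets
import string


class TokenVault:
    def __init__(self, detokenize_roles=("claims-processor",)):
        self._by_value = {}
        self._by_token = {}
        self._detokenize_roles = set(detokenize_roles)

    @staticmethod
    def _random_token(value, keep_last):
        """Same length and character class per position as the value, so
        downstream schemas and validators keep working; separators and an
        optional trailing display suffix are kept verbatim."""
        out = []
        for i, ch in enumerate(value):
            if keep_last and i >= len(value) - keep_last:
                out.append(ch)
            elif ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(alphabet))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value, keep_last=0, max_attempts=1000):
        if value in self._by_value:
            return self._by_value[value]      # a value always maps to the same token
        variable = sum(1 for i, ch in enumerate(value)
                       if i < len(value) - keep_last and ch.isalnum())
        if variable == 0:
            raise ValueError("value has no positions that can be randomised")
        for _ in range(max_attempts):
            token = self._random_token(value, keep_last)
            if token != value and token not in self._by_token:
                break
        else:
            raise RuntimeError("token space exhausted for this format")
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token, caller_role):
        if caller_role not in self._detokenize_roles:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def demo():
    vault = TokenVault()
    account = "4123456789012345"   # constructed, not a real account number
    dob = "1979-04-12"             # constructed date of birth
    acct_token = vault.tokenize(account, keep_last=4)
    dob_token = vault.tokenize(dob)
    patient_record = {"account": acct_token, "dob": dob_token}  # systems of record hold tokens only
    results = {
        "record": patient_record,
        "claims_view": vault.detokenize(patient_record["account"], "claims-processor"),
        "stable": vault.tokenize(account, keep_last=4) == acct_token,
    }
    try:
        vault.detokenize(patient_record["account"], "scheduling")
        results["scheduling_view"] = "granted"
    except PermissionError:
        results["scheduling_view"] = "refused"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vault does not remove secrets from the organisation; it concentrates them. The mapping store and the tokenize/detokenize API are now the one place the real values exist, so they need the same protection a key server would: strict access control on detokenization (here a role check), an audit trail of who reversed which token, and backups handled as sensitive data. That is the trade Curry describes: application systems carry no keys and no sensitive data, at the cost of one well-guarded broker.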