Authentication weakness leaves gaps for medical identity theft

In addition, the insider threat is a tremendous problem in medical identity theft. Healthcare workers have access to records with few or no access controls or audit trails in place. As our nation moves from a paper-based record system to electronic health records, implementing strong authentication of the individuals requesting access to medical records is crucial to protecting privacy.

Today there are no policies and procedures in place to restore one's health information. The sensitive nature of personal health information and electronic medical records increases the need for very high confidence in the accuracy of the asserted identity. If one's identity is compromised, the breach is irreversible and the consequences can affect the victim for a lifetime.

To paraphrase Brookhaven National Laboratory, “Passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on passwords alone fails to provide adequate protection for network systems.”1

In July, Julie Boughn, chief information officer of the Centers for Medicare and Medicaid Services, said “Healthcare providers and businesses that plan to use the nationwide health information network need to strengthen their security and privacy measures to ensure healthcare transformation succeeds…The private sector should adopt many of the foundational information security practices that federal agencies are held to by the Federal Information Security Management Act (FISMA), or at least use it as a guide”.2

FISMA is a 2002 law requiring federal agencies to have security policies in place for their information systems, including those managed by contractors or external sources. FISMA set into motion a series of changes that continue to this day.

In March 2009 the National Health Information Security and Privacy Collaboration's (HISPC) Adoption of Standard Policies Collaborative (ASPC) presented its recommendations at the March 6, 2009 National Conference. ASPC's report to the Office of the National Coordinator for Health IT will establish the minimum requirements for authenticating users accessing electronic medical records.3 The current minimum requirements for identity assurance require that the person accessing the information is who they claim to be and has a genuine need to view and access the record. The recommendation raises the required assurance level to medium (Level 2) assurance, which requires a "strong" password. Very high assurance (Level 4) is for confidential information.4 Level 4 assurance requires two-factor authentication.

References
1. Brookhaven National Laboratory, Strong Authentication, http://www.bnl.gov/cybersecurity/strong_auth.asp
2. Government Health IT, "NHIN users will need tougher security, feds warn," July 1, 2009, http://www.govhealthit.com/newsitem.aspx?nid=71741
3. Health Information Security and Privacy Collaboration (HISPC), Guide to Adoption of Uniform Security Policy, March 2009
4. U.S. Office of Management and Budget, E-Authentication Guidance for Federal Agencies, OMB 04-04; National Institute of Standards and Technology (NIST), Special Publication 800-63
Related topics

Is my medical information secure online?

Unless strong authentication (two-factor authentication using smart cards and one-time passwords (OTP), for example) is required to gain access to your medical information, the answer is no.