April 21, 2014
In my last blog, I discussed the nature of identity and the reasons why identity management and the establishment of trust are very difficult and complex issues in healthcare and other industries. Identity is only half the problem. The other half, and unfortunately the one to which many incomplete solutions have been posed, is the establishment of digital credentials that tie to a person’s online identity. It seems that everyone has a solution to the improvement of digital credentials. Long ago, username and password combinations (i.e., the simplified “identity” surrogate) were the only mechanisms by which access might be granted to programs or data. Today, we appear to be beset with a wide and growing variety of credential types, including two-factor authentication, biometrics, out-of-band, and a number of creative mobile-based systems. While many of these are vast improvements over the traditional username and password combination, none of them alone will do the magic trick of securing an application at the level of assurance usually required or desired in healthcare. The real key to security in healthcare lies deeper, in the way applications work (regardless of the credential they use) and in the inherent frailty that comes when an application takes on the daunting identity/credential challenges alongside its own application logic.
Let’s start by examining what’s wrong with traditional credentials in the first place. Much has been written about this topic, especially lately, so I’ll cover it briefly:
- Usernames and passwords are generally vulnerable, largely because they have to be memorable. Making anything memorable generally simplifies it, and the simpler a credential is the easier it is to impersonate it.
- Even complex password schemes, like those that enforce a password consisting of uppercase and lowercase letters mixed with numerals and even special characters, are not really safe. Criminals seeking access will very rarely attempt to manually guess passwords. For over 20 years, password-cracking schemes and sophisticated software have been used to penetrate vulnerable accounts. Since many passwords are short enough to be memorable, this software makes quick work of the additional combinations afforded by adding 30-odd characters to the set used for the password. Speaking mathematically, a password that is eight characters long, using 62 possible characters in each position, yields 62⁸ or about 218 trillion combinations. This sounds like a lot, but in reality, systems trying several hundred thousand combinations per second can accomplish this task in a reasonable amount of time. Longer passwords would certainly make this task much harder, but many people resist password lengths in excess of eight characters despite the dramatic mathematical effect it would have on deliberate cracking schemes. In comparison, a 32-character password would be nearly impenetrable given current processor speeds, as it would yield 62³² or 2.2 × 10⁵⁷ combinations, an improvement of nearly five orders of magnitude.
- Despite password complexity, usernames and passwords are still vulnerable because they depend on human intervention, and may be learned or stolen by any number of means. Social exploits, phony websites, workplace espionage, key-loggers, virus and malware, and many other forms utilize this frailty to exploit human trust and behavior in order to gain access to systems and data.
- Perhaps the biggest issue with traditional credentials, and in fact with credentials in general, is that each application establishes them individually and independently. Consequently, each provider, whether in a hospital setting or in a private practice, usually possesses many credentials simultaneously – one for each application they access. Hospitals tend to simplify this somewhat using single sign-on technology, but providers who access systems outside the hospital still have other credentials to use and remember. The more credentials a provider has, the more likely it is that the provider will reuse password values across systems or, worse yet, keep a written log of passwords so that he can keep them all straight. Finally, in the real world, whether logins and passwords are simple or complex, they are frequently shared voluntarily and inappropriately by end users who feel they have neither the time nor inclination to access secure data needed to accomplish specific tasks.
Recently, as a reaction to these vulnerabilities and shortcomings, hospitals have been discussing the need to demand higher levels of compliance among their peers and associates. Laboratories, imaging centers, physicians and their staff, ambulatory care and chronic care centers are being asked to tighten control as endpoints in the hospital ecosystem. Even insurance companies, exchanges, and health information service providers have considered tightening control by enforcing new and more stringent operational controls, technical software requirements, networking constraints, and workflow-impinging rules in order to stem the vulnerability created by reliance on traditional access controls. It’s a curious turn of events. Especially now that doctors and administrators alike use their own private, mobile technology at work, it seems futile to attempt a top-down, dictatorial strategy to change behavior. Furthermore, in a world already complicated by government regulation, additionally intrusive or expensive controls just seem like the wrong idea.
I do not mean to imply that stringent network, BYOD, and other related policies are in any way ineffective. They are necessary, and at the heart of any great solution. However, the real problem runs much deeper, and the healthcare industry needs a more innovative solution. Determined fraudsters and thieves will find holes in any strategy, but they move most easily around those that merely demand compliance. Budgetary, resource, and expertise lapses often create holes and opportunities for nefarious advantage.
The outlines of a plan
In order to be effective, I believe the healthcare IT industry must reevaluate its love affair with application-specific solutions and look to form a more impenetrable and distributed scheme that is at once simplifying, inexpensive, and easy to adopt. This is not a new dream, but rather one that has been in the works and imminent for some time. This vision has been promoted by several federal government agencies and institutes, particularly the National Institute of Standards and Technology (NIST) and its IDESG (The Identity Ecosystem Group), along with many of the proponents and related committees that have been involved and invested for over three years. It is in the spirit pioneered in those committees that I offer the outlines of a simple plan to overcome the vulnerabilities of both identity and credential management.
In short, I believe our plan should include the following:
- A complete separation of identity management, credential management, and access control management (also known as role-based authorities) into separate, independent system components. In other words, applications should no longer manage their own identities, bind them to exclusive credentials, and also define the authority or capabilities of a user. Doing so creates vulnerabilities and redundancies that must be avoided.
- Each of these components must be blind to the actions of the others. There can be no functional or technical interdependence between these facets of the ecosystem. A fraudster gains no advantage unless all three aspects of the ecosystem are simultaneously compromised, which would be very unlikely. The only exception to this concept of “three-way blindness” would be through a stipulated legal process.
- The use of username and password-based credentials should be curtailed or ended as soon as possible. In their place, multifactor, biometric and other credentials should be used. These tend to require far less memorization and repetitive action on the part of the user and are consequently more resistant to theft or compromise.
- The ecosystem must itself be extensible. Additional credential types, providers and operating parameters must be enabled as required by application logic. Identity sources, methods and levels must also be extensible.
- A single, comprehensive Trust-mark standard must be envisioned, applied and enforced across all elements of the ecosystem. If the Trust-mark originates from a well-known and independently audited entity, or one with the authority to enforce it legally, it will become a compelling aspect of adoption for applications that might otherwise be slow or reluctant to comply.
- The ecosystem must rely on well-documented standards for technical content, so that adoption is simple, well-defined and nonproprietary.
Each of these items is probably worthy of its own blog post. There are many potential obstacles, including the status quo, that stand between us and this goal. However, the effect such an ecosystem will have on the state of healthcare will be monumental; providers will no longer be troubled to own multiple credentials, applications will no longer continuously reinvent credentialing/identity proofing and access management, and the future of privacy and information security in healthcare applications will be finally assured.
Eric Rosenfeld’s Series on Identity Security in Healthcare:
1. Who is your physician and how do you know? Solving questions of identity in healthcare
2. The real key to security in healthcare in an online world