A step back, rather than a security upgrade
Terry Gold, founder, IDanalyst
Industries often require different technical approaches to address regulatory requirements and this is certainly true for health care. Executives deal with regulations regarding Protected Health Information, and mandates are evolving and penalties are becoming stiffer in an attempt to increase accountability in the event Protected Health Information is compromised.
Passwords are a productive area for improvement as they are both targets for hackers and a major point of vulnerability for even well-intentioned employees.
But the industry cannot just implement strong authentication and carry a big stick when patients and providers complain about its usability. It must provide quality care without unnecessary barriers as slowing down a nurse or doctor in the ER by even a few seconds can have serious implications.
It’s here, however, that a bad decision is sometimes made when an organization opts to replace existing passwords with proximity cards. Common reasons include:
- Cost: Stakeholders look to leverage existing investments like the card they have
- Ease of Use: Users are already familiar with them
- Security: Prox is assumed to be secure
- Convenience: Doctors tend to override security in favor of convenience.
In these instances, the assumption is that upgrading the authentication to prox cards results in a significant security improvement. Unfortunately, for organizations where there was a minimally-acceptable password policy before the transition, it’s actually less secure than before.
Replacing a password with another password
Most health care organizations have incorporated best practices into their existing password management programs — enforcing longer more complex passwords, forcing users to change them regularly and restricting reuse. Tools automate password resets and help desk processes.
Proximity cards store a static binary string of data that is essentially just a numeric password. It is the credential or card number that is used to authenticate at the door access point.
Since it is clear text, anyone can verify it. Card providers do sometimes employ attempts to obscure this password, but these can be deciphered in an automated fashion with tools available over the Internet. It is within reach of anyone who wants it and is not reserved for an elite few that have advanced hacking skills.
Cards on the 125 kHz frequency, the most common type proximity card, have no protection of their data. When they were designed, the goal was not security but rather reducing the cost and burden of replacing keyed locks. High-frequency contactless smart cards use encryption to protect stored data, such as the identification number, but prox was never intended for this type of use.
Breaking old rules and ignoring new ones
I most cases, this “card number” — or password — is vendor-assigned and encoded in the card at the production facility. When the cards reach their destination, a photo is taken, the card number is entered into the building access system, and finally handed over to the user. Frequently the card number is printed on the card itself to make it easy for the enrollment officer to enter the number into the system.
While this process has historically been acceptable for physical access, it breaks fundamental principles in information security.
To put this in perspective, consider a different scenario in a similar context. Would it be acceptable If IT ordered new computers from Dell, and they arrived with the passwords printed on them that could not be changed? No information security professional would consider it.
An often-overlooked aspect to leveraging physical access cards for IT is that the same password is stored in the physical access control system databases in clear text the vast majority of the time. This means the data:
- Is not under the control of IT
- Does not subscribe to the same application security principles, audit or review
- Is setup using default privileged and administrator passwords — such as “admin”, “Blank” or even “password” — to the system itself
- Is not properly secured on the network or otherwise
- Does not undergo adequate penetration testing before release.
This reduces IT security to the lowest common denominator practiced by the two departments. It is a systemic, organizational vulnerability.
Misconceptions and false security
The common defense by supporters of proximity cards for authentication in IT is that a PIN is required as well, but this is hardly foolproof. The premise here is that the PIN is unique in that only the user knows it, which makes this a two-factor solution. It shouldn’t, however, earn the confidence of an information security professional. Proximity cards cannot store a PIN, which means it’s stored somewhere else and therefore vulnerable. Even if you agree that this is a two-factor solution, it is giving up a previously strong password for a weak PIN.
Mandates are forcing the adoption of Electronic Health Records systems and Health Information Exchanges to enable improved care by sharing information across providers, payers and the patients. At the same time, ePrescribing is rapidly growing and the DEA’s ruling for Electronic Prescribing of Controlled Substances requires approved identity proofing and authentication methods. Prox cards and/or static passwords are not on that approved list.
A slew of other mandates and initiatives are also taking shape to influence health care providers to rethink how they proof, manage, credential and use identities.
In most cases, there are two recurring considerations for systems that will be viable and scalable in the long-term. First, credentials must be able to be repurposed across the various mandates to avoid the need for multiple credentialing systems. Second, these credentials must be able to demonstrate they were implemented in a way that complies with requirements so they can participate in the various exchanges.
Proximity cards are their own trust model, established by the vendor independently, and have no standards frameworks that govern how they are to be used for authentication. Generally, it is an opaque operation, clouded in obscurity, with little peer testing to test those systems or disclose reports of testing performed by creditable third-party labs.
Therefore, outside of the organization that implements them, no other organization can trust the credential. In the age of health care mandates where the basic requirement is collaboration and sharing across disparate organizations, an investment in proximity for authentication to IT systems is not only insecure, but short-sighted.