The Health Care Information and Management Systems Society (HIMSS), Juniper Networks, and Anakam hosted a discussion on the importance of access control within health care networks, and introduced solutions that can provide a secure pathway to grant the appropriate access to hospital resources and patient records.
Offering secure remote access to your internal network to a diverse outside audience is a complex problem. “There are so many different people with so many different devices accessing the network, with so many different applications – and all of these are areas for risk and renewed threat,” says Michael Rothschild, director of Health care Solutions at Juniper Networks. “It is very important to ensure that people that are on the network get the access they need – only the access they need – and not more.”
Aside from being a serious compliance violation, unauthorized access into your health care network can endanger the livelihoods of staff and ultimately the lives of patients. “When individuals fear their personal information is vulnerable for compromise they’ll avoid sharing the right information, and in many situations not share all of their information required to receive the proper care,” says Jose Jimenez, director of Health Information Technology at Anakam.
Results from a longitudinal case study from Verizon indicate that an average of 26% of hackers take only hours – in terms of research – to access the network or cause some kind of security breach, and only a few days from point of entry to compromise.
From compromise to discovery – that is, from the moment a hacker has gotten into the network to the moment users discover that something has happened – roughly 49% take months. And from the time of discovery to the time of containment, results showed approximately 42% take weeks to contain the threat. That puts the window of vulnerability in the neighborhood of 104 days.
“What we’ve been used to is the username and password, which has been a weak method of authentication,” says Jimenez. “However, that username and password does not – with a high level of certainty – verify that it is the right user coming in, it just verifies that ‘someone’ has the right username and password. There are many alternative authentication methods such as tokens, smart cards and biometric devices. However, the costs associated with maintaining these devices and software become astronomical, especially as we expand these services to cover large user groups.”
To let institutions meet the strong second factor needs of a large user population without the associated costs, Anakam has created what they call an Identity Management Lifecycle Suite. With it, users access through a VPN portal with strong second factor authentication. “To ensure the right users are the ones who are registering, we have what we call identity proofing, registration, and credentialing,” adds Jimenez. “Where we go out and do external data set questions and verification of the user when they are registering.”
“The ability to distribute a one-time passcode without requiring the distribution of hardware or software plays an instrumental part of enabling trusted access,” says Jimenez. “And providing strong second factor authentication to a wide set of users – from your providers, your patients, your first responders.”
In a demonstration, Anakam simulates a lab environment where a doctor – in this case JDoctor – accesses a VPN appliance, which is protecting a patient record and a provider’s portal.
JDoctor logs in with their first factor credentials, and once done receives a phone call that issues a one-time passcode, which can be entered into the session. Also, to provide multiple vectors of coverage and to provide awareness of first factor compromise, an e-mail is sent to JDoctor with the same passcode.
The passcode is time sensitive and can be delivered in Spanish, English, French, or any other language established for users. Once the passcode has been verified by Anakam, the user is redirected to their portal. In this case, JDoctor is able to follow up on patients, lab work, prescriptions, or anything else needed from a high-level perspective.
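The server side of the flow described above can be sketched as follows. This is an added example, not Anakam's code: the class name, the `deliver` callable, the six-digit code length, the 300-second lifetime and the three-guess limit are all assumptions, since the article only says the passcode is time sensitive and is sent by phone call and e-mail.

```python
import hashlib, hmac, secrets, time

TTL_SECONDS = 300   # assumed validity window; the page only says "time sensitive"
MAX_ATTEMPTS = 3    # assumed guess limit, not stated on the page

class PasscodeService:
    """Issues a one-time passcode after first-factor login and verifies it once."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # hypothetical callable(channel, user, code)
        self._clock = clock
        self._pending = {}        # user -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Keep only a keyed digest in memory, never the passcode itself.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, self._digest(salt, code),
                               self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        # Same code on both channels: the e-mail doubles as an alert that
        # someone has passed the first factor for this account.
        for channel in ("voice", "email"):
            self._deliver(channel, user, code)

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]            # expired: a new code must be issued
            return False
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[user]            # single use: a replay fails
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[user]            # guess budget exhausted
        return False
```

Issuing a new code overwrites any pending one for the same user, so only the most recent passcode is ever valid.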
Patients face similar authentication, and messages can be tailored by institutions to include informative alerts, such as a reminder for an upcoming visit. In addition, Jimenez mentioned that Anakam will let users enable their own method of authentication based on their own policies within the organization.