Guest Column | June 1, 2016

Reducing The Threat Of Stolen And Compromised Credentials

Stolen Credentials

By Dean Wiech, managing director of Tools4ever

Compromised and stolen credentials continue to be a thorn in the life of the health IT security professional. A recent Cloud Security Alliance survey found more than 65 percent of respondents believed compromised credentials would be the root cause of a security breach.

Passwords came into fashion more than 50 years ago as a way to restrict access to the main computer at MIT. While not initially intended for security purposes, they were a contrivance to enforce time sharing restrictions. A clever hacker realized the credentials were stored in plain text in a file on the machine, and printed them out for all to use.

While any type of organization can be devastated by compromised credentials, healthcare in particular can be exposed to the risk of lawsuits and sanctions, especially if patient data is involved. While there are many projects focused on reducing the threat of stolen and compromised credentials, biometrics appears to be leading the way. One of the most prevalent is fingerprint scanners as they are becoming ubiquitous on smartphones and tablets from multiple suppliers.

While this technology may become common place by the inclusion of scanners on computer keyboards, mice, and laptops, the usability by healthcare professionals is doubtful. Imagine a doctor or a nurse needing to remove gloves to login on a computer because it timed out in the middle of an exam.

One of the newest technologies includes facial recognition with Windows 10. Windows “Hello” requires a special camera, which makes use of 3D technology, that is just now starting to become prevalent in the marketplace. This technology holds great promise, as instead of needing to use a badge and PIN, or type credentials on a keyboard, the user can simply look at a camera that provides the information needed to log them into the computer. The use of 3D technology ensures the system cannot be compromised by holding a photograph in front of the camera.

Another new technology that could be useful in the healthcare environment is keystroke dynamics. This behavioral biometric solution evaluates the way a user interacts with the keyboard, mouse, or smart device to establish a baseline profile. This profile is then utilized as a pass/fail when individuals log on to the network, and is utilized in conjunction with a password. If a disparity is detected, indicating a fail, a third form of authentication must be provided, such as an SMS code or PIN generated via an app on a smart device. This technology is also able to constantly assess the user’s pattern while they are utilizing the computer or smartphone.

Keystroke dynamics can assist in relieving two concerns with credentials. This technology provides a second factor of authentication during the login process — a user’s password may be accepted, but if they “fail” the biometrics component they must enter a PIN to complete the authentication. The technology can also force a re-validation should it detect a change in the typing pattern during a session.

For example, a user leaves for a quick break but forgets to lock their screen. A co-worker or visitor could easily walk up to the machine and try to access sensitive data. The keystroke biometrics application would detect the change in user based on how they are interacting with the keyboard and mouse, and immediately require a re-validation of credentials. Should the person be unable to provide the correct credentials, the computer would be locked and inaccessible. IT and managers can also be alerted via email or SMS that a potential intrusion has occurred.

Other options for securing the network are available, and may even be less intrusive to end users. These techniques require a combination of technologies to provide the utmost in security. These methods involve restrictions on where and when the network can be accessed to reduce risk from an offsite hacker.

Time of day restrictions are one step — limiting when someone can access their machine based on their normal usage patterns. Another step is IP limiting — only allowing usage to sensitive applications and data from a specific range of IP addresses. Geo-fencing is another potential method that restricts users based on physical location and the range from for example, the main hospital.

Regardless if one or more of the technologies are utilized, hospitals must move in the direction of securing user credentials beyond the simple user name and password. If not, hacks because of compromised credentials will continue to be common place and will continue to be unhealthy news for the foreseeable future.

Dean Wiech is managing director of Tools4ever, a provider of identity and access governance software solutions to the healthcare industry.