In this week's #TechTuesday Roundup: two-factor authentication companies continue to be attractive acquisition targets, new ransomware that is stealing digital wallets, USB ports pose hidden risk for medical facilities, DailyMotion is hit with a malvertising attack, VTech reportedly did not properly secure 6M user passwords and according to Symantec, iOS threats have doubled in the last twelve months.
Who in their right mind opens a hospital? Providing quality healthcare is too hard. As my brother once told me when he was in medical school: “there is a reason they call it ‘practicing’ medicine.” Recently, I was asked to consider why Courion has had such success helping healthcare providers. During my investigation, I stumbled on one reason (among many) why the business of medicine is so difficult.
Healthcare providers have one mission: providing quality care to patients. Logically, anything that disrupts the ability to deliver quality care must be rejected, correct? Not so fast. Providing quality care is not cheap, but healthcare payers demand lower cost services. Therefore, quality care should be delivered efficiently.
Easy enough: with focus and discipline, healthcare providers should be able to provide quality care efficiently. Hold your horses though, because patients also demand privacy. Increasingly (with HIPAA, HITECH and other regimes) governments are regulating in favor of securing protected health information (PHI). So now hospital systems must juggle quality, price and privacy. And as the old joke goes: pick two.
Now let me take you back to 1996 when a young Chris Zannetos and Brian Milas (Courion founders) were consulting in the banking industry and saw a similar situation: corporate help desks constantly made a trade-off between quality of service, efficiency, and security. Back then, and often still today, help desks got bogged down with password resets and managing users’ access. So much so that they just could not keep up with their workload without taking on more staff.
Chris and Brian began thinking about the curve that security and efficiency occupy, and about how to move the curve outward rather than just sliding along it. In their thinking, organizations like banks and hospitals cannot operate like bars and restaurants. To thrive they need secure, efficient operations and extremely high quality of service.
As I imagine it, these two young visionaries ran out of beer money while pondering these questions. Like many in this situation, they went outside to reload their cash at an ATM. Then something hit them.
OK, the ATM didn’t actually hit them but this idea did: The ATM offers superior service, at a lower cost and is FAR more secure than a human teller. Heady stuff yes, but what does this have to do with healthcare? In other words, what does Courion provide a hospital system that is analogous to the ATM for banking?
I’m glad you asked. Providing and auditing access to the systems and resources doctors and nurses need in order to care for patients touches all three concerns (quality care, secure PHI and efficient operations). Traditionally, hospitals that invest in technology to improve patient care, using electronic medical record systems (EMR) for example, must then maintain a large staff to manually create, change, terminate and review access. This creates a number of problems:
It slows down caregivers: Doctors and nurses often wait days or weeks just to get into the system they need to care for patients.
It costs too much: Expensive IT resources should invest their time developing tools to improve patient outcomes, not resetting passwords, creating accounts or pulling lists of who has access to what into spreadsheets.
It puts patient data at risk: Account sharing proliferates, tracking who is looking at what becomes impossible, and access audits are rubber-stamped.
Courion turns this whole process into an automated self-service experience, just like the ATM. Importantly, and like the ATM, there is no need to rip out the underlying systems. Courion’s solution simply overlays the existing infrastructure as the IT access ‘automated teller’. By bringing the “ATM” to healthcare IT access, with self-service access request, approval, fulfillment and password reset, Chris, Brian and the Courion team have enabled hospitals to “pick three” instead of trading off security, efficiency and quality healthcare.
Do organizations in your industry make similar trade-offs? Tell us about them in the comments.
According to CSO Online, there is an internet petition going around calling for the end of passwords. Whose idea is this? Not surprisingly, it’s the password augmentation and replacement technology companies who are pushing it.
The problems with passwords have been well documented, with weaknesses that include:
- Users picking easy-to-guess-or-crack passwords, and machines getting better at cracking them.
- User passwords being re-used across multiple consumer and corporate applications.
- Increasingly complex password requirements that ensure users will forget their passwords (or write them down).
Unfortunately for these petitioners, passwords are more like the French monarchy, circa 1422: when the password dies it will only be replaced with yet more passwords! Certainly, some companies have bought, and will continue to buy, into more secure methods of authentication. Google’s two-factor option, for example, which confirms identity with a code sent by SMS, is a real improvement over a password alone (though SMS is the weakest second factor, since messages can be intercepted or redirected through a SIM swap; an authenticator app or hardware token is stronger). The problem facing the “end of passwords” crowd is simple: people prefer the price and convenience of passwords. We won’t see a massive shift to something different unless it is free and infinitely portable.
So, if the password isn’t going away, what can we do to make a better password?
- Two-factor authentication is a big one, if you have the budget.
- Secure self-service password reset (which is ubiquitous for consumer applications) is a great investment for companies looking to reduce help-desk costs, improve service levels and increase security without busting the budget.
- Shake up your challenge/response questions. Through social media, I can probably get your mother’s maiden name and the street you grew up on from your Facebook profile.
And here’s the biggie: analyze your “complexity” policy. To make passwords harder to guess, many companies require special characters and mixed case while capping password length. That’s backwards. People satisfy such rules in predictable ways (capitalize the first letter, swap “a” for “@” or “o” for “0”, append “1!”), and cracking tools model exactly those substitutions as mangling rules, so the result is a password that is hard for a person to remember but still easy for a machine to guess.
Forget about complexity and instead insist on longer passwords, and never cap the length. A long passphrase is easy to remember, and if its words are chosen at random the number of possible combinations is far larger than that of a short “complex” password, so exhausting it takes long enough that most attackers move on to easier targets.
Here’s how I do it when a system allows:
- Pick four common and unrelated words and add spaces between them (or dashes if spaces are not allowed).
- Lower-case letters only is fine, but capitalize if it makes you feel better.
- Append the initials of the service you are using to the end.
Using this approach, a password that used to be “Pa$$w0rd!” becomes “billiards-workshops-whenever-human-fb.” This takes advantage of a simple truth: human brains are good at remembering strings of words, and a phrase of several words drawn at random from a large list has more possible combinations than any nine-character password a person will actually choose. One caveat: crackers already run dictionary and combinator attacks that join common words, so the strength comes from the words being chosen at random (roll dice or use a generator against a wordlist), not from the words themselves; if you pick them by free association, use a wide vocabulary and avoid phrases that appear in titles, lyrics or quotes. The service-initials suffix only stops automated replay of a leaked credential against other sites; anyone who reads the leaked password can see the pattern, so it is no substitute for distinct passwords. Take advantage while you can, because this approach will need revisiting someday, too.
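To put numbers behind the length-versus-complexity argument, here is an added example (not code from the original post or from Courion) that estimates the keyspace of a human-made “complex” password, a truly random nine-character password and a four-word passphrase, and generates a passphrase the way the post recommends but with the words chosen by a CSPRNG. The wordlist is a constructed sample, the attacker model for mangled dictionary words (100,000 words times 1,000 rules) and the guessing rate of 1e10 per second are illustrative assumptions, and the 7,776-word list size is that of the standard Diceware list.

```python
"""Added example: keyspace estimates for password styles, plus a random passphrase generator.
All figures other than the Diceware list size are illustrative assumptions."""
import math
import secrets

# Constructed sample wordlist for this example. A real deployment would use a
# published list of thousands of words (e.g. Diceware), not a few dozen.
SAMPLE_WORDS = [
    "billiards", "workshops", "whenever", "human", "copper", "lantern",
    "meadow", "orbit", "puzzle", "river", "saddle", "timber", "velvet",
    "walnut", "yonder", "zephyr", "anchor", "bridge", "cactus", "dragon",
    "ember", "falcon", "garnet", "harbor", "island", "jungle", "kettle",
    "ladder", "marble", "needle", "oyster", "pepper", "quartz", "rocket",
]

DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware wordlist


def random_choice_bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent, uniform selections from `choices` options."""
    return picks * math.log2(choices)


def complex_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Upper bound for a password of `length` characters drawn uniformly from
    the 95 printable ASCII characters. Human-chosen passwords never reach this."""
    return random_choice_bits(alphabet_size, length)


def mangled_word_bits(dictionary_size: int = 100_000, rule_count: int = 1_000) -> float:
    """Assumed attacker model for a human-made 'complex' password such as
    'Pa$$w0rd!': one dictionary word transformed by one of a fixed set of
    mangling rules (leetspeak, capitalise first letter, append '!' ...).
    The sizes are illustrative assumptions, not measurements."""
    return math.log2(dictionary_size * rule_count)


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace. 1e10 guesses/s is an assumed
    offline rate against a fast unsalted hash; bcrypt/scrypt/Argon2 cut this by
    several orders of magnitude, which is why the hash choice matters too."""
    return (2.0 ** bits) / 2 / guesses_per_second


def generate_passphrase(words, count=4, separator="-", suffix="", rng=None):
    """Pick `count` words uniformly at random from `words`, joined by `separator`,
    optionally followed by a suffix such as the service initials. Uses a CSPRNG
    by default; `rng` (anything with a .choice method) is injectable for testing."""
    if count < 1:
        raise ValueError("count must be at least 1")
    rng = rng or secrets.SystemRandom()
    chosen = [rng.choice(words) for _ in range(count)]
    if suffix:
        chosen.append(suffix)
    return separator.join(chosen)


def compare(count: int = 4, list_size: int = DICEWARE_LIST_SIZE, short_len: int = 9) -> dict:
    """Keyspace in bits for the three password styles discussed in the post."""
    return {
        "mangled_word": mangled_word_bits(),
        f"random_{short_len}_char": complex_password_bits(short_len),
        f"{count}_words": random_choice_bits(list_size, count),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        days = seconds_to_crack(bits) / 86400
        print(f"{name:>14}: {bits:5.1f} bits, ~{days:8.3f} days at 1e10 guesses/s")
    print("sample:", generate_passphrase(SAMPLE_WORDS, suffix="fb"))
    print(f"(only {random_choice_bits(len(SAMPLE_WORDS), 4):.1f} bits from this toy list;"
          " use a list of thousands of words)")
```

Under these assumptions a mangled dictionary word is gone in milliseconds, while four random Diceware words (about 51.7 bits) hold up for days against a fast hash and a fifth word adds another 12.9 bits; the figure for the toy 34-word list shows why the size of the list, and the randomness of the pick, is what actually sets the strength.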
As you can see, we’ve given this some thought, having done password self-service here for nearly two decades.
So, what is your organization’s approach to the password challenge? Have you thought about replacing them, and how?