HIPAA/SECURE:
Security Q/A
September 2002
"Security Solutions: Key Technologies and Practices"
>> Authentication <<
by Eric Maiwald, CISSP
This month's HIPAAsecure Q/A column marks the start of a new series
intended to provide HIPAA covered entities with a "primer"
on security requirements and technologies. In each issue, Eric Maiwald,
CISSP, will pick out one security practice, define it, and discuss
its applicability to HIPAA security -- including uses, benefits,
drawbacks and other considerations.
QUESTION: I know user authentication is supposed to be an
important HIPAA security requirement. Can you explain what authentication
actually means - and how it might apply to my organization?
ANSWER: Authentication is a key component of security for
any organization, because many other security controls (such as
access control and audit logging) only work if the computer system
knows who is using it.
When a person interacts with a computer system, the system must
first learn who the person claims to be. This is normally done with a
user name or some other identifier - the identification piece. The
system then needs a way to verify that the person really is who he
or she claims to be - this is the authentication piece.
There are three types of authentication information (ways to prove
who you are to a computer):
- Something you know like a password or a PIN
- Something you have like a smart card or credit card
- Something you are such as a fingerprint or a retina scan
Passwords are the most common type of authentication information
in use today. In most cases the person chooses his or her own
password, but in some cases the computer system assigns it. Because
the person is supposed to keep the password secret, the computer
treats knowledge of the correct password as proof of identity. That
proof is only as good as the secrecy of the password.
Unfortunately, passwords can also be guessed, and so we have
requirements for longer passwords (eight characters or more) that
include numbers, capitals and special characters (such as #, $ and %).
Such requirements often make passwords harder to remember, so people
write them down - which often defeats the purpose of the strong
password!
For very sensitive information, the use of two-factor authentication
may be necessary. Two-factor authentication requires a person to
present two of the three types of authentication information to prove
his or her identity. Two items of the same type (a password and a
PIN, for example) are not two factors. The most common two-factor
schemes combine a smart card (something you have) with a password
(something you know). Another combination is a fingerprint (something
you are) and a password (something you know).
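The following is an added worked example, not code from the column or
from Fortrex, showing how a system can check the two factors described
above. It assumes a hypothetical user record layout, stores only a
salted one-way hash of the password (so the stored value cannot be used
as the password), enforces the length and character-class rule the
column describes, and uses an HMAC-based one-time password (RFC 4226)
as a software stand-in for the "something you have" factor, since the
column does not describe how a smart card is verified. The sample
credentials and the token secret are constructed for the demonstration
(the secret is the RFC 4226 test vector).

```python
"""Added example: knowledge factor plus possession factor, checked server-side."""
import hashlib
import hmac
import os
import struct

# --- Something you know: password policy and storage ---

SPECIALS = set("!#$%&*+-./:;<=>?@^_~")


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Length/character-class rule of the kind the column describes."""
    return (len(password) >= min_len
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c in SPECIALS for c in password))


def enroll_password(password: str, iterations: int = 200_000) -> dict:
    """Store a random salt and a PBKDF2 hash, never the password itself.
    The record layout is hypothetical."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- Something you have: HOTP (RFC 4226) standing in for a token or smart card ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given counter value, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_token(token_secret: bytes, stored_counter: int, code: str, window: int = 3):
    """Return (ok, new_counter). Accept a small look-ahead window so a token
    that was pressed without logging in still works, but never accept a
    counter at or below the last one used (this rejects replayed codes)."""
    for c in range(stored_counter + 1, stored_counter + 1 + window):
        if hmac.compare_digest(hotp(token_secret, c), code):
            return True, c
    return False, stored_counter


def authenticate(user: dict, password: str, code: str) -> bool:
    """Two-factor check: both factors must pass. A single False is returned
    for any failure so the caller cannot tell which factor was wrong."""
    if not verify_password(user["pw"], password):
        return False
    ok, new_counter = verify_token(user["token_secret"], user["token_counter"], code)
    if ok:
        user["token_counter"] = new_counter  # advance so the code cannot be reused
    return ok


# Constructed sample data; the token secret is the RFC 4226 test vector.
TOKEN_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Enroll a user and walk through a login, a replay and a bad password."""
    pw = "Sunny#2002"
    user = {"pw": enroll_password(pw), "token_secret": TOKEN_SECRET, "token_counter": 0}
    return {
        "policy_ok": meets_policy(pw),
        "weak_rejected": not meets_policy("password"),
        "login": authenticate(user, pw, hotp(TOKEN_SECRET, 1)),
        "replay_rejected": not authenticate(user, pw, hotp(TOKEN_SECRET, 1)),
        "bad_password_rejected": not authenticate(user, "wrong", hotp(TOKEN_SECRET, 2)),
        "next_code_ok": authenticate(user, pw, hotp(TOKEN_SECRET, 2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The system never needs the clear-text password after enrollment, and the
one-time code is only useful once: the counter moves forward on success,
so a code captured from a user (written down, or seen over a shoulder)
cannot be replayed.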
Authentication systems can be very costly (smart cards can run
$60-$100 per employee) and can raise other issues. For example,
if smart cards are used, there must be a mechanism to get replacement
cards to employees very quickly when cards are lost. Likewise,
biometrics such as fingerprint and hand-geometry scanners may fail
when an employee has a cut or bandage on a finger or hand. Biometrics
also do not work well for large groups of people gaining access to
information across the Internet, since every access point would need
a trusted reader.
No matter which authentication mechanism is used, care must be
taken to educate the user base before changes are made. Authentication
systems touch every employee in the organization.
Fortrex Technologies, a Phoenix Health Systems security partner,
provides enterprise security management services and information
security process and monitoring services for healthcare and other
industries. www.fortrex.com