According to Forbes, three recent large-scale data breaches, at CHS, Anthem and Premera, totaled about 95.5 million stolen health records. Health records provide a wealth of information for attackers seeking corporate weaknesses or other data targets. As the cost of data breaches for companies continues to rise, so too does the value of compromised records. Healthcare records are one of the most valuable types for sale on the black market, worth $363 per record. With numerous healthcare employees typically accessing records across geographies, platforms, applications and devices, securing this highly valuable information has become an IT nightmare in today’s digital world.
A range of vendors have stepped into the healthcare security space offering solutions for securing everything from patient records to pacemakers. SecureAuth is one such vendor, and recently upgraded Houston Methodist, a large hospital in Texas.
“Houston brought us in for a very specific use case to get rid of the hard tokens in their Citrix network environment,” explains Craig Lund, CEO of SecureAuth, in an interview with CivSource. On the Houston Methodist system, doctors can access medical records through their mobile and other devices as they move between campuses. However, broader use of a mobile system was limited due to security concerns. The staff wanted to avoid multi-factor identification because of the onerous process involved in accessing a single data point.
“SecureAuth can provide a single access point where you can get in and look at various content and resources through a single login,” Lund says. “What we did for Houston Methodist was create a device fingerprint registration. That type of registration isn’t like the fingerprint password on your phone, but is instead a track record of the data points of how you use your device which creates a device fingerprint, and we map that into your account. Then on subsequent registrations if you try to get into the same resource we check it against the fingerprint.”
SecureAuth is using the system with organizations that have a multi-device management program or a bring your own device (BYOD) program. Lund says they can create the fingerprint without leaving behind any software on the device, or using continuous monitoring, which appeals to individuals who use the same device for work and personal use. “We don’t want to be storing data on phones or identifiable user data on our cloud. If someone’s fingerprint was stolen it would be completely unintelligible,” he adds.
Now, SecureAuth is releasing an expanded version of its software to general availability. Lund says that in the future he wants to expand the context of authorization so that, even when a user presents a valid credential, systems can protect against more insidious attacks in which that valid login comes from someone other than the user the credential is assigned to.
“We’ve worked with organizations where someone was logged in from China multiple times per day with valid credentials, but the company was in New Jersey. That kind of login gets missed if you have authentication without context.”
In version 8.1, SecureAuth IdP has officially incorporated an authentication API, which enables the integration of IdP’s strong authentication capability into homegrown applications. In addition, stronger mobile applications are available, and the company has made improvements to its logging capabilities for organizations that require an audit trail.