The importance of privacy within the healthcare industry is as old as the practice of medicine. In the middle of the Information Revolution, though, it has taken on a whole new level of complexity. As soon as Electronic Medical Record (EMR) databases began to be hosted on private networks connected to the Internet, information security took on a whole new definition. The physical security of paper files held within filing cabinets, and even the local proprietary security systems housed within standalone EMRs, were no longer sufficient to protect against penetration from the outside world. In today’s world, IT personnel must put forth more effort than ever before to ensure that patient data is protected against all unauthorized access.
The Health Insurance Portability and Accountability Act (HIPAA) and Joint Commission accreditation both impose information security requirements that must be met by a large percentage of the medical centers throughout the United States. An information security system and policy is, therefore, in the best interest of any medical center wishing to adhere to these requirements.
The functional information security systems that I have seen use at least 4 concepts, or principles, within their design, which I will discuss in this series of articles.
- Access Control
Authentication is the process by which an information security system guarantees the identity of a principal (a person or resource requesting information or access). Authentication happens every day. Every time you put a bank card into an ATM, it asks for your Personal Identification Number (PIN); this authenticates to the bank that you are who you say you are. This is also why you are, or at least should be, asked for a password when you log into your computer in the morning. Authentication does not, in and of itself, dictate your access to the system; it merely guarantees your identity to it.
The goal of a good authentication system is to have absolutely no false positives and as few false negatives as possible.
Historically, most authentication systems I’ve seen have used a username/password combination. While this sounds like a perfectly acceptable form of authentication, it has one huge drawback: it relies on the memory of the human brain. Your average user cannot remember a large number of sufficiently complex passwords for authentication to the multitude of applications they normally use. What ends up happening is that the user either begins to “reuse” passwords, or begins to write them down somewhere that is easy to retrieve when needed. Both of these solutions compromise the security which the system is trying to provide. In my experience, the less the human brain is involved in the process of authentication, the better. This is one reason for the surge in the use of biometrics. Biometric authentication does not use passwords to guarantee a user’s identity; it uses various measurements and properties of the human body instead. Much more certainty can be placed in an individual authentication when more information is given about the individual.
A password is usually about 6 to 8 characters in length, with most passwords made up of letters rather than numbers or special characters. This leads to the small amount of entropy contained in most passwords. Entropy is a measure of the randomness within something that is variable. A longer password has the possibility of more entropy than a shorter one because it has more possible combinations. In 1948 Claude E. Shannon calculated that the English language, on which most passwords in the US are based, contains 1 to 1.5 bits of entropy per character. This does not mean that a 6-character password has only 6 to 9 bits of entropy within it, but it does give the impression that a password that uses English words would be very easy to break, even when a dictionary attack is not used.
Biometric authentication, on the other hand, can use many different aspects of the human body, each of which contains more randomness than a single character or word. Fingerprint, retinal or iris scanning, and facial or voice recognition systems all use many points of data to create a signature which can be recreated by scanning the same person again, while at the same time producing a different signature for every person on the planet.
Yet another problem with password authentication is that, in many cases, it is poorly implemented. I’ve experienced many password authentication systems in my time that used “password comparison” as their chief authentication method, where the system actually stores the password and compares it directly to the password entered by the user. The only time this would be an acceptable risk, in my opinion, is in a system that requires the ability for someone to retrieve their password instead of simply resetting it. The thing is, I don’t think I would ever let myself get put into that position willingly. Password comparison introduces so many weaknesses into the authentication process that it hardly seems worth it. For instance, you now have to transmit the password from the client to the server for authentication. With the password flowing over the network, most times in plaintext, all it takes is one compromised system with network sniffing software to capture the password as it travels over the network.
If you do implement a username/password based authentication system, do not store the password on the server; use a one-way function like SHA-1 or MD5. Also known as a trapdoor, or hash, function, this converts the password into a large pseudo-random sequence of characters which cannot be turned back into the original password. When it comes time to authenticate a user, apply the one-way function to whatever password the user has entered, and then compare that value with the “hashed” password stored on the server. Now it is not the password being stored and sent over the network but a large pseudo-random string of characters that cannot be transformed back into the original password if it is captured or discovered.
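An added example, not from the article, showing the two schemes side by side in Python: the plaintext “password comparison” table the article warns against, and a table that keeps only a one-way digest. It assumes SHA-256 with a random per-user salt, server-side hashing and a constant-time comparison (none of which the text specifies; it names SHA-1/MD5), over a constructed in-memory user table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory login tables standing in for an EMR user database.
# 1. "Password comparison": the server keeps the password itself and compares
#    it to what the user typed. Anyone who can read the table reads the password.
PLAINTEXT_STORE: Dict[str, str] = {"nurse01": "Winter2007"}

def verify_plaintext(username: str, password: str) -> bool:
    stored = PLAINTEXT_STORE.get(username)
    return stored is not None and stored == password

# 2. One-way function: the server keeps only a random per-user salt and
#    SHA-256(salt || password). The salt is an assumption not in the article;
#    it keeps two users with the same password from sharing a stored digest.
HASHED_STORE: Dict[str, Tuple[bytes, bytes]] = {}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest

def register(username: str, password: str) -> None:
    HASHED_STORE[username] = hash_password(password)

def verify_hashed(username: str, password: str) -> bool:
    record = HASHED_STORE.get(username)
    if record is None:
        return False
    salt, stored_digest = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: response time must not reveal how many
    # leading bytes of the digest matched.
    return hmac.compare_digest(stored_digest, candidate)

def record_at_rest(username: str) -> bytes:
    """What someone who reads the hashed table actually sees: salt + digest."""
    salt, digest = HASHED_STORE[username]
    return salt + digest

if __name__ == "__main__":
    register("nurse01", "Winter2007")
    register("dr_smith", "Winter2007")   # same password, different digest
    print(verify_hashed("nurse01", "Winter2007"))   # True
    print(verify_hashed("nurse01", "winter2007"))   # False
    print(record_at_rest("nurse01").hex())          # 48 bytes, no password in it
```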