Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

3/21/2019
10:30 AM
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

What the Transition to Smart Cards Can Teach the US Healthcare Industry

Healthcare information security suffers from the inherent weakness of using passwords to guard information. Chip-based smart cards could change that.

Given the copious amounts of sensitive data coursing through the US healthcare system, strong information security remains a high-stakes requirement for all players in the industry. Among the most obvious problem areas, healthcare information security currently suffers from the inherent weakness of using passwords to guard information access. Passwords remain an easy attack vector because humans pick easy-to-remember — and therefore hackable — words or phrases.

However, hope is on the horizon. Technology vendors and organizations are collaborating toward making a password-less future. But meanwhile, industries that store and share personally identifiable information can activate multifactor authentication (MFA) to buttress password protection. Given the successful rollout of chip-based cards for US consumer payments in the past few years, this form factor might be the best candidate for implementing MFA in healthcare.

Chip-based "smart" cards have become ubiquitous in the US since the middle of 2015, when they were distributed by payments issuers to combat the spike in data breaches and the resulting credit card fraud. This transition has reduced fraud, proved the sector can self-regulate and adapt to new systems, and demonstrated that American consumers will incorporate this form factor into routine practice. With three years' evidence, it's time we apply the lessons learned from financial services' smart card implementation to secure access to medical records and other sensitive information of high interest to cybercriminals.

Reduce fraud: In the US healthcare sector, fraud, waste, and abuse are persistent problems. This begins with patient enrollment and continues with subsequent redundant information entry that is sometimes complicated by language barriers and improper patient identification. The adoption of a chip-based system for healthcare services provides an avenue to make things more efficient. For instance, a chip-based system would greatly improve the accuracy of data capture. In addition, the chip can ensure HIPAA compliance and increase the difficulty for medical identity theft to take place in a physical setting in which care is being provided. This will also lead to an accurate view of consumption.

Invite self-regulation: Financial services and healthcare are among the most regulated industries in the US, with a combination of governmental and self-regulating organizations (SROs). The Federal Financial Institutions Examination Council, the Federal Deposit Insurance Corporation, and the Consumer Financial Protection Bureau are examples of government regulators, while Financial Industry Regulatory Authority and the Payment Card Industry Security Standards Council are influential SROs. Healthcare, currently regulated primarily by government bodies, could accelerate stronger security practices by incorporating industry bodies that have a financial and ethical responsibility to protect access to sensitive information, including patient data, research results, and other proprietary information. Giving hospitals, insurance providers, and other medical players a stake in industry practices could speed implementation and result in a better outcome in the long run.

Change industry relationships: Like the tension between merchants and card providers in the payments industry, a similar tension exists in the US healthcare system. While employers and the government bear much of the costs, the actual "payment" is typically processed through insurance companies. Financial services implemented changes by reversing previous policies regarding how fraud liability was handled; under the new chip-card way of working, card issuers covered fraudulent charges in situations in which merchants had adopted point-of-sale technology that allowed chip-based cards to be used. Healthcare could similarly drive change by mandating providers integrate point-of-care terminals or otherwise looking for a parallel from the financial services industry. When insurers negotiate prices with healthcare providers, they could expedite payments for those using chip-based cards or add fees for those providers not implementing chip-based cards.

Change consumer habits: The way that hundreds of millions of US consumers relatively quickly adopted to the move to chip-based cards holds promise for the US healthcare industry. Moreover, many American consumers now understand that the chip provides a stronger level of both security and fraud prevention than previously existed. This prepares the way for the healthcare sector to adopt chip-based cards. As a way to implement stronger identity protection, portability, and tracking, the equivalent chip for our health data could become a reality via our insurance cards in a manner that moves patient data with greater veracity and velocity.

Chip-based cards hold the potential to solve many of the ongoing problems in the US healthcare sector, and consumers are already accustomed to using this technology as result of implementation in the payments industry. The time is right to bring smart chip cards into the healthcare security equation.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Joram Borenstein, General Manager of Microsoft's Cybersecurity Solutions Group Joram Borenstein is the General Manager of Microsoft's Cybersecurity Solutions Group, holds CISSP and CISA certifications. He has been on the Advisory Board of numerous cybersecurity startups, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Yenrab
50%
50%
Yenrab,
User Rank: Strategist
3/24/2019 | 9:12:13 AM
So NOW we think this is a good idea
If memory serves, was not Microsoft (not always security wizards) reccomending smart card usage back in 2000?  The Win2K training manuals for Server suggested using them that long ago.  Nice to see that their advice is finaly being heeded.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...