March 07, 2014 By Jeff Mongelli
HIPAA and meaningful use seem to have opposing goals: HIPAA mandates keeping protected health information (PHI) secure, while meaningful use requires sharing PHI. The mantra could be “to protect and share,” to borrow a phrase from our boys in blue. Therein lies the challenge of current healthcare IT — accessing PHI needs to be as easy as possible for those authorized, and impenetrable for those who aren’t.
One common security technique that’s been gaining popularity is the use of text messages sent to your cell phone in addition to using your username and password. In short, you receive a text message with a passcode, then you use that, your login ID, and password to gain access to your sensitive data. Common in banking, it’s been gaining acceptance in the healthcare community. But there’s a problem, a big one. If you think Short Messaging System- (SMS-)-based authentication is your savior for securing patient or remote access to your PHI, then you’re entertaining a false sense of security.
More than a decade ago, attacks would come in the form of passive intrusions. A password sniffer would work away until it stumbled upon the correct password tied to a given username, for example. Two-factor authentication relying upon SMS would have been an effective deterrent; but that was more than 10 years ago. Today, threat vectors have changed and become more aggressive. Using SMS as a form of additional authentication doesn’t close all the holes, and these sophisticated threats are adept at exploiting them. Here are two examples of the weakness.
The man-in-the-middle attack is basically what it sounds like: A miscreant lures you to a fake banking site, or healthcare portal, for example, and when you enter your sensitive information, including your SMS code, they’re there to capture it. The important point to know is SMS based two-factor authentication will not typically thwart this type of attack. Along the same line as the man-in-the-middle attack are Trojans, key loggers, and other types of malware that enable criminals to capture your sensitive information as you enter it, for example, and then use it for their own nefarious purposes.
SMS was not designed with security in mind. As a result, numerous spoofing exploits exist. Additionally, mobile devices are frequently lost or stolen, reducing their reliability as a security metric. Finally, as this platform is used more commonly for authentication, so too will the attacks on it proliferate. Our point here is to recognize that a SMS-based authentication method is better than none at all, but it still falls short of being truly secure.
While SMS is a welcome addition to the realm of authentication to enhance the protection of health information, it’s not a significant step forward. Greater security measures already exist and will matriculate their way into the healthcare community. If you’re thinking fingerprint scanning or other bio-feedback authentication, we’ll discuss the shortcomings of those techniques in future posts.