Achieving Cost-Effective, Scalable and Secure PHI Access Without Workflow Disruption


July 23, 2013 2:00 pm



Zoe Lindsey, Regional Director of Duo Security, and April Sage, Director of the Healthcare Vertical at Online Tech, provide an informative webinar on how to secure access to confidential health information in a cost-effective and scalable way without interrupting your users' workflow.

Title: Achieving Cost-Effective, Scalable and Secure PHI Access Without Workflow Disruption
When: Tuesday, July 23 @ 2PM ET
Description: Passwords are flawed; they are shared among users, easy to guess, and increasingly easy to breach. Two-factor authentication (using two different types of authentication) provides a higher level of security and assurance. Two-factor authentication is now offered by the Department of Health & Human Services/Centers for Medicare & Medicaid Services (CMS) as guidance for remotely accessing Electronic Protected Health Information (EPHI) for entities that must adhere to the HIPAA security regulations.

The vulnerability of static passwords has led to a wide range of regulatory provisions mandating the use of two-factor authentication to secure remote access to sensitive or private information, such as PHI, NIST, PCI and more.

Historically, cost and scalability issues have limited the use of two-factor authentication to very small implementations for users with the most privileged access. Workplace trends and new technology are changing that.




April: My name is April Sage from Online Tech, and I'm very happy to welcome Zoe Lindsey. She's the Regional Director of Duo Security. Zoe's going to be talking about cost-effective, scalable solutions for protecting PHI, or protected health information, which, as those of you in the healthcare industry know, is a very critical asset to protect. Just for full disclosure, let me share that Online Tech does use Duo Security's technologies and highly recommends them to our clients as well, but we don't receive any remuneration when we pass along other folks to Duo. Boy, we sure do recommend that anyone who needs to mitigate passwords and protect PHI uses some form of two-factor authentication. We know that the simplicity of setup that we see with Duo is far and beyond anything else that we've seen.

We're really excited to have Zoe join us today. Zoe has a background in medical technology. Zoe, it warmed my heart to hear that you started with a Commodore 64. I think I still have one in the attic. That's awesome. I know that you've worked with many healthcare organizations to help them be secure. With no further ado, welcome. Thanks for joining us today.

Zoe: Thank you, April. That was a great introduction. I appreciate it. Hi, everybody. I just wanted to spend a little bit of time today, as April said, talking with you about the importance of a strong first line of defense when you're talking about access to personally identifying information or PHI. Without further ado, let's go ahead and dive in here. Real quick, we have a little housekeeping slide here. If you are able to see but not hear or vice versa, this is going to give you information necessary to get connected. I can't see the chat, but I believe April can. If you have any questions please toss them in there and she'll make sure that we get answers for you.

The first thing to point out is that there really is no such thing as a data breach that at some level does not involve stolen credentials. Stolen credentials in one form or another, whether it's stealing an active session on a user's system; stealing the actual user credentials, the user name or the password; stealing a cookie for logging in, etcetera, one way or another a breach is going to occur after an attacker has obtained a user's credentials. From that point they're going to use that access to expand their influence and spread out to other surfaces and systems.

The truth is there is really no better protection against that type of user credential compromise than two-factor authentication. The reason why it's important you can see here. This data is already a couple of years old now, but you can see that as there's been more and more valuable information stored online and the cost of attack continues to drop as technology gets easier for attackers to use, there's been an exponential increase in malware, in attacks against user systems, et cetera. Really, HIPAA compliance and the fees associated with failure to comply is not the biggest risk. In 2011, there were 30.9 billion dollars in losses as a result of medical identity theft. That's really because when you're talking about stealing medical information it's a one-stop shop for attackers. There they get personally identifying information. They get social security numbers. They get full contact information. They get supporting information that can often be used for security questions, and financial information if they have any payment information stored with the provider. It's a very attractive target for attackers. It doesn't take very many of those records to be exposed before the cost of attack is less than the benefits that they would gain by getting access to that information.

In the past, it hasn't been especially easy to keep up on your compliance. There are a number of different provisions whose requirements you have to meet across administrative, physical, and technical levels. The wording in a lot of these is fairly ambiguous, and so we get calls a lot of times from folks that aren't entirely sure exactly what they need to do to meet that requirement of strong authentication.

Zoe: Two-factor has been for many years, more than 20 years now, an effective method to protect that first line of defense, stopping attackers before they're able to get within your perimeter and expand that access. The process of implementing two-factor itself hasn't always been terribly intuitive. You have a very high learning curve in getting the system set up. It typically involves a lot of investment both in time and money to get the servers up and running; to get tokens deployed and provisioned for your users; to get your administrators trained on the new system; and then ongoing support costs in getting those tokens replaced, for example when a user loses one or when a battery dies; and maintenance, going through and clearing up users. All of these are factors that have made two-factor a hard pill to swallow in the past.

It is effective. It's added the element of something that you have, or are, or do, most commonly something that you have, to something that you know through your password. That's why you see it reflected not just in HIPAA requirements but in other regulatory requirements across many industries, and now increasingly you even see it in the consumer realm. More than likely you've heard about Twitter, Facebook, LinkedIn, even Microsoft for the Xbox 360 releasing two-factor measures to protect against breaches, oftentimes retroactively after a breach has occurred.

As we mentioned, these are some of the issues that you run into. It's a very complicated setup process. In particular, when you're talking healthcare you deal with physicians' resentment when they end up with this huge keychain full of tokens that they have to carry around, and then whenever they go to a new site or a new office they have to go through and make sure that they're using the correct token to get logged in. On top of all of that, oftentimes those legacy providers are using a shared key standard, where the seed file that's being matched up against the code or one-time passcode that a user is entering, the seed file that is stored on the server, and the seed file that's on the user's device are the same. What that means is if the attacker gains access to the authentication provider's network, as happened when RSA was breached, that places those customers at risk once those seed files are compromised.

The reason we came into the market is that we wanted to try and prevent these issues from happening in the first place. We wanted to make a solution that was going to be very easy to deploy, which we'll cover in a couple of slides, how we went about doing that, and not only to deploy but to scale, whether you have just a couple of users or you're covering tens of thousands of users. We want to make it easy for your service to grow or shrink as your needs do. We want to make it easy to manage, so we want to have a minimal amount of time that your administrators and IT staff have to spend on getting it up and running and on keeping it running. We want to make it easy for your end user so that it's not a system that they resent having to use and it has a very minimal impact on their workflow.

Zoe: In doing this, we're going to address some of the biggest problems in security. By beefing up that first line of defense you can prevent account takeover and fraud before it happens. We do that by leveraging mobile devices that your users already have. More often than not, we find that better than 70% of our users across all the different fields that we assist are using some sort of smart device, whether it's a smartphone or a tablet, and rather than having that be a BYOD unknown and potentially a security risk for your environment, we want to take those mobile devices and turn them into an asset.

Here's how we do it. We step in after the primary authentication has been completed. That's important to note. Your users are going to log in with their username and password the same way that they do now. There's no change there, and that credential is still processed locally as you have been doing it up until now, so you're never passing those primary credentials or that personally identifying information outside of your network. Where we step in is after that primary authentication is complete but before you're logged into the service you're accessing; it redirects to Duo's service. It's going to prompt your user on how they'd like to authenticate. After they successfully authenticate, Duo's going to pass them back to your service, say they've been fully authenticated, we've checked the second factor, and then the user will be logged in as normal. We do this in such a way that the user experience doesn't change. You'll see in the demo here what I mean.

We stress, since it's the best user experience and really the unique value that we brought to the market, our push authentication method that works through a smartphone. We were the first provider that offered a push authentication method for smartphones. We built our service on a private key infrastructure rather than the shared key infrastructure that I referenced earlier. We'll circle back to that in just one second. Just to point out flexibility, we do also support passcodes that are generated through the mobile application. That'll work even if the user has no connectivity whatsoever. If they're somewhere where they don't have phone service, they don't have data reception on a device, even if the phone is in airplane mode, they can still use that one-time passcode generation feature. We also support passcodes sent via SMS. As an administrator, based on your preference you can configure how many of those passcodes you'd like to send as well as how long they'll be good for. We really want to give the administrator the ability to customize that balance between security and convenience for the user. Or phone callback, which will work either with a cell phone or with a landline, even if that phone has an extension, or hardware tokens. Any OATH-compliant HOTP token will work with our service, as will YubiKeys. We're able to import those as well.

We have a good long bullet point list here, but the gist is our primary benefits, as I said, easy to use, easy to deploy, easy to manage. We do that through simple IFrame integrations that can drop in in a matter of minutes for most services and systems that you'll need to access.

Zoe: This is literally what a setup looks like for our service. You go ahead and get signed up for whichever version of the service you want to try. You're then going to go to our documentation page, and that'll give you step-by-step instructions on how you get it installed and started. As you can see on the right-hand side, this is actually only a sample of all the integrations that we cover. We do have drop-in native integrations for most of the popular hardware and software you're likely to see in your enterprise environment. In some cases, for example with our remote desktop integration for RDP, it is a five-minute installation. You run an MSI installer. You generate the keys for your new integration in your admin panel, paste those values in, and you're done.

Not only that, but your users are going to enroll themselves as well. We use a trust-on-first-use philosophy. What that means is the first time that your users log in after you've deployed Duo, if you've chosen to use our requirement enrollment access option, they're going to be brought to a screen like you see on the left. It's going to be branded in line with the service that your users are already familiar with, so there's no jarring switch that directs them to a separate site or something like that. They're just going to enter their device number. They're going to verify that device either with a call or a text, and then it's going to prompt them as to whether this is a mobile phone or a landline phone or another device. That could be a tablet or a hardware token. If they're using a smartphone it's going to take them to the appropriate app store to download our application directly from there and send them an activation link. Once that's done, they'll be logged in as normal.

Zoe: Let's take a step back and talk a little bit more about the background that we have in security. As I mentioned, we use a public key protocol. The difference between that and the shared key service that's used by legacy providers is we don't have the same seed file on our server and on the user's device. We have a public seed file that's on our server, and then each user's device has a unique private certificate that's generated at the time of enrollment. We're currently available primarily on Nexus devices from Google. That certificate is stored in a hardened software security module on the user's device with the same level of encryption that's actually used for government cloud cards. Without both pieces, the public and the private key, you cannot complete an authentication. Even if you do compromise a single user, because that private key certificate is unique to each device, you would individually have to breach each user that you wanted to compromise.

You're using not only an out-of-band device, your user's smartphone, but also an out-of-band network with Duo. We have a complete segregation of responsibility. That means your primary authentication occurs entirely on your network through your service and no part of that is passed to us. Likewise, the second factor of authentication is completed entirely by our service; no portion of it is passed to you. That means that, in addition, you'd have to compromise both your own network and ours in order to breach the service.

In terms of reliability, it's something that we get asked a lot when users are talking about a service that's hosted rather than one they host locally. We've had 99.9% uptime since 2010. We can attribute that in part to our founders. Dug Song, our CEO, was a founder at Arbor Networks. While he was there he was responsible for building up the infrastructure that Arbor uses to this day to protect the world's leading ISPs against DDoS attacks and other online threats.

We also have leadership coming to us from some of the other biggest names in security, like Symantec. One of our members, Stratton Sclavos, is a former CEO of VeriSign. Our CTO, Jon Oberheide, has most recently been in the news for research that he's done on behalf of DARPA around remote exploit patching for mobile devices. You may be familiar with the ReKey software, available appears to have, that patches Android devices that are vulnerable to the master key exploits that were disclosed earlier this year. One of the things that we point out about our history is that, rather than a company that moved into information security, Duo is really a company with deep roots in information security that saw an opportunity to raise the bar for security in the market.

Zoe: Briefly, as I talked around what the user experience is like, I just want to walk you through authentication from your user's perspective as they log into, in our example, Outlook Web Access. Users are going to go and enter their username and password. We're going to assume this is the first time that your user is doing a push authentication request. They verify their number. They've activated the account through their mobile app, and now it's going to prompt them how they want to authenticate. Do they want to use Duo Push? Do they want to use phone callback, or do they want to use a passcode, either generated by the mobile application or sent via SMS? In our example they're going to use Push. They receive that Push notification on their device. When they open it up it's going to give them some context for that authentication. It's going to say, "Here's who's logging in to our service, what IP address the request is originating from, with a reference to your location," and then the time on that request. They hit approve, and they're going to be logged in as normal.

If they don't have access to the net, either through the cell network or through a local WiFi network, they can generate a passcode through that mobile application just by tapping on their account. It'll generate a one-time six-digit passcode that they can enter. In this case, it would provide exactly the same user experience as they would have with a hard token, except without having to carry a separate item, and then after they put that passcode in, once again, they're going to be logged in as normal.

I also want to point out here that we do support third-party accounts. One of the things that we wanted to address with our mobile application is that we want to encourage your users to have strong security practices wherever they go. That includes whatever services they use, whether the services that you protect with two-factor or third-party accounts like Google, Dropbox, other Amazon web services, and so forth. We want them to be able to use two-factor on all of those services, but we also don't want to duplicate the 70-tokens-on-a-keychain problem that was a problem in the first place. What we do is we allow you to import those credentials into our mobile application and store them there instead.

Zoe: As an example here of a customer who's used our service to meet their compliance needs, we're briefly going to touch on the Royal Victorian Eye and Ear Hospital. They came to us with an on-fire priority to get two-factor implemented. When they found us they had actually just failed their IT audit because they had no strong authentication implemented for remote employees. Their need was that they had both mail and VPN services that their users needed access to, and that their user base wasn't especially tech savvy, or for remote users, obviously, they didn't have the same kind of access to support to be walked through the usage of the service.

What we were able to assist them with was very quickly getting Duo deployed for both their Citrix Access Gateway and Outlook Web Access integrations. In this case, their users primarily did not have smartphones, and so they relied on SMS, but it was still an intuitive process for their users to get enrolled. The reason that they ended up going with us is that for the extremely high priority on this project that they needed to have deployed yesterday, we were able to help them get set up and rolling in a matter of about two hours. That's a very common situation for our users.

As an example outside of healthcare, when Twitter was getting Duo deployed initially it took their administrators 50, five zero, minutes to get the service set up and deployed in their production environment. Then, their first 1,000 users were able to self-enroll in 24 hours with no further administrator action. The remainder of their users were actually able to get enrolled in the next 24 hours. Again, other than the 50 minutes of initial setup there was no further action needed by their administrators.

Another example of where folks have been able to implement Duo to meet their healthcare needs: we worked with a large healthcare network in the New York area that, in the wake of Hurricane Sandy, found that their legacy provider's server that was stored onsite was suddenly under 10 feet of water. That prevented their users from getting any access to the service since the server was unreachable. That situation persisted for about a week as they tried to work with the provider to get a workaround and to undo that two-factor setup that they couldn't authenticate against. After that happened, they began looking specifically for a hosted solution and chose ours because of our uptime rating and because in that exact same situation, where they have a distributed environment but a localized authentication provider, we would've kept their service running in the wake of that hurricane when their previous provider wasn't able to.

That's the nickel tour of the importance of two-factor. Really it's the simplest and most cost-effective measure you can take to prevent attacker access before it happens. I just want to leave this slide up here of some other upcoming events through Online Tech. I believe we have a little bit of time here for any questions that you have. April, I'm going to leave this slide up here, but if you can help me with the questions that folks ask in chat that would be great.

April: Absolutely. Thanks, Zoe. Really appreciated the combination of the broad overview but also the real use cases and the chance to see in real life what a demo looks like. I think one of the things that is most difficult to understand is that you can really have this degree of fantastic protection. You can really leave behind your worries about weak passwords, which I'm sure many involved in security lose a lot of sleep over. When you couple that level of protection with two-factor with the juxtaposition that you can set this up so easily, I'll just speak from the, perhaps, less technically educated marketing team's perspective: when Online Tech decided to roll it out across the company, everyone in marketing, everyone in sales, it wasn't just the operations teams that were able to get this set up and on their phone; it literally took everyone in the company 10 to 15 minutes each to self-enroll and learn how to use it. It just works like magic. It's an awesome, awesome thing. We love the service that you help us with, and with our clients as well.

Zoe: Thank you.

April: Absolutely. We do have a question here. Have you implemented your solution for access to patient portals and health information exchanges?

Zoe: Great question. Actually, we have a couple of EHR providers that we're working with currently to implement the solution. As you may be familiar with, there are some stricter DEA requirements around, I believe it's, schedule II medications that are restricted access, that require two-factor authentication when a doctor is prescribing those substances. We have a number of EHRs that are looking for a lightweight and easy-to-implement solution that's going to allow the physicians using their service to quickly do their authentications without impacting their workflow. I don't have a use case to present to you currently. It's an in-progress project that we're working on in parallel with a couple of EHR providers, but it is a solution that fits what their needs are, because the process of implementing for a web app typically is reduced to about dropping in three to five lines of code to redirect to our service for that second factor.

April: I'll just share that the vast majority of our healthcare clients also use Duo for secure VPN connection to their servers as well, so a little bit different use case scenario, but we have really never heard of a problem with setup and use, at least not so far.

Zoe: Yes, and in addition, the VPN use case is probably, I'd say actually by far, our most common in the healthcare industry, just simply because any of that information accessible behind the VPN is so valuable.

April: Great, makes a lot of sense. Just wanted to invite any last questions here. For the person who just wrote in, I'll make sure to connect you with Zoe at Duo for further discussions. Just wanted to invite everyone to join next week, Tuesday at 2:00; we're going to be talking about using document management securely to improve the workflow and return on investment in the healthcare area. Zoe, if you have some contact info for Duo we'll share that with everyone next. Those of you who have Online Tech info, we will be sure to pass you to Duo as well, but Zoe, let's go ahead and show them the Duo slide.

Zoe: It's funny, it looks like our last presenter left her information in here. I'll just give it out to you and I'll put it in the chat as well. My email is zoe, and my direct contact number is 734-274-2534. I'll just put that in here.

April: Super. Fantastic. I'll send it out in chat. Thanks everyone for joining us today. Zoe, thanks so much. Really appreciated your expertise and your insights on how this is used in the healthcare industry. We look forward to chatting with all of you again soon.

Zoe: Absolutely. Thanks a lot, everyone. Have a great day and we'll talk to you soon.

April: Thanks, everyone. Bye-bye.
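As an added illustration of the distinction Zoe draws in the talk between legacy shared-seed tokens and per-device private keys, here is a small Go model (example code written for this page, not Duo's implementation). The shared-seed side is RFC 4226 HOTP with a look-ahead window, where the server's seed database can compute every user's codes and so must be protected like a password store; the per-device side is a per-login nonce signed with an Ed25519 key that only the device holds, so the server's database contains nothing that can approve a login. The user names, the RFC 4226 test seed, and the in-memory stand-in for the phone's keystore are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes a six-digit RFC 4226 code: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamically truncated (RFC 4226 section 5.3).
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// sharedSeedServer is the legacy design: the server holds the same seed as
// each token, so its database alone yields every user's codes.
type sharedSeedServer struct {
	seeds    map[string][]byte
	counters map[string]uint64
}

// verifyHOTP accepts the code for the expected counter or the next `window`
// counters, then moves the counter past it so the code cannot be replayed.
func (s *sharedSeedServer) verifyHOTP(user, code string, window uint64) bool {
	seed, ok := s.seeds[user]
	if !ok {
		return false
	}
	base := s.counters[user]
	for c := base; c <= base+window; c++ {
		if hmac.Equal([]byte(hotp(seed, c)), []byte(code)) {
			s.counters[user] = c + 1
			return true
		}
	}
	return false
}

// publicKeyServer is the per-device design: the server stores only public
// keys, so a copy of its database cannot approve a login.
type publicKeyServer map[string]ed25519.PublicKey

type device struct{ priv ed25519.PrivateKey } // phone keystore stand-in (assumption: in-memory key)

// enroll makes the key pair on the device and registers only the public half.
func enroll(s publicKeyServer, user string) (device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return device{}, err
	}
	s[user] = pub
	return device{priv}, nil
}

// newNonce is the per-login challenge that binds an approval to one attempt.
func newNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func (d device) approve(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) } // the "Approve" tap
func (s publicKeyServer) verify(user string, nonce, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	fmt.Println(hotp([]byte("12345678901234567890"), 0)) // RFC 4226 test seed; prints 755224
}
```

A signature over one nonce is rejected for any other nonce, which is the property that makes a push approval usable for exactly one login.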

Zoe Lindsey, Regional Director, Enterprise Sales at Duo Security

Zoe has worked in tech for years, and came to Duo with a background in cellular and medical technology. Ever since getting her first Commodore 64 at age 10, her passion has drawn her back again and again to working with technology and information. Zoe works with her team to introduce Duo to as many new users as possible -- she has assisted surgical centers, general hospitals, and specialty clinics to implement two-factor authentication solutions.

April Sage, Director of Healthcare Vertical, Online Tech

April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems. Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director, Healthcare Vertical of Online Tech.

