Harden User Authentication to Better Secure ePHI
A strong password and new technology solutions are your best defenses against hackers.
by Arthur Gasch
Authentication is verifying a person who is accessing data is the person authorized to do so. Authentication typically consists of a username and password. When coding, be sure to maintain a secure password when accessing electronic protected health information (ePHI), and be aware that weak passwords are a security threat to the patient record and confidential information.
Generate Memorable Secure Passwords
Most people can remember only a limited number of passwords. Using a different password for every site may result in frequent clicking of the “forgot password” option. As a result, people tend to use the same password across several sites. The problem with doing that is if a password is captured on one site, it provides a passport to access the others.
One approach is to pick a password that is a compound of two factors. One factor is something about the site you’re accessing, and the other factor is something about you. In this structure, put the personal part of the password before the site-specific part of the password, or mix the two.
For example, a password for Amazon.com might be “mcnzm4,” which is the string for Amazon.com backwards with all of the vowels removed except the first one, with the A changed to 4. The password for drugstore.com would be “mcrtsgrd.”
These are algorithm-based passwords, with the site (or something on the site) as input data for the password algorithm. To make it stronger, also capitalize a letter — perhaps the first or last one — and then add a special character as a separator. This change makes the password for Amazon.com, “mcnzm4#.” The 4 isn’t capitalized because there are no “capitalized” numbers. For drugstore.com, it would become “mcrtsgrD!” The D is capitalized, and a special character “!” is added. On a Vision electronic healthcare system (EHR) system, a password might be rhnxV# as the first part, which is the string “Vision EHR” backwards, with the vowels removed and # added.
Not all systems allow special characters, but others actually require them. Check out the password restrictions for each site you frequently visit before creating a password.
For the first part of the password string, use a personal identity item, such as:
- Three initials of your kids’ names;
- Three letters from your car’s license plate;
- The first 3-4 letters of your spouse’s middle name; or
- Your shoe size, etc.
For example, suppose your license plate is CHA 62R. Use the CHA or the 62R (or both). This provides additional characters, which makes the password longer and harder to spoof (unless the pattern is recognized). Amazon becomes “62Rmcnzm4#.” If you use the CHA part of the license plate, the string is “Chamcnzm4#.”
Your mind can easily recreate such passwords by looking at the string, but the pattern isn’t obvious — and you don’t have to remember the password, only your password generation rule. It also means that the password used on one site is always different from the password used on another, and for a hacker with access to only one or two sites, the potential to figure out the pattern is limited.
There is nothing magic about reversing the string, or removing the vowels; sometimes changing vowels to numbers is helpful, but it makes the string more apparent. For example, if the password for Amazon is “Am4z0n” and the password for drugstore.com is “Drugst0r4,” the password algorithm might be obvious enough to allow hackers to guess your passwords for other sites.
Another option is to use characters from two sources alternately in the password string. For example, if you use “CHA” from your license plate as your personal identity element, then the password for Amazon.com becomes “mCchnazm4#” and the password for drugstore.com becomes “rCthsagrD!” Neither of these passwords would be obvious to a third-party hacker who has only one or two valid examples to work with, but they are easy to generate (if you can remember your license plate string and whatever else you are using).
Password Vaults Are Another Option, Maybe
If you are not the analytical type, you can use a password vault. But be warned: If the security to authenticate yourself to the vault is inadequate, your password vault becomes the only thing a hacker needs to steal your entire electronic identity, including passwords to your financial accounts, medical records, etc.
The vault also has to be installed on every device you use to connect to the internet; and if that device is physically stolen, a hacker has the rest of their life to crack the one vault password that contains your electronic identity. I avoid vaults because, like the one ring (Tolkien), a vault in the wrong hands provides too much access to your electronic life.
Multifactor Authentication Increases Security
The insecurity of passwords has led to multifactor authentication. Multifactor means “more than one” element to the authentication. Elements might be, for example:
- Something you have (like your smartcard or smartphone); plus
- Something you know (like your username and password); and
- Something you are, such as your fingerprint or retinal scan, or facial recognition from a selfie taken at the time you registered (which can be compared to a current selfie at the time the authentication is being approved).
Given these three factors, the receiving/host (remote) system generates a code to your known device (e.g., the smartphone you select as the final part of your user authentication). This combination of items validates that you are the authorized user, and data from the remote site is made available to you (or the transaction submitted is uploaded and posted). Although any of the items can be spoofed, the combination makes it difficult.
Are Smartphones Secure?
Many applications can operate with permission to access information on your phone, so the likelihood that a rogue application can be installed to watch your password information is high. Apple and Google are sensitive to this issue and have devised phone-based, two-step authentication as a solution. I’m not sure if it’s sufficient enough to prevent a rogue application installed on a smartphone from seeing and collecting personal information. Given the business model of many technology companies (to capture your information and market it to commercial vendors), it seems wise to be wary of your personal security and privacy.
Creating secure passwords is an easy way to help secure the process of accessing, processing, and handling ePHI.
Securing Our Future
The Heartbleed Flaw in the OpenSSL Code
Secure Socket Layer (SSL) fixed encryption was supposed to make transmissions across the internet secure, but the OpenSSL organization’s code flaws have been exploited to undermine SSL encryption. This code vulnerability is called “Heartbleed.”
Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. Having a security certificate and connecting only to secure websites (those with https:// addresses) is no guarantee that the information cannot be hacked.
Ramping Up Encryption May Be the Solution
There are technological solutions on the horizon. One interesting approach is a smartcard with a single use, rotating card verification value (CVV) code (the four digits normally printed on the back of the card). Rather than being printed on the card, the CVV area becomes a display that calculates a new CVV for each transaction. A similar approach could be taken with smartphone transactions.
Medical Strategic Planning (MSP) has worked out a data abstraction algorithm, based on a single-use encryption process, called Triad content layer (TCL). The TCL uses data abstraction for information stored prior to it being encrypted by the SSL certificate. This makes the data set a compound encryption using both a fixed and a single-use component. It means that even multiple transmissions of exactly the same information are never encrypted the same way twice, so even if they are intercepted every time, the content of the message remains obscure and protected. TCL is being implemented as an application-specific integrated circuit (ASIC) chip that can be embedded in medical devices such as smart card readers, smart cards, and maybe even smartphones, some day. This technology would overcome the Heartbleed issue because breaking the SSL encryption leaves only an encrypted message, which also has to be broken to reveal the real message.
Arthur Gasch is founder and CEO of Medical Strategic Planning since 1992. He has worked as market research manager at Siemens, regional manager at Spacelabs, and X-ray specialist at Hewlett Packard (now Philips). Gasch is the author of “Successfully Choosing Your EMR: 15 Crucial Decisions,” and is a member of Health Record Banking Alliance and leads its Security Committee. He has been involved in healthcare since the 1970s.