Aetna rolls out FIDO, behavioral authentication for healthcare data security
In a blog post, FIDO Alliance executive director Brett McDowell highlighted a Wall Street Journal report in which Aetna’s chief security officer Jim Routh discussed how the company adopted FIDO Authentication to improve the security and usability of its online services for its customers, partners and employees.
Aetna is currently in the midst of a multi-year rollout of its next-generation authentication (NGA) platform across mobile and web applications.
With NGA, Aetna is developing new industry best practices for improving healthcare access through a two-tiered approach to strong authentication.
First, the company has adopted passwordless FIDO Authentication by using biometrics for its customers’ online account credentials.
By deploying strong, unphishable public key cryptography, Aetna is able to reduce its reliance on highly vulnerable “shared secrets,” such as passwords and one-time passcodes.
“Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process,” Routh said. “FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, our member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”
McDowell noted that FIDO commends Aetna’s “commitment to consumer choice and creating a more unified experience throughout its services with single-gesture, FIDO-based biometric authentication.”
In addition, adopting FIDO will help Aetna customers, partners and employees block phishing, man-in-the-middle and other attacks that are frequently used to harvest traditional user credentials.
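The phishing and man-in-the-middle resistance credited to FIDO above comes from the authenticator signing a fresh server challenge together with the origin the browser actually reached, so a credential captured on a look-alike site is useless elsewhere. The Go program below is an added illustration, not Aetna's or the FIDO Alliance's code; it simplifies the WebAuthn assertion (Ed25519 only, hex challenge, no signature counter or attestation), and the origin strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified FIDO/WebAuthn assertion: the relying party (RP) issues a random challenge,
// the authenticator signs it with client data naming the browser's real origin, and the
// RP checks origin and signature against the public key stored at registration.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // hex of the RP challenge
	Origin    string `json:"origin"`    // filled in by the browser, not the web page
}

type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// register creates a per-RP keypair; the private key stays on the device (unlocked
// locally by the biometric) and the RP stores only the public key.
func register() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, pub
}

// sign is the authenticator side: signature over SHA-256 of the client data.
func sign(priv ed25519.PrivateKey, challenge []byte, origin string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: fmt.Sprintf("%x", challenge), Origin: origin})
	h := sha256.Sum256(cd)
	return assertion{ClientDataJSON: cd, Signature: ed25519.Sign(priv, h[:])}
}

// verify is the RP side: reject a wrong origin, a stale challenge, or a bad signature.
func verify(pub ed25519.PublicKey, origin string, challenge []byte, as assertion) bool {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != fmt.Sprintf("%x", challenge) {
		return false
	}
	h := sha256.Sum256(as.ClientDataJSON)
	return ed25519.Verify(pub, h[:], as.Signature)
}
```

An assertion signed on a phishing origin, or one replayed against a different challenge, fails verify even though the signature itself is valid.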
Aetna is also rolling out the second core component of the NGA platform — continuous, behavior-based authentication — to ensure that the authenticated user is, in fact, the same individual throughout the duration of the session.
In order to accomplish this, Aetna examines multiple user attributes — such as the way they hold their phone — and assigns risk scores to determine how much access to provide the user during a session.
In the case of a high risk session, Aetna may request the user to provide additional information before allowing continued access from that device.
Aetna’s rollout of FIDO Authentication plus continuous, behavioral authentication is a considerable achievement for remote authentication and access management of sensitive healthcare data.
The security measure improves patient and provider access to the data, along with the protection of that data.
“While this is a great milestone for an industry in need of innovative solutions, it is only the beginning of FIDO Authentication in healthcare,” McDowell wrote. “I anticipate that other healthcare organizations will follow Aetna’s lead and either replicate or leverage the platform Aetna has put in place to deliver more convenient, stronger authentication leading to increased patient record access and decreased data breach metrics across their highly targeted industry.”
As previously reported, the FIDO Alliance recently partnered with the Data Security Council of India (DSCI) to launch the FIDO India Working Group in an effort to raise awareness of strong authentication standards and solutions in India.