Passwordless authentication for healthcare possible with biometrics: Imprivata
Imprivata has published a new white paper on how to navigate “the journey to passwordless for healthcare.” Healthcare organizations, it says, face “unique obstacles related to shared mobile devices and workstations, clinical workflows, plus legacy apps, which make achieving full passwordless a challenge.”
“While all industries contend with cybersecurity threats, healthcare is among the most-targeted industries, due in large part to the criticality of patient care, as well as the perceived value of personal health information (PHI).” And passwords are “the weakest link.”
Yet passwords are pesky, in that they are so deeply embedded in complex systems. To succeed, any alternative must be at least as easy and efficient as passwords. But generic authentication solutions can’t account for the complexities of healthcare infrastructure.
The white paper breaks down the arguments in favor of phasing out passwords. In short, they are far too phishable. Passwordless authentication reduces credential sharing and attack surfaces. Operationally, it can improve end user experience and reduce costs.
Diverse workflows, liveness detection key considerations
But there are conditions that must be met to successfully deploy passwordless authentication for healthcare use cases. Different devices and workflows have different authentication criteria, and each case should be considered on its own specifics. A shared clinical workstation does not have the same authentication options as, for instance, a shared mobile device.
Design-wise, “simplicity prevails over complexity.” It is crucial that clinicians are always able to authenticate quickly and easily when they need to. The solution must also be secure.
Biometrics offers a secure and efficient “something you are” identification factor for multi-factor authentication (MFA), the paper says. “For clinicians, centralized biometrics are a commonly-selected option, as this modality allows users to enroll once and then use the enrollment across devices. Biometric enrollments can be centralized or stored on the local authenticator.” They work well on mobile phones and other mobile devices and require minimal user interaction.
However, says Imprivata, “the security of facial biometrics cannot rely solely on the possession of a biometrics secret, since obtaining a picture of a user is easy for an attacker. Instead, Presentation Attack Detection (PAD), also called liveness detection, is needed to ensure that an authentic person is in front of the camera, and not a photo, video, or someone wearing a silicone mask.”
Imprivata outlines framework for passwordless maturity
Acknowledging the impracticality of trying to go cold turkey on passwords, Imprivata has developed a framework that denotes stages of maturity on the journey to fully password-free authentication, from Level 0 (“Passwords everywhere”) to Level 4 (“Passwords no longer exist in any systems”). Most healthcare organizations, says the paper, are at Level 1: tap-and-go has reduced password use, but reliance on passwords still means a phishable attack surface.
Yet the transition requires a surgeon’s gentle touch and precision. “Change management while rolling out passwordless with frequent input from stakeholders – especially clinicians – is key to success.”
Imprivata now a sponsor member of FIDO Alliance
No group loves passwordless authentication more than the FIDO Alliance, so it tracks that Imprivata has sought and obtained membership in FIDO. In a press release, Andrew Shikiar, executive director and CEO of the FIDO Alliance, says Imprivata’s expertise in healthcare and other mission-critical industries will support FIDO’s mission to “advance a global commitment to open industry standards for strong authentication.”