Modern Authentication: Scott Clements, VASCO’s President and Chief Operating Officer, explains how the NHS can achieve the Balance between Security and Ease

Scott Clements

Under the watchful eyes of regulators and, more alarmingly, cybercriminals, healthcare providers are trying to make their databases easier to access and share. One of the first elements to take into account is authentication. Effective authentication is not only the first line of defence against unauthorised access; it can also be a cushion that softens the fall after a breach has occurred.

Logic would dictate that healthcare providers prioritise sharing medical information with patients and among themselves in order to expedite treatment. It would also serve the need General Practitioners have to access patient files wherever they are. Things are not that simple, however. Medical data is among the most regulated there is, and for good reason. In the wrong hands, records can be misused to acquire equipment and medicine at the expense of patients, who then risk suffering the full fallout of identity theft.

Platform and location agnostic

This makes security a top priority for providers, who would rather err on the side of caution. As a consequence, easy access to data, even by those who are fully entitled to it, is not a given. The need for that access, however, is very real. Like other professionals, doctors are more mobile than they were in the past. They are expected to perform the same duties regardless of location, whether at their General Practitioner Centre, at home or on house calls. And since GP practices differ in their IT environments in terms of platform, size and support, it is important that any solution for centralised data stores is platform independent and does not require additional installs.

Single Factor Authentication Won’t Cut It

One very important element of such a solution is the identification and authentication process. A simple username and password or PIN will not suffice, as prominent data breaches in recent years have made painfully clear.

It has been known for much longer that single-factor authentication simply is not secure enough. Not only does it grant full access to anyone who knows the passphrase or PIN, but most users do not habitually choose strong passwords, making them easier for others to guess.

Healthcare providers are therefore increasingly using solutions that require periodic identity verification. Two-factor authentication, where an additional code is sent to a token after the password or PIN has been submitted, goes a long way, as physical access to a specific device is needed. It also meets healthcare providers' requirement to be mobile: they can still access the database from any location, as long as they bring their token with them. Such security renders the simple theft of IDs and passwords or PINs useless to criminals, who are usually located in another country and have no means of stealing a specific token as well.

Strict but Easy to Use

Looking overseas for examples, one such solution is offered by specialist Dutch IT service provider Promedico ICT Ltd. It uses a multi-factor identification and authorisation system by VASCO and has included it in its Promedico ASP solution. “Our security policy regarding Promedico ASP is very strict,” says Robert Verhagen, Operations Manager at Promedico. “It consists of three steps: authentication, non-repudiation and confidentiality. In order to comply with all three steps, Promedico has built a close administrative procedure.”

In order to register, GPs need to present a valid medical ID to receive a DIGIPASS 260 authentication device. To access the central database, the doctor enters a PIN into the DIGIPASS device, after which a code is shown. During the session, identity is verified continuously, while the connection is encrypted to thwart any eavesdroppers. The result is security with multiple layers: a username and password for the application, physical possession of the right DIGIPASS device, and knowledge of the PIN for the DIGIPASS. That way, Promedico has managed to cater to all of its customers' demands: easy and quick but airtight access to the medical database, independent of the GP's location. The healthcare providers are also fully compliant with the strict rules and regulations set by national governments.
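As an added illustration, not Promedico's or VASCO's code, the Python below sketches the layered check described above: the PIN is verified on the device and never reaches the server, while the server checks the password and one-time code together and only advances its counter on success, so a captured code cannot be replayed. The page does not describe the DIGIPASS algorithm, so a standard event-based OTP (HOTP, RFC 4226) stands in for it; the usernames, PIN and shared secret are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample secret; in practice it is provisioned into the device at enrolment.
SAMPLE_SECRET = b"constructed-shared-secret-for-demo"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    """Stand-in for the PIN-protected device: the PIN is checked locally and never sent."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0
    def generate(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None            # wrong PIN: the device shows no code
        self.counter += 1          # each press consumes one counter value
        return hotp(self._secret, self.counter)

class AuthServer:
    """Server side: password (knowledge) plus OTP (possession), evaluated together."""
    def __init__(self):
        self.users = {}
    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, username: str, password: str, secret: bytes):
        salt = hashlib.sha256(username.encode()).digest()   # constructed per-user salt
        self.users[username] = {"salt": salt, "pw": self._pw_hash(password, salt),
                                "secret": secret, "counter": 0}
    def login(self, username: str, password: str, code: str, window: int = 5) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(self._pw_hash(password, user["salt"]), user["pw"])
        # The look-ahead window resyncs a device whose codes were generated but never used;
        # the stored counter only moves forward, so an intercepted code cannot be reused.
        matched = next((c for c in range(user["counter"] + 1, user["counter"] + 1 + window)
                        if hmac.compare_digest(hotp(user["secret"], c), code)), None)
        if not (pw_ok and matched is not None):
            return False           # one failure result: no hint about which factor was wrong
        user["counter"] = matched
        return True
```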

Six Healthcare Applications that Need Authentication

The need for strong authentication reaches much further than the exchange of information between GPs and other providers, though. The Information Security Media Group and VASCO have identified six areas in healthcare IT for which strong authentication practices are vital. Applications for Electronic Health Records (EHR), the category in which the Promedico example falls, are just one of those. A second category is applications for e-prescriptions, which are used to administer and track prescriptions in a paperless environment. Relatively simple employee portal applications also need strong authentication, as they can give indirect access to medical files as well. The fourth type is patient portal applications, which serve as a way to communicate with patients and offer them a way to access their own files. It is, of course, of utmost importance that this access is restricted to just their own files.

The fifth type of application that needs strong authentication is medical mobile apps, of which more and more are appearing at hospitals and GP Centres. And finally, there is the network infrastructure of hospitals themselves.

When asked off the bat, professionals will always acknowledge the need for strong authentication. This realisation is even stronger among medical professionals, who need to comply with strict regulations. However, because of the perception that strong authentication places a burden on usability and causes general hassle, even healthcare professionals will either access and share data in an insecure way, or not access and share it at all. It is less well known that modern applications offer a balance between both needs, ensuring that doctors can get on with their work while patients get prompt treatment without facing bureaucratic speed bumps.