Improving Authentication for Online Services


As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and thus risk that someone will heist their credentials to log into their online account.


The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and thus risk that someone will heist their credentials to log into their online account.

First, it’s important to understand why the FFIEC issued the new guidance. They make that very clear: current authentication strategies are not working. The FFIEC cites the loss of “hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers” based on the government’s IC3 Annual Internet Crime Reports. With our extensive experience in the financial services industry we can vouch for the losses incurred by the industry due to online account takeovers.

The FFIEC guidance essentially breaks down to three primary recommendations or activities:

1. Periodic risk assessments (“prior to implementing new electronic financial services, or at least every twelve months”)
2. Layered security
3. Customer awareness and education

In the FFIEC’s press release (July 28, 2011), it states that regulatory examiners will be focused on this issue starting next year: “The FFIEC member agencies [FDIC, NCUA, OCC, OTS] will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012”.

This means that banking industry players should expect to present to examiners that they’ve taken some action in this regard by the time of their 2012 regulatory examinations. While healthcare organizations are not regulated by the FFIEC member agencies, this guidance provides a practical approach to managing risk in an increasingly risky online environment.

We strongly urge any organization that requires user authentication for sensitive online transactions to evaluate the guidance, “Authentication in an Internet Banking Environment”, and ensure that your controls are evolving commensurate with the nature of the online transactions you provide your customers as well as the evolving nature of the risk.

Furthermore, because so many banks and healthcare organizations (both providers and payers) are relying on third-party software for their online services, we recommend that you push your vendors for better controls. While some of the smaller upstarts (such as online banking service providers and new EMR vendors) are agile and aggressively pushing new controls for differentiation, some of the more established players can be slower to react to the dynamic nature of security threats. Given how difficult it can be to move to a new system, there is not always much leverage for service providers to aggressively improve their offerings. Nonetheless, I urge both banks and healthcare organizations to push hard for improved controls.

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM