The Imperative Need for Biometric Multi-Factor Medical Device Authentication

The need to move toward multi-factor biometric authentication of the authorized user has become a desired requirement for the DOD (Department of Defense) and healthcare. It just makes sense.

Passwords and the current “use model”

To date, the way folks authenticate to their mobile device is pretty much defined to a user name and password.

Passwords simply are not safe. Many on-line tools are available to break them...easily and quickly. Just witness all of our security breaches across the enterprise at all levels in many vertical markets! However, the most obvious problem is that users use the least resistant method; that is easy to remember passwords and they are the often the same; without any two step authentication.

To make things easier…which adds to more risk is some users store passwords in the cloud or store a fingerprint which may be on your phone (for two step). The problem is magnified if someone breaks into the cloud to steal your passwords: (which has happened several times to cloud based password storage solutions) or worse yet they steal your phone with your fingerprint. You are then compromised forever / For instance they now have your biometric! Or even without your biometrics; they steal your phone. next step then they get your password and now also have your two step authentication process.

Consumer mobile "smart devices and tablets devices" simply were not designed to be “enterprise security devices”, they were designed to provide a great consumer “experience”!

To prove this example, just try to use your “smart phone” with the WLAN radio on while roaming in an enterprise WLAN. It will fail in a miserable fashion. Why? …because the radio is low cost and was designed to be used in a “hot-spot” environment. It was not designed to work in a highly mobile WLAN environment where you need robust roaming to ensure a persistent and secure WPA-2 enterprise supplicant connection.

Medical Devices and Passwords

Passwords simply were not designed for (high security) and are not used to authenticate the right user to the right device. How do you know that this is the right person who has the authorized use? In fact through an available web site, you actually can obtain passwords for most of the CT and MRI scanners on the market. So in the case of secure authentication of the authorized user to the networked medical device this has become pretty much an afterthought. Passwords are often just used for maintenance requirements.
Even when the BCMA (Bar Code Medication Application) was introduced over 15 years ago, clinicians still found “work arounds” This pretty much negated the whole issue of validating the five rights.

See the latest Bloomberg article which should open a lot of eyes!

Could not now these "networked medical devices" also become the back door to our enterprise networks? This was the concept that pretty much happened at a large retail chain...the simple HVAC network became the back door to the internal networks.

http://www.bloomberg.com/features/2015-hospital-hack

Why has not multi-factor biometric authentication widely been adopted?

1. It is simply because current legacy “smart cards/chip and pin” were never designed to provide this. The use in this case for two step biometric authentication to work requires the change out/add of proprietary infrastructure readers and lot’s of expensive technology to put into place, like finger print readers, and other scanners/cameras that are extremely cumbersome to implement and use. (As a side, do you really want YOUR biometrics stored on someone else's server that they are supposed to be in control of?) Yes, while we are now finally getting “chip and pin” cards here in the United States we are way behind...a patch to the magnetic stripe. It is what Europe has been using for thirty years.

2. The proliferation of mobile phones, the adoption of Low Power Bluetooth, NFC, has become the way we live today. Trying to adapt legacy “chip and pin” technology to the now accepted modern technology is a challenge. How will this impact or not impact work flow for any type of biometric authentication to really work?

3. See the latest article on why the Federal Government has not adopted multi-factor authentication.

Download Federal agencies slow to adopt two factor authentication, says White House annual report | Biometric

It is felt that changing the game is the only way for “multi-factor biometric authentication with the highest degree of security to work. Put your biometrics close to you and secure. Don't put your passwords in the cloud which be be broken into because you cannot remember them; or put your finger print on a non-secure smart phone that somebody can steal.

What is an available option to finally allow for secure multi-factor biometric authentication in our new mobile world?

Use the existing technology like fingerprint readers on mobile devices, camera/voice capabilities on mobile devices and then provide match on match multi-factor biometric identification. Your biometrics will then be stored on a multi-layered highly secure enterprise grade "computer on a card" that you have and are in control of. This will allow a new level of security to finally take off. www.blustor.co

Why has not somebody gone down this direction before....read the book. "The Innovators Dilemma"

http://www.businessweek.com/chapter/christensen.htm

CyberSecurity Protection in the Healthcare Enterprise in 2015 moving forward needs to be Multi-Layered End to End.

We have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot provide the adequate evidence required for authentication.

One of the most popular and trusted methods for strong authentication has been the use of one-time passwords (OTPs) in the form of tokens. While OTP tokens are used to deter attackers due to the need for real-time data from the potential victim, today’s malware is specifically designed to circumvent this security measure.

Two-factor authentication (2FA) is based on the assumption that two of the three factors of authentication are used (something you know, something you have and something you are), tokens no longer qualify as “something you have.” The moment a user looks at a token’s randomly generated number, it becomes something he knows. While this new password does have a short time to live, it is still just another password in the user’s possession. Extracting passwords from an end user with infected with malware is not a difficult task.

Targeting OTPs is nothing new. Today’s cybercriminal has a long list of tools that can be used to extract everything from passwords to secret questions, token-generated passwords and even device ID data.

Cybercriminals regularly defeat SMS passwords, emulate users’ online behavior and even outsmart combinations of smart cards, passwords and unique card readers.

Phishing attacks dating back to 2008 used OTP-stealing mechanisms by asking victims repeatedly for their token-generated password. The criminal simply monitored his command-and-control server and attempted to use these credentials as they were stolen and sent to his server in real time.

When malware became cybercriminals’ main tool, malware designers and users approached the OTP issue through social engineering and HTML injection. From login page OTP stealers to SMS OTPs, everyone — at the enterprise level in all vertical markets — was targeted.

So Where Is Authentication Heading?
New authentication solutions are taking a much wider view and approach to the problem than 2FA. We are moving away from relying on passwords and secrets that the user holds to the correlation of multiple events and elements to decisively understand whether the session, device and user are who they claim to be.

While passwords will not die anytime soon security experts today correlate multiple fraud indicators to better understand an incoming authentication event. These indicators include multiple data elements and decisions such as the following:

• Is the authenticating device or enterprise infected with malware...this is the first step?
• How do you know or not know?

A deception-based cyber security defense should enable the enterprise to meet and defeat the threats of advanced persistent threats (APTs), zero day events and other sophisticated malware. There should be the ability to automate the deployment of a network of camouflaged malware traps that are intermingled with your real information technology resources. These traps should appear identical in every way to your real IT assets. Once attackers have slipped past some of IDS (Intrusion Detection Systems), they move laterally to find high value targets. Real-time automation should isolate malware and deliver a comprehensive assessment.

Download White_Paper_TrapX_BOD_Series

• Is the user authenticating onto the device or network actually the person who is authorized?

Our convenience of the mobile world has opened up doors to more opportunities for the cybercriminals to gather what they need to do. Understand the following:

- Consumer devices are not enterprise edge devices and were designed for convenience; however we now have ability because of convenience to store your passwords and biometrics on the device.

- Remembering passwords or multiple combinations tends to be a pain, so for convenience there are now solutions to store passwords in the cloud?

What if someone stole your smart phone with your passwords and biometrics on this device and or was able to hack into your cloud based password storage solution?

We believe multi-factor biometric authentication of the user that is authorized to use the specific medical device, clinical systems, drug delivery, and or day to day physical access is the future for the Healthcare Enterprise.

Download Blustor-white-paper

www.blustor.co