Authenticate Virtual Summit Recap: Modernizing Healthcare with Strong Authentication

By: FIDO Alliance Staff

Few if any industries are as critical as healthcare where literal life and death decisions hang in the balance.

At the Authenticate Virtual Summit: Modernizing Healthcare with Strong Authentication broadcast on June 16, experts outlined how FIDO can fit into healthcare to improve user experience and help secure provider authentication approaches.

Megan Shamas, senior director of marketing at FIDO Alliance, started the event by noting that healthcare is one of the most targeted industries with phishing and ransomware being highly prevalent and highly successful. She noted that passwords are not fit for purpose in healthcare and can be phished by attackers.

Looking at the FIDO imperative for healthcare, Shamas said that FIDO-based technology can help with secure login for patients, as well as supporting authentication in complex medical environments. For example, if a medical professional is wearing gloves, FIDO-based technology can also support local PIN, face recognition or FIDO security keys. She added that FIDO authentication also helps healthcare organizations to comply with regulatory and privacy requirements.

“Our goal at the FIDO Alliance from day-one was to transform the market away from a dependence on centrally stored shared secrets and knowledge based authentication to a model that is possession based and uses public key cryptography,” Shamas said. “It allows consumers, patients and employees to authenticate through devices that they literally have at their fingertips, every single day and it’s just simpler and it’s stronger.”

FIDO Reduces Friction, Complies with eIDAS

Rolf Lindemann, VP of Product at Nok Nok Labs, noted that IT should help to simplify healthcare operations and not contribute additional friction for practitioners and patients.

“Patients want assurance that their sensitive health data cannot be stolen,” Lindemann said.

Lindemann said that health insurance cards are widely used in Europe but are not practical to use as an authentication mechanism on mobile devices. Additionally,  he noted that in Europe, the eIDAS (electronic IDentification, Authentication and trust Services) identification standard needs to be complied with by providers.

“Passwords are insecure, and legacy two- factor methods like OTPs (one time passwords) are inconvenient, and they still don’t protect against phishing,” Lindermann said.

That’s where he sees FIDO as fitting in, providing a strong authentication approach that can help healthcare providers to secure user access as well as being compliant with regulations like eIDAS.

Abbie Barbir, FIDO board member and co-founder of ADIA, detailed security challenges of passwords in his session at Authenticate.  

“Passwords are shared secrets and shared secrets can be stolen, copied, used and shared, and as such passwords are a security risk,” Barbir said. “They should not be relied upon if you really need to secure your accounts and your users, ideally, the best way going forward is to actually not use passwords.”

In Barbir’s view, good risk-based authentication introduces friction for hackers and is transparent to the end user.

Timy Kim, senior solutions engineer at Daon, commented that due to the increase of online services rendering different modalities of care, hackers and fraudsters will look for a weak point to penetrate. The weak point more often than not is a password that can easily be phished.

“Patient authentication can be your face, finger, or even your voice,” Kim said. “This will save you from needing to remember lengthy or complex passwords, which sometimes become a frustration point when trying to access your patient portal.”

Healthcare Organizations detail FIDO Uses

Merck KGaA, Darmstadt is a Germany-based science and technology conglomerate with operations across multiple sectors including healthcare.

Andreas Pellengahr, Head of IAM at Merck Merck KGaA, Darmstadt, Germany, said that his organization has approximately 80,000 users that need secure access. To help enable that, Merck relies on FIDO authentication.

Pellengahr said that they could not use a SaaS service to enable FIDO as the company needs to control its own authentication and credentials. Dennis Kniep, domain architect of IAM at Merck KGaA, Darmstadt, Germany,  explained that the core of the authentication infrastructure is a locally-hosted open source FIDO server.

Kniep noted that the authentication service is certified by the FIDO Alliance, which ensures interoperability with other FIDO products. 

“We are running multiple servers in a cluster, which are hosted across different data centers,” Kniep explained. “The responsibility of the FIDO server is to securely store the registered FIDO credentials in our self hosted environment, so that we really have full control over these credentials.”

The United Kingdom’s National Health Service (NHS) is also using FIDO authentication to help secure its users. 

Priyanka Mittal, senior technical architect at NHS Digital, explained that the NHS Login service is an authentication and identity verification service, which enables people to access healthcare apps and websites securely. She noted that over the last 18 months, NHS has seen a dramatic increase in its user base for NHS Login, which now supports 25 million users. The NHS App is a mobile application that brings a variety of healthcare services to users and also provides COVID-19 passport functionality.

Sean Devlin, tech lead for NHS App, explained that his organization’s journey to FIDO began two years ago. NHS required that users have two factor authentication for every login, but that approach introduced some friction and there was a desire to make the process more seamless. That’s why the NHS started to look at passwordless approaches, and settled on FIDO.

NHS Digital decided to build its own FIDO server and client, based on existing open source projects from eBay, which is also a large FIDO user. Devlin explained that his group converted the eBay open source FIDO server to the Python programming language and implemented a serverless approach to run on the AWS Lambda service.

The overall approach for the NHS App of enabling FIDO has helped to save the NHS a good deal of money as well.

“11 million users that have registered with NHS logon have also registered a FIDO device and  that sort of equates to about 500,000 FIDO logins per day,” Devlin said.

Devlin noted that the NHS was paying 1.6 pence per text message to send out two factor authentication code on 500,000 logins per day. 

“That equates to about 8,000 Pound Sterling, that we are saving on SMS by using FIDO,” Devlin said.

Modernizing Healthcare Identity and Authentication Regulations

The regulatory environment around healthcare has been evolving in recent years. 

Among the most impactful, yet least well known regulations is the 21st Century Cures Act which mandated the implementation of application programming interfaces (APIs) in healthcare. In a panel session, Jeremy Grant, managing director of technology business strategy at Venable; Christine Owen, director at Guidehouse, and Ryan Howells, principal at Leavitt Partners, discussed the impact of healthcare regulations and where FIDO fits in.

Howells explained that his organization helped to create the CARIN Alliance which aims to improve the state of identity and authentication in healthcare. Using APIs to help connect information, as mandated by the 21st Century Cures Act, also requires authentication.

“Approximately 84% of all the major health plans in the country have actually implemented an API based architecture now,” Howells said. “They’re all asking very similar questions that we’re asking other industries, which is how do you identify and authenticate an individual securely across systems.”

That’s an area where FIDO fits in.

Owen said that adding FIDO is an obvious choice for healthcare providers and plans that want to make sure that there is a strong credential behind users.

“The reason why FIDO is really important is because it helps healthcare organizations to meet HIPAA and other regulatory requirements,” she said. “FIDO in my mind equates to frictionless authentication, so the user has less to do to be able to show a very strong credential and because of that, it’s actually perfect for healthcare.”

To engage with the FIDO Alliance on FIDO authentication for healthcare, visit www.fidoalliance.org or get in touch at [email protected]. 

The next Authenticate event will be the flagship conference, Authenticate 2022, being held in Seattle, WA and virtually on October 17-19. For more details or to register, visit www.authenticatecon.com.