To Protect Personal Health Information, Passwords Are Not Enough

The drumbeat for stronger account authentication has been swelling over the past few years, and the death of the lowly password is near, if you do not consider it to have arrived already. The highly visible compromises of online accounts in recent history have set off a new round of discussion among security experts about two-factor authentication.

This type of authentication requires two distinct kinds of evidence before access is granted to a website or online service. The evidence is usually a combination of something the user knows (a passphrase or PIN) and a physical item the user possesses, such as a smart card, an RSA SecurID token, or a smartphone running an app that generates one-time codes. Biometrics belong to a third category, something you are. In short, two-factor authentication is something you know plus something you have, so an attacker who has guessed or stolen the password still cannot log in without the second factor.

Many online service providers, including Microsoft, Google, Dropbox, Amazon Web Services, and Apple, offer two-factor authentication. Some, such as Google, Microsoft, MasterCard and Visa, have gone further and joined the Fast IDentity Online (FIDO) Alliance, which is developing alternatives to the password for verifying user identity.

Simply put, passwords have become passé. And while we wait for industry leaders like Google to deliver better identity management, those of us who work with personal health information have to remain especially vigilant. To put this in context, a Verizon report on data breaches found that nearly 75% of intrusions stemmed from exploited log-in credentials, presumably weak or stolen passwords.

The case for two-factor authentication is not a slam dunk, but it does improve security. It is not the answer to every computer crime, but for now it does stop most attempts by someone else to pretend to be you; the caveat is that a one-time code typed into a convincing phishing page can be relayed to the real site, so a second factor is no excuse to stop checking where you are logging in. Two-factor is also only one part of the equation: it protects the path to the sensitive data. Locking down the data itself is the second part, a burden that falls on the online service providers, and one that most of them carry (we hope).

As Omada Health’s Director of Security, I have encouraged everyone on staff to protect all accounts — business and personal — with two-factor authentication to help keep sensitive data out of the wrong hands. You’d be wise to do the same.

Some links to get you started: Google Apps, Dropbox, Evernote, LinkedIn, Twitter