Patient data are better protected with MFA

Posted May 17, 2019 | In The Press

inWebo presents an article from the Ärzte Zeitung: “When sensitive health data is exchanged over the Internet, protecting access and transfers is paramount. Security experts recommend two-factor authentication for this.”

By Hannes Rügheimer

NEU-ISENBURG. The digitization of the healthcare system is accompanied by the concern that sensitive data could fall into the wrong hands. Recently there have been many examples of how vulnerable IT systems are to cyber-attacks. Earlier this year it became known that lists of more than two billion known passwords are traded in the dark corners of the Internet, the darknet.

At the end of 2018, hackers at a Chaos Computer Club congress documented a variety of vulnerabilities in various e-health services already on the market.

Data protection experts such as Christoph Rösseler, spokesman for the security software provider G-Data, point out that classic passwords or PINs do not provide sufficient data protection: “In order to reliably protect online access, a two-factor authentication system should be used urgently.”

Two factors for more security

This concept requires two security factors instead of just one, such as a password. The principle has long been in use, for example in online banking, where a transfer requires, in addition to the personal identification number (PIN), a transaction number (TAN) generated by a code generator.

Company employees likewise need a code generator, a so-called token, in addition to their credentials for remote access to the company network.

“It is important that the two factors have different properties. For example, the combination of knowledge and possession: the user knows his access data, and he has a token,” says expert Rösseler. An attacker could spy out the credentials, but gaining unauthorized access is much harder, because he would also have to capture the second factor.

In a slightly modified form, the second factor can also be a smartphone, on which an app confirms the PC login via an independent channel. The Federal Ministry of Health explicitly requires two-factor authentication or “alternative secure authentication” in its requirements for a virtual electronic health card.

Health insurances pair accounts

The health app Vivy offered jointly by DAK, Allianz, Barmenia and other health insurances also relies on this principle. Here, the user account is linked to the smartphone used in addition to a password. The authentication takes place via SMS and is the basis for the encryption between patient and doctor’s office.

The German Society for Medical Informatics, Biometry and Epidemiology (GMDS), in its work on data protection and IT security in health care, advocates two-factor authentication whenever an increased level of security is required to protect sensitive health data.

Two-factor authentication significantly enhances security, says Olivier Perroquin, managing director of inWebo, a French provider of security technology. “However, many digital services still shy away from the consistent implementation of this principle.” If the code generator, smartphone or token is not at hand, logging in is not possible.

In addition, some companies simply do not want to burden private customers with the complicated handling of such login processes. inWebo has therefore developed a middle ground. The solution dispenses with an additional device, but achieves a comparable level of protection by providing two different security factors via the user’s web browser.

Better protection in the web browser

For this purpose, the user logs in to the service on his usual computer with the credentials sent by the provider. The registration can even be done anonymously: the user then receives only an identification number and does not have to provide a name or any other personal data.

Only on the other side, for example in the doctor’s office or clinic, is the ID linked to personal data. The communication partner does not need to operate any special systems for encryption and authentication, however; inWebo runs the necessary infrastructure on its own premises. The company uses security hardware developed by the Aachen company Utimaco.

Their chief strategy officer, Malte Pollmann, explains: “Although there are no special devices required by users and service providers, the verification still takes place with certified high-security hardware security modules, such as those used in the banking environment.”

To authorize exactly this browser on this PC for future logins, the system deposits encrypted codes, in technical language a “browser token”, in the user’s web browser. “Factor 1 for the authentication is then the registered browser on the registered device. Factor 2 is the classic credentials of username and password or PIN,” explains Perroquin.
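The following is an added illustration, not inWebo’s product code, of the principle described above and in Rösseler’s earlier remark: a knowledge factor (password) combined with a possession factor bound to a registered browser. The token format, the in-memory server store, the PBKDF2 parameters and the HMAC challenge-response exchange are all assumptions chosen for the example; the point it demonstrates is that a spied-out password alone, a copied token alone, or a replayed login response each fail verification.

```python
"""Added illustration of a two-factor login that combines a knowledge factor
(password) with a possession factor bound to a registered browser or device.
This is not inWebo's product code: the token format, the server-side store and
the HMAC challenge-response are assumptions chosen to show the principle."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory server store: username -> password record + device tokens
_USERS: dict = {}
# Challenges the server has issued but not yet consumed (one-time use)
_PENDING_CHALLENGES: set = set()


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 for the knowledge factor; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt,
                        "pw_hash": _hash_password(password, salt),
                        "devices": {}}


def register_device(username: str, device_id: str) -> bytes:
    """Enrol a browser/device for a user. The returned secret is what the client
    keeps in browser storage (the article's 'browser token'); the server keeps a
    copy so it can verify challenge responses later."""
    token = secrets.token_bytes(32)
    _USERS[username]["devices"][device_id] = token
    return token


def issue_challenge() -> bytes:
    """Server side: fresh random nonce, remembered so it can be used only once."""
    challenge = secrets.token_bytes(16)
    _PENDING_CHALLENGES.add(challenge)
    return challenge


def sign_challenge(token: bytes, challenge: bytes) -> bytes:
    """Client side: the registered browser proves possession of its token
    without ever sending the token itself over the wire."""
    return hmac.new(token, challenge, "sha256").digest()


def login(username: str, password: str, device_id: str,
          challenge: bytes, response: bytes) -> bool:
    """Both factors must verify; a stolen password or a stolen token alone fails."""
    if challenge not in _PENDING_CHALLENGES:
        return False                      # unknown or replayed challenge
    _PENDING_CHALLENGES.discard(challenge)
    user = _USERS.get(username)
    if user is None:
        return False
    knowledge_ok = hmac.compare_digest(
        _hash_password(password, user["salt"]), user["pw_hash"])
    token = user["devices"].get(device_id)
    possession_ok = token is not None and hmac.compare_digest(
        sign_challenge(token, challenge), response)
    return knowledge_ok and possession_ok


def demo() -> dict:
    """Walk through the scenarios from the article with constructed values."""
    create_user("patient42", "correct horse battery staple")
    token = register_device("patient42", "home-laptop-firefox")

    # 1. Legitimate login: right password from the registered browser
    ch = issue_challenge()
    ok = login("patient42", "correct horse battery staple",
               "home-laptop-firefox", ch, sign_challenge(token, ch))

    # 2. Spied-out password used from an unregistered browser (no token)
    ch = issue_challenge()
    pw_only = login("patient42", "correct horse battery staple",
                    "attacker-browser", ch, sign_challenge(b"guess", ch))

    # 3. Copied browser token but wrong password
    ch = issue_challenge()
    token_only = login("patient42", "wrong password",
                       "home-laptop-firefox", ch, sign_challenge(token, ch))

    # 4. Valid response captured earlier and replayed: challenge already consumed
    ch = issue_challenge()
    resp = sign_challenge(token, ch)
    first = login("patient42", "correct horse battery staple",
                  "home-laptop-firefox", ch, resp)
    replay = login("patient42", "correct horse battery staple",
                   "home-laptop-firefox", ch, resp)

    return {"both_factors": ok, "password_only": pw_only,
            "token_only": token_only, "first_use": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The challenge-response step is the part that matters for the “manipulated website” case mentioned later in the article: the browser never transmits its stored token, only an HMAC over a server-issued nonce, and the server consumes each nonce once, so a captured response cannot be replayed.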

A major international insurance group has already opted for this solution to secure its new online consultation platform. “Because it is part of this company’s security concept to give no insight into the protection technology used, we unfortunately may not name it,” adds Carlos Pinilla, sales manager at inWebo.

inWebo: BSI certification pending

“But the French security authority ANSSI has already certified our solution, the German BSI will also recognize it in the course of this year. We hold several patents for our process.”

The solution is as convenient for users as a simple login. At the same time, it offers reliable protection against attacks such as phishing (emails with malicious programs) or manipulated websites (“HTML injection”). And it can be used without installation on PCs, tablets and smartphones alike.

The examples show how two-factor authentication solutions can raise the security level of IT systems. The principle is not the only measure that can prevent unauthorized access to sensitive data, but it can be an important building block.

Source: Ärzte Zeitung [translated]

Written by Caroline Fray