Security and adoption of online health record access

25% of Patients Did Not Access Data Over Patient Privacy Concerns (Health IT Security)

“Using National Cancer Institute survey data, the study found that 52 percent of US citizens were offered access to an online medical record by a healthcare provider or insurer in 2017, up from 42 percent in 2014. Of those who were offered access, 53 percent viewed their records at least once in the past year.

However, of the individuals offered access to an online medical record, one-quarter did not access that information because of privacy/security concerns.”

So, is it fair to imply that up to 25% more patients would access their online health record if they were more confident in the security of their access to it?

More baseball stadium biometrics…

Yankees announce improved security and entrance measures for fans (Crain’s) — Yankee Stadium visitors soon will be able to avoid long security lines by registering their fingerprints with a biometric identity service used at 12 U.S. airports.

In another deployment the St. Louis Cardinals (baseball’s second-most successful franchise in history) have installed iris biometrics for player and staff access control in more secure locations.

Windows 10 and biometrics

Microsoft Announces FIDO Support For Windows 10 (The Verge)

Soon, you may be able to log in to Outlook with a fingerprint or an eyescan. At the Stanford Cybersecurity Summit on Friday, Microsoft announced that Windows 10 would support the next version of the Fast Identification Online (FIDO) spec, allowing devices to work with a wealth of third-party biometric readers and providing an easy framework for any hardware makers that want to build extra security into a laptop or phone.

Biometrics for secure medical records access

NSTIC pilot uses biometrics to bring identity management to seniors (Fierce Government IT)

Members of AARP, a nonprofit group that serves adults 50 years or older, are testing technology to help them better manage their digital identities in a simple, but more secure way using biometrics. It’s just one of 15 federally funded pilots that was recently highlighted by the National Institute of Standards and Technology.

Access control upstages video surveillance

The Press Release for this Memoori market research study contains a lot of great information…

This steady consistent growth since 2011 has been driven by a combination of factors including strong growth in IP Video Networking and IP Access Control products, buoyant markets in Asia and North America and higher levels of penetration in vertical markets such as transport, retail, health and education.

ACCESS CONTROL MOVES TO IP AND DELIVERS CUSTOMER VALUE PROPOSITIONS

Access Control, for so long the poor relative of Video Surveillance, has this year come out of the shadows and upstaged it by delivering a higher growth rate and we forecast that it will continue to increase its growth rate over the next 5 years.
This will be achieved by moving to IP Technology and integrating Access Control with Identity Management. There can be no doubt about the business case for integrating these services. Identity Management for the purpose of Access Control has given rise to a number of major acquisitions in the last 5 years. September 2010 saw a flurry of activity with the purchase of L-1 Identity Solutions by Safran for $1.1 billion, 3M’s purchase of Cogent Systems for $430m, and the merger of AuthenTec and UPEK. In 2014 whilst the number of deals declined, this group accounted for 19.2% of the total number of acquisitions and 5.6% of the total value.

Access control through a standard card reader system is a weakness particularly at a time when risk of corporate theft, malicious damage to staff and property and terrorism has increased. The need for a more secure system incorporating biometric devices to authenticate identity and manage the process is becoming a standard requirement for new systems in high security areas.

Physical Identity and Access Management (PIAM) is also a service that promises to deliver further growth opportunities. It enables common policy, workflow, approval, compliance automation and life cycle management of the identity / badge holder (employee, contractor, visitor, temps) across disparate physical security systems. The key benefit from PIAM solutions is operational cost reductions that can be delivered through this platform providing a bridge between the disparate systems, without stripping out and starting again. PIAM has so far failed to attract the mainstream PACS business.
There is a steady stream of alliances and partnerships between PIAM Software companies & PACS companies but so far we have not identified any mergers and acquisitions. Information on the business is pretty sparse and most “best estimates” on the market size range around $150 million. This, if accurate, is quite small considering that virtually all Fortune’s Top 500 companies must have installed one.

IMPROVED PERFORMANCE, ROI & REDUCED TCO

Now has to be the time to dig even deeper and for manufacturers to increase their efforts to align the motivation of security buyers to invest in better performing systems through educating and training both themselves and those in the distribution channel in order to drive out all the benefits.

Whilst technology has been the enabler of change, the driver and motivator is now clearly to channel this to deliver products and services that increase productivity and provide a better ROI and reduce the TCO. This is gradually changing the buyers’ culture from believing that physical security is a pure cost centre to a profit centre.

Security, sadly, is still regarded by most end users as a cost center and as such has been towards the end of the food chain for capital investment. This can be crucial when budget reductions are on the agenda. However a gradual change in attitude by buyers is taking place. Specifically that security can be a cost saver when reducing shrinkage (retail) and that when integrated with other services it can increase productivity in the business enterprise and therefore reduce operational costs. This has been made possible through IP convergence and in some vertical markets such as retail there is a growing belief that IP Video Surveillance should be treated as a profit centre.
This has had a major impact on increasing the value-add on security projects. The market has not been slow to see the opportunities and changing requirements for more converged and integrated solutions. In order for companies to deliver such systems many have decided that it is necessary to acquire, merge or form alliances and partnerships with other suppliers. In order to maximize the opportunities of delivering on ROI it is vital for suppliers to have specialist knowledge and experience in vertical markets. But equally important is to have the networking skills to join all the vertical and horizontal layers of product together with the analytical software and interface with the other building services software and finally join them to the business enterprise. Video Surveillance is already en route to establishing an important role in the Building Internet of Things (BIoT) and the wider IoT.

 

Financial account security and biometric modalities

The 5 Best Ways to Protect Your Financial Data From Crooks (The Street)

“It’s premature to declare fingerprints the winner,” said Gil Mermelstein, a managing director with technology-focused consulting firm West Monroe Partners.

The lowest-hanging fruit would seem to be protecting customer information databases with biometric access control systems. Passwords, however complex, aren’t enough protection against the huge data losses making the news lately.

This article discusses account-level (rather than database-level) security and which type of biometric might work best.

Protecting customer data

After Massive Data Breaches, Businesses Move to Make ID More Personal (ABC News)

The cost of a data breach is terrifyingly high. Home Depot estimates that the massive data breach that affected 56 million customers this summer will cost the company several hundred million dollars—and that’s the figure they are using to assuage fears on the Street. The reality is probably much higher. Target’s breach may top out at the $1 billion mark. While the jury hasn’t even been empanelled as to what the JPMorgan breach will cost, it will leave a mark that will no doubt make news down the line.

With so much to lose, the implementation of biometrics-based consumer authentication may be the cheaper option for companies that handle the kinds of information hackers find so irresistible.

We’ve been saying it for years. All databases containing sensitive customer information should be biometrically protected. It’s just good business.

US: Iris and government ID

Who Are You? NIST Biometric Publication Provides Two New Ways to Tell Quickly (NIST)

A PIV card is a government-issued smart card used by federal employees and contractors to access government facilities and computer networks. The PIV card carries a photo, fingerprint information, personal identification number (PIN) and a cryptographic credential–random computer-generated data that are recognized only by the PIV card–all of which serve to bind the card to the card holder.

To assist agencies seeking stronger security and greater operational flexibility, NIST [ed. National Institute of Standards & Technology] made several modifications to the previous version of Biometric Data Specification for Personal Identity Verification. Major additions include:

On-card comparison of fingerprints for improved privacy. The specifications describe how to place one or two compact fingerprint templates and a recognition algorithm on the card. When the user wants to sign a document digitally or open a secure file, for example, she can place her finger on a reader attached to the keyboard to verify her identity. Currently, employees have to type in a PIN for matching, which is subject to error and misuse.

Iris recognition capability for increased security. Standardized compact images of one or both irises (the images are no more than 3 kilobytes each) can be loaded on the PIV card for compact on-card storage and fast reading times. The document provides performance specifications for iris biometrics to assure high accuracy and provides specifications for iris cameras to guide implementers on camera selection. These standards-based elements support interoperability within and across agencies using iris recognition technology.

Agencies may choose to add iris images as an alternate biometric over fingerprints, because, for some users, fingerprint collection can be difficult. At times, the fingerprints are too dry to yield a good image, and lotions, wounds or illness also can make for poor images. Agencies now have the option of using two biometric sources to avoid such circumstances.

Several recent NIST research projects have led to improved technologies for identity management that are included in the updated specification.

The full publication is available from NIST here.

See also: Iris ID tech is ready, but agencies might not be at Deep Dive Intel.

Nothing is fool proof

Google’s Patent on Facial Passwords Published; Analysts Not Impressed (Mobile Bloom) — “Fool proof biometrics are yet to be designed and according to experts, this technology won’t come close to achieving it either.”

Nothing is fool proof. If easy-to-use facial recognition leads to more people protecting their mobile handset with some sort of access control technology, that’s probably a good thing. The process described at the link is actually pretty sophisticated and would probably suffice for 99.99% of mobile device users.

No good work whatever can be perfect, and the demand for perfection is always a sign of a misunderstanding of the ends of art.

—John Ruskin

Substitute “technology” for “art” and it’s still true.

Biometric authentication for cloud storage

Intel’s McAfee brings biometric authentication to cloud storage (Computer World UK)

Intel is introducing new ideas to secure the public cloud, offering a service in which online files can be accessed after users are verified by an authentication scheme including face and voice recognition.

McAfee, a unit of Intel, is adding a product called LiveSafe that will offer 1GB of online storage that can be accessed through biometric authentication. LiveSafe has a Web-based management dashboard, and users can be authenticated through face recognition, voice or by punching in a PIN. LiveSafe also includes antivirus and other security features.

The changing face of security and access control

Gary Hills, Head of capital development at the British Broadcasting Corp. (BBC) had some interesting things to say at the recent FMP London event. [ed. I’m pretty sure FMP stands for Facility Management Professional, but I was shocked to see how popular the acronym is.]

The BBC is considering using biometric access controls at its buildings. (FM World)

Hills said the first phase of the BBC’s review had seen 15 control rooms consolidated into one.

He added: “Access ID is used – not biometrics yet, but [we are] looking at it for the second phase. [We] think it will be more acceptable now as they have it in schools and colleges.

“Security is now more a building management role and the information that comes through the control room can be used more widely for building management.”

Adam Vrankulj at Biometric Update ties the story back to recent industry forecasts for the access control market.

I predict some real upheaval in the market for security systems and access control. So far, large security providers have been able to keep their market walled off from competition from the providers of other types of networked information technology. If increasing numbers of facilities management professionals see the world as Gary Hills does, those days are numbered.

End of the line for online passwords, says PayPal (BBC)

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, key stroke analysis and finger print identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through,” he tells BBC World Service’s Business Daily.

“We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones

Social media critique with a bleg for some biometrics already

The recent Burger King and Jeep Twitter account hacks inspired Charlie Wollborg’s “Having your social media feed hacked is forgivable; being boring is not” at Crain’s Detroit Business.

Of course there’s a biometrics tie-in, but the article is a fun read for those who are interested in social media as well.

The biometrics part:

Can we unleash a few of our most talented geeks on making biometric security apps to the smartphone? Every sci-fi and spy movie in the last 50 years has shown our heroes using fingerprint scanners, retinal scanners and voice print identification. Forget the flying car, just bring me a biometric security app!

We’re working on it!

And then there’s the social media critique.

So yes, Burger King and Jeep had to deal with being hacked, but look at the opportunity! All eyes were on their social media feeds! What did they respond with? More of the same boring, bland content. Reading the last 30 Twitter updates for both brands will give Lunesta a run for its money. Overly promotional. Instantly forgettable. Yawn.

Being hacked is forgivable. Being boring is not. A status update should not be a to do item. Don’t just post to post…

Good advice follows. I’d like to think we…

Coopetition: Biometrics and Passwords

Startup Prepares Alternative to Online, Mobile Banking Passwords (American Banker)

As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.

Despite hopeful initiatives, demise of passwords years away (CSO)

Security pros have been saying for years that password protection is not enough. And this week, two groups — one private, one public — announced initiatives to create more secure ways to authenticate identities online.

Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don’t expect mainstream change for at least the next several years.

Passwords are the ID management security method everyone loves to hate. So why are they still everywhere? Why is their number growing without signs of slowing?

In their “A Research Agenda Acknowledging the Persistence of Passwords,” Cormac Herley and Paul C. van Oorschot tell us why.

Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.

The part about them being essentially free requires qualification (which the authors offer), but that’s a pretty impressive list.

So it’s a good thing for us in the biometrics business that biometrics don’t need to supplant the password altogether. For the moment, biometrics can’t compete on cost to root passwords out everywhere. But I’d like to discuss two (there are more) instances where biometrics can and should be used to limit the risks organizations expose themselves to by over-reliance upon passwords.

Databases of customer information should be biometrically protected. 
From an organizational point of view, for many, many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords, and some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database Administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft.

In many ways the Admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many Admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Biometrics can also be used to overcome some of the limitations of passwords in more mundane password use models.
Biometrics can facilitate the use of more complex passwords that change more frequently and hence are more secure. [See the laptop fingerprint sensor (i.e. biometrics to control a password management application).]

In higher-value authentications, biometrics can also be used as a way to return the password to the simplicity of the PIN. For example: a fingerprint scan associated with a weak password such as a 4-digit PIN provides far stronger authentication than any password a human could be expected to type*. In other words, biometrics can be combined with rudimentary passwords to bring an end to the “password arms race” where the main coping strategy has been longer, more complex and more frequently changing passwords — i.e. the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used as a way to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.

*This type of model also has virtues regarding the irrevocability of biometric identifiers, a discussion of which is beyond the scope of this post.