With mobile devices in healthcare becoming the rule, rather than the exception, Aetna is looking to take advantage of that mobility to improve mHealth privacy and security.
Researchers at one of the nation’s largest insurers are teaming with mHealth experts to create a security platform that eliminates the traditional – and very unsafe – password, replacing it with analytical tools that can identify a user through everything from keyboard strokes to how one walks.
Aetna is intent on “using attributes to authenticate individual users,” Brian Heemsoth, Aetna’s director of security innovation, said during a recent webinar.
Some technologies, like fingerprint and iris scanners and even voice authentication platforms, have been used with varying amounts of success in other industries. But with more consumers accessing healthcare networks from their mobile phones or tablets, Heemsoth said Aetna is looking at authentication tools that can take advantage of that mobility to ensure secure access.
For instance, he said, scanning programs can assess how a user presses keys on a keyboard or swipes through a stream of images; other tools might focus on the location of the user, how one holds a smartphone, even how one stands or walks.
And while biometric or binary programs are contextual, Heemsoth said, behavioral programs can be layered on top of each other, combining to paint a more complete picture of the user.
Analytical tools “can make very informed decisions on who is using the device,” he said.
Such programs, he added, can be programmed to gather information on a user as soon as he or she activates the app, creating an online library of behaviors that can be referenced for authentication.
Heemsoth said Aetna expects to launch a next-generation authentication program for its 40 million members within a few months, contained within a new app. The insurer hopes to launch behavioral-based authentication programs sometime in 2018, he added, first as a component of authentication but eventually becoming the primary authenticator.
Heemsoth’s webinar was sponsored by the FIDO (Fast Identity Online) Alliance, a global organization of more than 250 members pushing for better security for online authentication. Launched in 2012, the organization targets standards “that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.”
Brett McDowell, FIDO’s executive director, sees the ubiquitous password as the root cause of many hacks and cases of data theft. Citing Identity Theft Resource Center (ITRC) numbers for 2016, he said more than 80 percent of reported breaches were caused by password issues. Of those breaches, 36 percent occurred in healthcare, with 44 percent of those involving health records.
“This problem is only going to get worse,” he said, “and we need a fundamental shift in authentication technology” to address the issue.
Heemsoth took the presentation to the next level, calling password-based authentication “a grave area of concern” in healthcare.
“The sensitive thing about healthcare data is … you can’t take it back” once it has been hacked, he said. “You can’t re-issue it. Once that healthcare data is compromised, you can’t take it back.”
According to Heemsoth, roughly half of those with password-based authentication write those passwords down on paper, while 25 percent use easy passwords and more than 30 percent use those passwords more than once. Finally, he said, 50 percent have five or more passwords.
In 2016 alone, he said, some 3 billion passwords or user IDs were reported stolen.
In the not-so-distant future, that type of theft might be prevented simply by how someone carries a smartphone or taps on the keys.